5 Dec 2022

Patchstack Claimed to Provide “Early Alert and Protection” From “Vulnerabilities” Where Attacker Would Already Have Control of Website

Last week, we noted that the WordPress security provider Patchstack’s new “early alerts and protection” from plugin vulnerabilities involved them being weeks behind offering protection that keeping plugins updated would have provided and failing to offer that for a vulnerability likely to be exploited by a hacker. At the end of the week, they put out information on what they claimed were vulnerabilities that had existed in a plugin, Easy WP SMTP, used by at least one of our customers, so we went to check over that. What we found is that they were not vulnerabilities, as the “attacker” would already need to have control of the website, because they would need to be logged in as an Administrator.

One of those was claimed to be an authenticated arbitrary file deletion vulnerability, described this way:

This could allow a malicious actor to delete files from your website. If core files are deleted from your website, it could cause your site to break and stop functioning.

Another of those was claimed to be an authenticated arbitrary file read vulnerability and was described this way:

This could allow a malicious actor to see all files in a given directory or determine if certain files/directories exist in given folder. This can be used to exploit other weaknesses in the system

The final one was claimed to be an authenticated remote code execution vulnerability, and its description sounds the most serious:

This could allow a malicious actor to execute commands on the target website. This can be used to gain backdoor access to then take full control of the website.

With all three, they claimed the “required privilege” was the Administrator role. Someone logged in to WordPress as an Administrator already has full control of the website. There is a quote used in the security industry for that situation, “It rather involved being on the other side of this airtight hatchway,” which is from the book The Hitchhiker’s Guide to the Galaxy by Douglas Adams.

Unfortunately, you can’t stop looking at a claim like that at that point, as we have found that sometimes there really is a vulnerability. One reason is that it sometimes turns out that lower level users would have access in addition to Administrators (something we will be covering tomorrow involving a competitor of Patchstack, WPScan).

Almost no additional information was given by Patchstack to double-check their claims. They did claim that these were fixed in version 1.5.2 of the plugin. The changelog for that version states they removed the export/import functionality in that version:

Removed the export/import settings option. There will be a separate free addon to offer the export/import settings option.

So presumably, the claimed vulnerabilities existed in that code. You can see the code removed here. The code itself doesn’t appear to allow doing any of the things being claimed there. For example, there isn’t anything in that code that would allow deleting files. What you could do with the code is update settings.

The file deletion claim would appear to be connected to the function log() in the plugin’s main file, which will delete a file based on a plugin setting:

```php
public function log( $str, $overwrite = false ) {
	try {
		$log_file_name = '';
		if ( isset( $this->opts['smtp_settings']['log_file_name'] ) ) {
			$log_file_name = $this->opts['smtp_settings']['log_file_name'];
		}
		if ( empty( $log_file_name ) || $overwrite ) {
			if ( ! empty( $log_file_name ) && file_exists( plugin_dir_path( __FILE__ ) . $log_file_name ) ) {
				unlink( plugin_dir_path( __FILE__ ) . $log_file_name );
			}
			// ... the quoted excerpt ends here; the rest of the function is not shown ...
		}
	} catch ( Exception $e ) {
		// catch block not part of the quoted excerpt; closed here only for syntactic completeness
	}
}
```

That code wasn’t changed, so an Administrator could still do what is claimed to be a vulnerability by changing the setting in another way. So if there is an insecurity, there still is one, at least when it comes to file deletion.

What still matters is whether this was really limited to Administrators, and the answer is yes. To access the code before it was removed, someone had to be logged in to WordPress with the manage_options capability:

```php
if ( current_user_can( 'manage_options' ) ) {
	// ... the export/import handling followed here in the removed code ...
}
```

And a valid nonce was checked, which would prevent cross-site request forgery (CSRF):

```php
check_admin_referer( 'easy_wp_smtp_import_settings', 'easy_wp_smtp_import_settings_nonce' );
```
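For readers who want to see the two checks discussed above side by side, here is an added example (our own illustration, not the plugin’s code) of a settings-import handler gated by the manage_options capability and the nonce, together with a log-file deletion that refuses anything outside the plugin’s own directory. It assumes it runs inside WordPress, where plugin_dir_path(), sanitize_file_name(), current_user_can(), check_admin_referer() and wp_die() exist; the ewps_example_* function names are hypothetical.

```php
<?php
// Added example, not code from Easy WP SMTP. Assumes a WordPress runtime.
// The ewps_example_* names are hypothetical.

/**
 * Delete a log file only when the configured name resolves to a regular file
 * directly inside this plugin's directory. Only an Administrator can change the
 * setting, so this is belt-and-braces, but it makes the intended scope explicit.
 */
function ewps_example_delete_log( $log_file_name ) {
	$log_file_name = sanitize_file_name( (string) $log_file_name );
	// Reject an empty name or anything that still carries a path component.
	if ( '' === $log_file_name || basename( $log_file_name ) !== $log_file_name ) {
		return false;
	}
	$dir    = realpath( plugin_dir_path( __FILE__ ) );
	$target = realpath( plugin_dir_path( __FILE__ ) . $log_file_name );
	// realpath() is false for a missing file; also refuse any target whose
	// parent directory is not the plugin directory itself.
	if ( false === $dir || false === $target || dirname( $target ) !== $dir || ! is_file( $target ) ) {
		return false;
	}
	return unlink( $target );
}

/**
 * Settings-import handler gated the same way the removed code was:
 * the manage_options capability first, then the nonce against CSRF.
 */
function ewps_example_handle_import() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.' );
	}
	check_admin_referer( 'easy_wp_smtp_import_settings', 'easy_wp_smtp_import_settings_nonce' );
	// Process the submitted settings here; with both checks passed, the
	// request comes from an Administrator acting deliberately.
}
```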
