Vulnerability in WordPress Software Bill of Materials (SBOM) Plugin Allows Anyone Access to SBOM for Website
A software bill of materials (SBOM) is used to provide information on the software components that make up a larger software system. There has been a lot of focus on them recently as a way to better detect and address known vulnerabilities in systems. Generating them often entails using other software, and that software could, in turn, have vulnerabilities. That turns out to be the case with a WordPress plugin we just checked over.
While looking to see if there was an existing solution for generating SBOMs for WordPress websites, we ran across WpBom, which has been available on the WordPress plugin directory since December 2021. It appears it hasn’t gotten a security review, as there is a fairly serious vulnerability. It turns out that anyone can access the SBOM file it generates, so an attacker could gain additional information on the software on the website. It could be worse: in July of last year, we found that a very popular security plugin was disclosing the vulnerabilities that were known to exist in software on the website.
The vulnerability is caused by two security failures.
The plugin’s main file registers the function json() in the file /src/Controllers/CycloneDXController.php to run during admin_init:

    add_action( 'admin_init', array( __NAMESPACE__ . '\Controllers\CycloneDXController', 'json' ) );
That makes the function accessible to even those not logged in to WordPress if they access the right URL.
That function checks for a valid nonce to prevent cross-site request forgery (CSRF) and then provides a download of the SBOM:
    public static function json() {
        if ( isset( $_GET['_wpnonce'] ) && ! empty( $_GET['_wpnonce'] ) ) {
            if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'wpbom' ) ) {
                return;
            }
        }
        if ( isset( $_GET['wpbom_download'] ) && ! empty( $_GET['wpbom_download'] ) ) {
            header( 'Content-Disposition: attachment; filename="bom.json"' );
            wp_send_json( self::bom() );
        }
    }
There should be a capability check to limit access to only those intended to have access, but that is missing. While not intended for that purpose, normally a nonce check would do the equivalent of that check. What has gone wrong with this plugin is a good example of why you shouldn’t rely on a nonce check to do the job of a capability check. Looking closely at the nonce check, it turns out that it can easily be bypassed. That is caused by the nonce check only occurring if a GET input named _wpnonce is sent with the request:

    if ( isset( $_GET['_wpnonce'] ) && ! empty( $_GET['_wpnonce'] ) ) {
        if ( ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ), 'wpbom' ) ) {
So if you don’t send that with the request, the SBOM is downloadable even for those not logged in to WordPress, as can be confirmed with the proof of concept below.
This is a good reminder that when testing to make sure nonce checks are working, try it with an incorrect nonce value provided and also without sending one at all.
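As an added example (our own illustration, not the plugin’s code), here is how json() could be rewritten so that the nonce is verified unconditionally and a proper capability check is performed before anything is sent. The manage_options capability is an assumption; the plugin’s developer may want a different one.

```php
<?php
// Added example, not the plugin's code. The capability 'manage_options' is
// an assumption; the nonce action 'wpbom' is the one the plugin already uses.
public static function json() {
    // Only handle SBOM download requests; ignore everything else on admin_init.
    if ( empty( $_GET['wpbom_download'] ) ) {
        return;
    }

    // Authorization first: a nonce is not a substitute for a capability check.
    // admin_init also fires for requests from users who are not logged in.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to download the SBOM.', 'wpbom' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF protection: the nonce must be present AND valid. Defaulting to an
    // empty string means a missing _wpnonce fails wp_verify_nonce() instead of
    // skipping the check entirely, which was the bypass in the original code.
    $nonce = isset( $_GET['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'wpbom' ) ) {
        wp_die(
            esc_html__( 'Invalid or missing nonce.', 'wpbom' ),
            '',
            array( 'response' => 403 )
        );
    }

    header( 'Content-Disposition: attachment; filename="bom.json"' );
    wp_send_json( self::bom() );
}
```

With this version, the three test cases mentioned above (correct nonce, incorrect nonce, no nonce) only succeed for the first, and only for a logged-in user with the required capability.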
WordPress Causes Full Disclosure
As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior, we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.
Is It Fixed?
If you are reading this post down the road, the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities but have failed to do so.
Proof of Concept
The following proof of concept will provide a download with the software bill of materials.
Replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin-post.php?wpbom_download=true