19 Sep 2017

Authenticated Information Disclosure Vulnerability in Share Drafts Publicly

The changelog entry for version 1.1.4 of Share Drafts Publicly is “Added security enhancements.” In looking over that we found a change was made to fix a cross-site request forgery (CSRF) vulnerability that existed with the AJAX functionality to share a draft of a post or page publicly. The exploitability of that is limited, since an attacker that causes a draft to be shared publicly would still have to guess a 6-character secret key generated using wp_generate_password() to be able to view the draft.

With a CSRF vulnerability you cannot see the result of the request, because it is being made by someone else, but the response to the request here does return the secret key needed to view the draft. Since the AJAX request was accessible to anyone logged in to WordPress, there was the potential that WordPress users that don’t have access to a draft could use the functionality to view it. In version 1.1.3 we found that anyone logged in could make any draft public. In looking at the changes made in 1.1.4, we found there was no change to deal with that issue.

In version 1.1.4, because of the new CSRF protection, a user now needs a valid nonce to be able to make a draft public.

The nonce is generated in the function scripts(), which is called when enqueueing admin scripts (in the file /share-drafts-publicly.php):

add_action( 'admin_enqueue_scripts', array( $this, 'scripts' ) );

The function localizes the nonce into the script, and enqueues that script when the function enqueue_script() returns true:

public function scripts() {
 
	// Localize strings.
	$localization = array(
		'nonce'  => wp_create_nonce( 'share-drafts-publicly' ),
		'postId' => get_the_ID() ? get_the_ID() : ( isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0 ),
	);
 
	wp_register_script( 'share-drafts-publicly', plugin_dir_url( __FILE__ ) . 'js/share-drafts-publicly.js', array( 'jquery' ), filemtime( plugin_dir_path( __FILE__ ) . 'js/share-drafts-publicly.js' ), true );
	wp_localize_script( 'share-drafts-publicly', 'shareDraftsPublicly', $localization );
 
	if ( $this->enqueue_script() ) {
		wp_enqueue_script( 'share-drafts-publicly' );
	}
 
}

That returns true when on the page /wp-admin/post.php:

public function enqueue_script() {
 
	// Get current page.
	global $pagenow;
 
	return 'post.php' === $pagenow;
 
}

So as long as a user can visit the page /wp-admin/post.php, they would still be able to make any draft public. Unless another plugin exposes something that uses that page to lower-level users, normally only users at the Contributor level or above can reach it and therefore obtain the nonce.

Less than an hour after we notified the developer of the issue they released version 1.1.5, which fixed the issue by adding the following code to the beginning of the functions make_draft_public() and make_draft_private():

if ( ! current_user_can( 'edit_posts', $post_id ) ) {
	return false;
}

That makes sure the user trying to make a draft public or private is able to edit it.
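To show how the two fixes fit together in one AJAX handler, here is an added example written for this post; it is not the plugin's own code. The nonce check answers the CSRF issue fixed in 1.1.4, and the capability check answers the authorization issue fixed in 1.1.5: a nonce only proves the request came from a page the user loaded, not that the user may act on that post. The action name, function name, meta key and the wp_generate_password() arguments are assumptions. One caveat a reviewer would raise: WordPress evaluates the second argument of current_user_can() only for meta capabilities such as edit_post; the primitive edit_posts capability is not scoped to a particular post, so the example uses the singular, per-post form.

```php
<?php
// Added example (not the plugin's code). Hypothetical AJAX action name.
add_action( 'wp_ajax_sdp_example_share_draft', 'sdp_example_handle_share_draft' );

function sdp_example_handle_share_draft() {
	// 1. CSRF protection (the 1.1.4 change): rejects the request unless the
	//    'nonce' parameter is valid for the 'share-drafts-publicly' action.
	//    A nonce alone does not authorize anything; it only proves intent.
	check_ajax_referer( 'share-drafts-publicly', 'nonce' );

	$post_id = isset( $_GET['post_id'] ) ? absint( $_GET['post_id'] ) : 0;
	$make    = isset( $_GET['make'] ) ? sanitize_key( $_GET['make'] ) : '';

	// 2. Authorization (the 1.1.5 change): the caller must be allowed to edit
	//    this specific post. 'edit_post' is the meta capability that WordPress
	//    maps against $post_id (author, edit_others_posts, post status, etc.).
	if ( ! $post_id || 'post' === get_post_type( $post_id ) && ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot change the sharing status of this post.' ), 403 );
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'You cannot change the sharing status of this post.' ), 403 );
	}

	if ( 'public' === $make ) {
		// Assumed: a 6-character key with no special characters, as the post
		// describes. The key is stored in post meta (hypothetical meta key).
		$secret_key = wp_generate_password( 6, false );
		update_post_meta( $post_id, '_sdp_example_secret_key', $secret_key );

		// The response returns the key so the editor can build the share link;
		// the capability check above is what keeps it from other users.
		wp_send_json_success( array( 'secret_key' => $secret_key ) );
	}

	if ( 'private' === $make ) {
		delete_post_meta( $post_id, '_sdp_example_secret_key' );
		wp_send_json_success( array( 'secret_key' => '' ) );
	}

	wp_send_json_error( array( 'message' => 'Unknown action.' ), 400 );
}

// Server side of viewing a shared draft: compare the supplied key in constant
// time against the stored one, so a wrong key never reveals the draft.
function sdp_example_key_matches( $post_id, $supplied_key ) {
	$stored_key = get_post_meta( $post_id, '_sdp_example_secret_key', true );
	return is_string( $stored_key ) && '' !== $stored_key
		&& hash_equals( $stored_key, (string) $supplied_key );
}
```

The handler is called through admin-ajax.php with the same parameters the proof of concept below uses (action, make, post_id, nonce). The ordering matters: the nonce is checked first so unauthenticated or forged requests fail before any post lookup, and the capability check runs before any state change or before the secret key is ever generated or returned.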

Proof of Concept

When logged in as a user that has access to some URL that uses /wp-admin/post.php, visiting the following URL will make the specified draft public.

Make sure to replace “[path to WordPress]” with the location of WordPress, “[post ID]” with the ID of the draft post you want to make public, and “[valid nonce]” with a valid nonce, which can be found on the URL that uses /wp-admin/post.php on the line that begins “var shareDraftsPublicly”.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=share_drafts_publicly&make=public&post_id=[post ID]&nonce=[valid nonce]

Timeline

  • September 18, 2017 – Developer notified.
  • September 18, 2017 – Version 1.1.5 released, which fixes issue.
  • September 18, 2017 – Developer responds.
