15 Aug 2016

Authenticated User Deletion Vulnerability in Keypic

One common cause of vulnerabilities being discovered in WordPress plugins these days is functions made accessible through WordPress’ AJAX functionality that fail to check whether the user making the request should be accessing them. Since anyone who is logged in can make a request to them by default, if there isn’t any check done to ensure only intended users are accessing them, functionality only intended to be accessed by Administrators can become accessible to people who shouldn’t have access. Recently we found that there is a related issue with the seemingly obscure action hook admin_action_, which also allows anyone logged in to access the connected functions. While doing a quick look over security plugins for vulnerabilities caused by a failure to properly restrict access to these, we found that with the current version of the plugin Keypic, 2.1.2, anyone logged in to WordPress can delete other users.

In the file /admin.php the admin_action_ for the function keypic_report_spam_and_delete_user() is registered: [Read more]

5 Jul 2016

Authenticated Information Disclosure Vulnerability in Log Emails

Recently we took a quick look over plugins that log emails sent through WordPress. Those emails have the potential to contain sensitive information, so their security is important. In two cases we found that the plugin allowed any logged in user to view emails logged by the plugin. In the case of the Log Emails plugin we found that the issue went further than in the other plugin, as it not only allowed you to view logged emails, but also to view anything else stored as a post. That includes not only posts, but also pages, and any content that a plugin might store in that way, things like the logged emails from this plugin.

The other plugin’s issue was due to making the function that allows viewing logged emails accessible via AJAX and then not checking to ensure that the user should be allowed to view it. This plugin’s issue involves a rather obscure action hook, admin_action_, for which about the only reference we could find was this StackExchange question. The practical effect is the same, as this makes the function available to anyone logged in. [Read more]
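As an added example that is not code from Keypic, Log Emails or this post: the admin_action_ pattern both excerpts describe, shown first in the unchecked shape and then with the capability and nonce checks such a handler needs. The example_ action and function names are hypothetical; everything else is core WordPress API.

```php
<?php
// Added illustration, not code from Keypic or Log Emails. WordPress fires
// admin_action_{action} from wp-admin/admin.php for any logged-in user who
// requests ?action=<name>, so the hook itself performs no authorization.

// Unchecked shape: any subscriber can reach this and delete other users,
// which is the class of bug the post describes.
add_action( 'admin_action_example_delete_user', 'example_delete_user_unchecked' );
function example_delete_user_unchecked() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( (int) $_REQUEST['user_id'] );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Hardened shape: confirm the caller may delete users, refuse self-deletion,
// and require a nonce bound to this action and user id (blocks CSRF).
add_action( 'admin_action_example_delete_user_safe', 'example_delete_user_checked' );
function example_delete_user_checked() {
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;

    if ( ! current_user_can( 'delete_users' ) || 0 === $user_id || $user_id === get_current_user_id() ) {
        wp_die( 'You are not allowed to delete this user.', '', array( 'response' => 403 ) );
    }

    // Dies with a 403 if the _wpnonce parameter is missing or invalid.
    check_admin_referer( 'example_delete_user_' . $user_id );

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// Builds the only link that satisfies the hardened handler: same action
// name, same user id, and a nonce generated for that exact pair.
function example_delete_user_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg(
        array( 'action' => 'example_delete_user_safe', 'user_id' => $user_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'example_delete_user_' . $user_id );
}
```

When auditing a plugin, grep for add_action( 'admin_action_ and confirm each callback starts with a current_user_can() check and a check_admin_referer() call before it touches any data.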