Capabilities Change Vulnerability in MailPress
As detailed in another post about a vulnerability in the MailPress plugin, we recently had a request for a file from that plugin on this website. Since we are not using the plugin, such a request is usually an indication that someone is probing for usage of a plugin before exploiting something in it. While we could not find a vulnerability that we think would be the one a hacker would be trying to exploit, we did find a local file inclusion vulnerability that is serious and exploitable in the plugin’s default state. We also found a capabilities change vulnerability that is exploitable when one of the plugin’s built-in addons, Roles_and_capabilities, is enabled. That vulnerability would be very serious if untrusted users had accounts on the website.
As mentioned in greater detail in the other post, through the file /mp-includes/action.php it is possible for anyone to make requests to functions whose names start with “mp_action_”. One such action is mp_action_r_and_c(), located in the file /mp-content/add-ons/MailPress_roles_and_capabilities.php. The function has no security checks in place, as you can see below, so anyone can add or remove capabilities for WordPress roles if the addon is enabled:
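Since the dispatcher in action.php performs no checks of its own, any authorization has to live in the handler itself. The following is an added illustration, not MailPress code (the post does not reproduce the plugin's function), of a hypothetical mp_action_-prefixed handler that edits role capabilities in its unchecked shape beside a hardened shape; the function names, request parameters (role, cap, mode) and the nonce action name are assumptions.

```php
<?php
// Illustrative only: modelled on the pattern the post describes, not the
// plugin's actual code. Names below are assumptions for the example.

// Unchecked shape: trusts request data and runs for any visitor who reaches
// the mp_action_ dispatcher, so any role can gain or lose any capability.
function mp_action_r_and_c_unchecked() {
    $role = get_role( sanitize_key( $_REQUEST['role'] ) );
    if ( $role ) {
        $role->add_cap( sanitize_key( $_REQUEST['cap'] ) ); // no authorization
    }
}

// Hardened shape: verify intent (nonce), authorize the caller, validate the
// inputs, and refuse to touch the administrator role.
function mp_action_r_and_c_hardened() {
    // Dies unless the request carries a valid nonce for this action,
    // which blocks cross-site and blind direct requests.
    check_admin_referer( 'mp_r_and_c' );

    // Only administrator-level users may redefine roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    $role_name = isset( $_POST['role'] ) ? sanitize_key( $_POST['role'] ) : '';
    $cap       = isset( $_POST['cap'] )  ? sanitize_key( $_POST['cap'] )  : '';
    $mode      = isset( $_POST['mode'] ) ? sanitize_key( $_POST['mode'] ) : '';

    // Never let a request rewrite the administrator role itself.
    if ( 'administrator' === $role_name ) {
        wp_die( 'Refusing to modify the administrator role', 403 );
    }

    $role = get_role( $role_name );
    if ( ! $role || '' === $cap ) {
        wp_die( 'Unknown role or empty capability', 400 );
    }

    if ( 'add' === $mode ) {
        $role->add_cap( $cap );
    } elseif ( 'remove' === $mode ) {
        $role->remove_cap( $cap );
    } else {
        wp_die( 'Unknown mode', 400 );
    }
}
```

On a site that does not use the plugin, requests for /mp-includes/action.php in the web server log are themselves worth alerting on, as the post's own experience shows.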