09 Aug

Authenticated Information Disclosure Vulnerability in Cherry Services List

While looking into a possible expansion of what we check during our security review of WordPress plugins  chosen by our customers we found that the plugin Cherry Services List had an authenticated information disclosure vulnerability. That was caused by the fact that contributor and author level users could duplicate posts that they would not have been able to edit. That could for example, have allowed them to gain access to the contents of password protected posts.

The plugin makes the function duplicate_post_as_draft() available to anyone logged in through the admin_action action (in the file /admin/includes/class-cherry-services-meta.php):

41
add_action( 'admin_action_cherry_services_clone_post', array( $this, 'duplicate_post_as_draft' ) );

The only restriction that the plugin placed on accessing that function’s code and duplicating a post as of version 1.4.1 is that the user has the edit_posts capability, which is normally possessed by contributor level and above users:

85
86
87
88
89
function duplicate_post_as_draft() {
 
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( __( 'You don\'t have permissions to do this', 'cherry-services' ) );
	}

After we notified the developer of the plugin of the issue, version 1.4.2 was released, which fixes the vulnerability by checking if the user has the capability to edit the post being duplicated:

104
105
106
if ( ! current_user_can( 'edit_post', $_REQUEST['post'] ) ) {
	wp_die( 'You don\'t have permissions to do this!', 'cherry-services' );
}

Proof of Concept

Log in to WordPress as a contributor-level user and visiting the following URL, with the value of “[path to WordPress]” replaced with the location of WordPress and  “[post ID]” replaced with the value of a password protected post on the website:

http://[path to WordPress]/wp-admin/admin.php?action=cherry_services_clone_post&post=[post ID]

Timeline

  • August 8, 2017 –  Developer notified.
  • August 9. 2017 – Version 1.4.2 released, which fixes vulnerability.