WPMasterToolKit

One of the reasons why WordPress plugins continue to be so insecure is that unethical security providers don't do basic vetting work before claiming that vulnerabilities exist and that they have been fixed. Unsurprisingly, they don't show the work, as it were, as to how they came to claim there was a vulnerability. That often leads to real security issues and vulnerabilities remaining in plugins after they take credit for them being fixed. That was the case recently with a situation that involved one of those unethical providers, Wordfence, and WordPress. Last week, our monitoring systems flag the possibility of a vulnerability in the plugin WPMasterToolKit. At the time, the plugin was closed on the WordPress Plugin Directory. The reason for the closure appears to be a claim by Wordfence of a vulnerability in the plugin. The author of the plugin stated: If you’re using the plugin, it’s the File Manager module that has this vulnerability. But to exploit this vulnerability, you already need to be an administrator on WordPress. That matches up with a claim by Wordfence: The WPMasterToolKit (WPMTK) – All in one plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to read and modify the contents of arbitrary files on the server, which can contain sensitive information. It turns out what our systems warned us about was related to that. What we immediately noticed is that the code Wordfence was claiming was vulnerable and the code we were checking are not actually restricted to Administrators. If Wordfence had shown their work, it would be easy to see that, but they didn't. The plugin was subsequently reopened without the insecurity being properly addressed. That means the team running the WordPress Plugin Directory didn't properly vet this either. That shouldn't come as a surprise considering their track record and their hostility towards those trying to work with them address that. We have reached out to the developer about that and offered to help them address it. For everyone else's edification, let's see what is going on here. While Wordfence didn't provide even basic details, the code in question exists in the function handle_actions() in the file /admin/modules/core/class-file-manager.php. That is confirmed by the changes that were made to the plugin. Looking at the latest version of the plugin, what you see is that code doesn't include a capability check to limit access: private function handle_actions() { global $wp_filesystem; if ( ! function_exists( 'WP_Filesystem' ) ) { require_once ABSPATH . 'wp-admin/includes/file.php'; } WP_Filesystem(); $this->set_global_variables(); switch (true) { case isset( $_POST, $_POST ) && isset( $_POST ): $nonce sanitize_text_field( wp_unslash( $_POST ?? '' ) ); if ( ! wp_verify_nonce( $nonce, $this->user_nonce ) ) { header( 'HTTP/1.0 401 Unauthorized' ); die( esc_html__( 'Invalid token', 'wpmastertoolkit' ) ); } // Search if ( $_POST "search" ) { $dir sanitize_text_field( wp_unslash( $_POST ?? '' ) ) "." ? '' : sanitize_text_field( wp_unslash( $_POST ?? '' ) ); $response $this->scan( $this->fm_clean_path( $dir ), sanitize_text_field( wp_unslash( $_POST ?? '' ) ) ); echo json_encode($response); exit(); } // Save editor file if ( $_POST "save" ) { if ( ! is_dir( $this->PATH ) ) { wp_safe_redirect( $this->FM_SELF_URL . '?pagewp-mastertoolkit-settings-file-manager&p' ); exit; } $file sanitize_text_field( wp_unslash( $_GET ?? '' ) ); There is a nonce check included for the portion of the code shown there, which would normally limit access to it to only users with a valid nonce. Other portions don't include that nonce check, so anyone can access it if they can access the function. For example, this portion of the code that allows renaming a file doesn't include a nonce check: case isset( $_GET, $_GET ): $copy urldecode( sanitize_text_field( wp_unslash( $_GET ) ) ); $copy $this->fm_clean_path( $copy ); if ( $copy '' ) { $this->set_notice( __( 'Source path not defined', 'wpmastertoolkit' ) ); wp_safe_redirect( $this->FM_SELF_URL . '?pagewp-mastertoolkit-settings-file-manager&p' . urlencode( $this->FM_PATH ) ); exit; } $from $this->FM_ROOT_PATH . '/' . $copy; $dest $this->FM_ROOT_PATH; if ( $this->FM_PATH ! '' ) { $dest . '/' . $this->FM_PATH; } $dest . '/' . basename( $from ); $move isset( $_GET ) ? sanitize_text_field( wp_unslash( $_GET ) ) : ''; $move $this->fm_clean_path( urldecode( $move ) ); if ( $from ! $dest ) { $msg_from trim( $this->FM_PATH . '/' . basename( $from ), '/' ); if ( $move ) { $rename $this->fm_rename( $from, $dest ); Who has access to the function? Anyone. That is despite only Administrators being intended to have access. The reason that is the case can be seen by looking at the code that Wordfence didn't show people. The function handle_actions() gets called by the function class_init() if the URL parameter "page" is set to "wp-mastertoolkit-settings-file-manager": public function class_init() { $this->header_title esc_html__( 'File Manager', 'wpmastertoolkit' ); //phpcs:ignore WordPress.Security.NonceVerification.Recommended if ( ! isset( $_GET ) || $_GET ! 'wp-mastertoolkit-settings-file-manager' ) { return; } if ( ! headers_sent() && ! session_id() ) { session_start(); } $this->handle_actions(); That gets called during "init" so it runs when accessing any WordPress page: add_action( 'init', array( $this, 'class_init' ) ); So anyone can access the code by simply appending "?pagewp-mastertoolkit-settings-file-manager" to the URL of the homepage of a website using the plugin. There is an additional condition for the code to be accessible that Wordfence neglected to mention for some reason. The plugin's File Manager module has to be enabled. It is disabled by default.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: WPMasterToolKit

Wordfence and WordPress Miss That Insecure Code in WordPress Plugin is Still Insecure