More than 300,000 sites at risk from exploit that could grant attackers full control of forums

Developers behind bbPress, a popular WordPress forum plugin, have patched a critical security vulnerability that could lead to unauthenticated privilege escalation.

Attackers who exploit the logic bug could grant themselves authorization to delete forum activities, import or export forum users, and create new forum moderators, according to the security researcher who discovered the flaw.

“By simply adding the bbp-forums-role parameter with the value of bbp_keymaster to the signup request, you can effectively make the newly created user a ‘Keymaster’ which is a forum administrator, gaining complete forum control,” explained Raphael Karger in a blog post published on May 29.

“I think that due to its ease of exploitation, it’s likely that it’s being mass exploited by folks creating backdoored users because once they create the user, regardless of if the site owners patch the plugin, the user will still be present,” the researcher told The Daily Swig.

However, he caveated the bug’s severity by pointing out that exploitation was conditional on user registration being enabled on a target site, and a BBPress registration form being embedded so that a nonce can be retrieved.

Meta discovery

Karger noticed something was awry with the bbPress plugin when he discovered that add_filter was being triggered on the signup_user_meta tag and passed into the bbp_user_add_role_to_signup_meta function, which is called during user registration.

In WordPress, add_filter serves as a ‘hook’ to change internal data at runtime, the researcher explained.

“This was interesting because according to the WordPress developer documentation signup_user_meta is a filter that’s used for role manipulation and adding user metadata properties during user signup,” he added.

“This means bbPress was altering the metadata roles of a user as the user registers. This really isn’t surprising as bbPress is forum software, and there’s a separation of roles for users, moderators, and administrators.”

Security update

Karger said he notified the bbPress team of the flaw on May 27 and they responded the same day.

The find earned him a bug bounty payout via the WordPress HackerOne program.

In his blog post, the researcher commended the bbPress team for being “very quick to issue a patch” for the open source forum software, which has more than 300,000 active installations.

“It was truly a pleasure working with WP and the bbPress devs,” Karger told The Daily Swig.

Issued on May 28, bbPress 2.6.5 successfully validates new roles in order to eliminate the flaw.

The release also remedied an authenticated privilege escalation bug exploitable via the Super Moderator feature, and a self-XSS vulnerability in the forums list table.

The bbPress team has urged anyone running bbPress 2.6 to update immediately.

Explaining why his report fell under the umbrella of the WordPress bug bounty program, Karger said that “due to a large amount of active installs and its management of users, it’s covered as a WordPress-critical target.”

Karger used Burp Suite to manually exploit the vulnerability and credited the discovery to a “white-box approach with the help of Nathan Hrncirik setting up a virtual WordPress environment”.

The Daily Swig has approached the bbPress team for further comment.


RELATED More than one million WordPress sites exposed through Page Builder plugin vulnerabilities