Quartet of critical web security flaws plague CMS software
UPDATED Multiple vulnerabilities in a popular WordPress plugin used to upload profile photos could allow an attacker to achieve remote code execution (RCE), researchers warn.
Four security issues, which were all assigned a high CVSS score of 9.8, were discovered in May by researchers from Wordfence.
These flaws made it possible for an attacker to escalate user privileges and upload malicious code – resulting in the complete takeover of a WordPress site.
The plugin in question is ProfilePress – formerly named WP User Avatar – which facilitates the uploading of WordPress user profile images. The technology has more than 40,000 installs, according to Wordfence.
Originally, as explained in an advisory from Wordfence, its only functionality was to upload photos, however a recent change saw the plugin augumented with new features including user login and registration.
It was flaws in the security of these feature updates that resulted in the vulnerabilities.
The first issue was a privilege escalation flaw. Wordfence explained: “During user registration, users could supply arbitrary user meta data that would get updated during the registration process.
“This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilties as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.”
There was no way to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled.
Attackers could therefore “completely take over” a vulnerable WordPress site with little effort.
Next up comes a privilege escalation bug (CVE-2021-34622) in the user profile update functionality, which used the same method as above, but did require an attacker to have an account on a vulnerable site in order for the exploit to work.
“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence.
Another vulnerability present was arbitrary file upload in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not.
An attacker could disguise a malicious file by uploading a spoof file which would bypass the exif_imagetype check.
This could be exploited to upload a webshell that would allow an attacker to RCE and run commands on a server, achieving complete site takeover.
Another arbitrary file upload vulnerability (CVE-2021-34624) in the plugin’s “custom fields” functionality, which also checks for malicious files, could be exploited to achieve RCE.
The researcher who discovered the bug used a tool called WPDirectory to search the WordPress plugin repository for specific lines of code.
Chloe Chamberland, Wordfence threat analyst, told The Daily Swig: “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them.”
Chamberland explained that one of those new AJAX actions was a user registration endpoint, and once she had checked if any arbitrary user meta could be supplied, it led to the discovery of the privilege escalation vulnerability, which was a result of arbitrary user meta being accepted and updated.
“That eventually led to the discovery of the arbitrary file upload vulnerabilities since they were also associated with the user registration functionality,” she added.
The critical vulnerabilities were reported to WordPress on May 27, and a patch was released by May 30.
Wordfence said they “recommend that users immediately update to the latest version available” of WordPress, currently version 3.1.8. Vulnerable versions include 3.0-3.1.3.
“I didn’t have to report the issues to WordPress in this case, but rather I was able to work directly with the developer who responded within a few minutes of us reaching out,” Chamberland explained.
“This was an ideal case when it comes to reporting the security issues and working with the developer to get patches out.”
Aside from updating to the newest version, to protect against the vulnerabilities, she told The Daily Swig: “I would recommend looking for any rogue administrative user accounts in addition to checking or scanning for any uploaded PHP files in the /wp-content/uploads directory.
“If any rogue administrative accounts or malicious files are detected, then they should be removed immediately and a full site cleaning should be performed.”
This article has been updated to clarify which versions are vulnerable and to include comment from Wordfence