Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin

On March 3, 2020, our Threat intelligence team discovered a number of vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or completely replace any page on a site with their own page containing malicious JavaScript, defacement, or a redirect. Additionally, an unauthenticated attacker could also upload a malicious page template which, if used by an administrator running the premium version of the plugin, would execute malicious JavaScript in that administrator’s browser, potentially leading to site takeover.

We attempted to contact the plugin’s author the next day, on March 4, 2020, followed up on March 12, 2020, and privately sent the full vulnerability disclosure. The plugin’s author released a preliminary patch containing capability checks on March 15th. We followed up with them the next day as the patched version was still vulnerable to Cross-Site Request Forgery (CSRF), and were informed that a more complete patch would be forthcoming. More than 2 weeks later, and more than a month after our initial contact attempt, the complete patch is not yet available.

If this plugin is critical to your site’s functionality, we highly recommend updating to at least version 0.99 immediately as at least some of these security issues are patched in that version. Ideally, we recommend disabling and deleting this plugin until a more complete patch becomes available.

Wordfence Premium users received a new firewall rule on March 4, 2020 to protect against exploits targeting these vulnerabilities. Users still using the free version of Wordfence will receive this rule on April 3, 2020.


Description: Authenticated Stored Cross-Site Scripting(XSS)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions: <= 0.98
CVE ID: CVE-2020-11508
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
CVSS Score: 9.1(Critical)
Patched Version: 0.99

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and “squeeze” pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX function which lacked a capability check and a nonce check in order to save and update pages:

add_action('wp_ajax_core37_lp_save_page', 'core37_lp_save_page');

function core37_lp_save_page()
{
	$content = array();
	parse_str(file_get_contents("php://input"), $content);

	//pass the form ID to the editor
	echo Page_Manager::save_page($content);
	die();
}

As such, it was possible for a logged-in attacker with minimal permissions (such as a subscriber) to send a $_POST request to wp-admin/admin-ajax.php with the action parameter set to core37_lp_save_page along with the pageContent, pageSlug, pageTitle, and pageSettings parameters describing the page to be created. This included the page title, page slug, page content, and any JavaScript the attacker wanted to execute when the page loaded.

Worse yet, if a pageID parameter was sent with the ID of an existing page or post, that page or post would be completely replaced by the malicious page. This made it possible for an attacker to completely replace every single post or page on a site, including revision backups, with their own malicious content, with no way to revert other than restoring content from a database backup.

In addition to inserting malicious JavaScript, which on its own could be used to redirect visitors to malvertising sites or steal sensitive information, this vulnerability could be used to effectively turn any site running the plugin into a spam site.


Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions: <= 0.98
CVE ID: CVE-2020-11509
CVSS Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 7.1(High)
Patched Version: 0.99

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use “template” pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action available to unprivileged visitors:

add_action('admin_post_nopriv_c37_wpl_import_template', array($this, 'c37_wpl_import_template'));

Additionally, the function called by this action lacked nonce or capability checks:

    public function c37_wpl_import_template()
    {
        if (isset($_FILES))
        {
            foreach($_FILES['files_name']['tmp_name'] as $tmpFile)
            {
                Template_Manager::importTemplateFromString(file_get_contents($tmpFile));
            }
        }

        wp_redirect($_POST['request_url'] . '&import=success');
    }

As such, it was possible for an unauthenticated attacker to upload a template by sending a $_POST request to wp-admin/admin-post.php, with the action parameter set to c37_wpl_import_template and a files_name[] parameter containing a maliciously crafted template file. If a site owner with a licensed copy of the plugin used this imported template to create a page, the malicious JavaScript would execute in their browser, potentially leading to site takeover.


Description: Cross-Site Request Forgery(CSRF)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions: <= 0.99
CVE ID: Pending
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
CVSS Score: 8.3(High)
Patched Version: N/A

As mentioned previously, none of the functions in this plugin use nonce checks, so it is possible for an attacker to perform any action that the plugin is capable of by tricking an administrator into clicking a specially crafted link designed to perform that action. This includes all the capabilities described above, including adding pages to the site, replacing site content with malicious JavaScript, and more.

What should I do?

This is an unusual situation in that the plugin has not yet been fully patched. It is still vulnerable to a CSRF attack. Additionally, firewalls (including the Wordfence Web Application Firewall) cannot protect a site against a CSRF attack as these attacks look like valid requests to your site. If you manage a site with this plugin installed, this means that the security of your site is precariously in your hands, and the hands of anyone with administrator rights to your site. CSRF attacks require the victim’s participation, usually by clicking a crafted link in an email. If this plugin is absolutely critical to your site’s functionality, we urge you to upgrade to the latest available version and exercise extreme caution when visiting any links, especially those sent to you in email messages. If you’re not actively using this plugin, we recommend disabling it and removing it until a more complete patch is available.

Disclosure Timeline

March 3, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities in the WP Lead Plus X plugin.
March 4, 2020 – Firewall rule released for Wordfence Premium users. Initial outreach to plugin developer.
March 12, 2020 – Followup with developer as no response was received. Developer confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
March 15, 2020 – Plugin developer releases initial patch including capability checks.
March 16, 2020 – Followup with developer as patched version is still vulnerable to CSRF. Developer replies that a fix for CSRF issues is forthcoming.
April 3, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we detailed two stored XSS vulnerabilities in the WP Lead Plus X plugin, as well as a CSRF vulnerability. The XSS flaws have been patched in version 0.99 and we recommend that users that rely on this plugin update to the latest version available immediately. The CSRF vulnerability has not yet been patched, and we recommend that users that can do so deactivate and delete this plugin until a more complete patch is available.

Sites running Wordfence Premium have been protected from attacks against the XSS vulnerabilities since March 4, 2020. Sites running the free version of Wordfence received the same firewall rule update on April 3, 2020.

The post Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin appeared first on Wordfence.

Read More

High Severity Vulnerability Leads to Closure of Plugin with Over 100,000 Installations

On April 1, 2020, the Wordfence Threat Intelligence team discovered a stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Datepicker, a WordPress plugin installed on over 100,000 sites. As the plugin developer’s github page indicated that the plugin was no longer being maintained, we contacted the WordPress plugins team with our disclosure, and they immediately removed the plugin from the repository for review. We also contacted the plugin’s developer and received a response verifying that they had no plans to maintain it and were satisfied with removing the plugin from the repository.

All Wordfence users, including Wordfence free and Wordfence Premium users, are protected from this vulnerability by the Wordfence Firewall’s built-in XSS protection. Nonetheless, we strongly recommend deactivating and removing this plugin.


Description: Authenticated Stored Cross-Site Scripting(XSS)
Affected Plugin: Contact Form 7 Datepicker
Plugin Slug: contact-form-7-datepicker
Affected Versions: <= 2.6.0
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 7.4(High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: N/A

The Contact Form 7 Datepicker plugin allows users to add a datepicker to forms generated by Contact Form 7, and it includes the ability to modify settings for these datepickers. In order to process these settings, it registered an AJAX action calling a function that failed to include a capability check or a nonce check. As such, it was possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a crafted request containing malicious JavaScript which would be stored in the plugin’s settings.

The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.

What should I do?

Although all sites running the Wordfence Web Application Firewall should be protected against this vulnerability, we strongly recommend deactivating and removing the Contact Form 7 Datepicker plugin if it is installed on your site. If your site is running Wordfence, the scanner should alert you if any of your plugins are vulnerable, or have been removed from the WordPress repository. As the Contact Form 7 Datepicker plugin is no longer being maintained, it will likely not ever be patched, so it may be wise to search for an alternative plugin with similar functionality.

Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to prevent widespread exploitation. We will continue to monitor the situation and provide more details in a future update.

The post High Severity Vulnerability Leads to Closure of Plugin with Over 100,000 Installations appeared first on Wordfence.

Read More

Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin

On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. The second vulnerability allowed an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice.

We reached out to the plugin’s developer the next day, on March 24, 2020, and received a response within 24 hours. We privately disclosed the full vulnerability details on March 25, 2020, and the plugin developer released a patch on March 26, 2020. We strongly recommend updating to the latest version, 1.0.41.1, as soon as possible as this is considered a critical security issue.

Wordfence Premium customers received a new firewall rule on March 24, 2020, to protect against exploits targeting this vulnerability. Wordfence users still using the free version will receive the rule after thirty days on April 23, 2020.


Description: Privilege Escalation via Unprotected REST API Endpoint
Affected Plugin: WordPress SEO Plugin – Rank Math
Plugin Slug: seo-by-rank-math
Affected Versions: <= 1.0.40.2
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 10.0.41

WordPress SEO Plugin – Rank Math is a WordPress plugin designed to assist with search engine optimization, and it has a number of features to make doing so easier, including the ability to update metadata on posts. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateMeta, which failed to include a permission_callback used for capability checking.

The vulnerable REST route:

		register_rest_route(
			$this->namespace,
			'/updateMeta',
			[
				'methods'  => WP_REST_Server::CREATABLE,
				'callback' => [ $this, 'update_metadata' ],
				'args'     => $this->get_update_metadata_args(),
			]
		);

The endpoint called a function, update_metadata which could be used to update the slug on existing posts, or could be used to delete or update metadata for posts, comments, and terms. This endpoint also allowed for updating metadata for users, leading to this critical vulnerability.

The update_metadata function:

	public function update_metadata( WP_REST_Request $request ) {
		$object_id   = $request->get_param( 'objectID' );
		$object_type = $request->get_param( 'objectType' );
		$meta        = $request->get_param( 'meta' );

		$new_slug = true;
		if ( isset( $meta['permalink'] ) && ! empty( $meta['permalink'] ) ) {
			$post     = get_post( $object_id );
			$new_slug = wp_unique_post_slug( $meta['permalink'], $post->ID, $post->post_status, $post->post_type, $post->post_parent );
			wp_update_post(
				[
					'ID'        => $object_id,
					'post_name' => $new_slug,
				]
			);
			unset( $meta['permalink'] );
		}

		$sanitizer = Sanitize::get();
		foreach ( $meta as $meta_key => $meta_value ) {
			if ( empty( $meta_value ) ) {
				delete_metadata( $object_type, $object_id, $meta_key );
				continue;
			}

			update_metadata( $object_type, $object_id, $meta_key, $sanitizer->sanitize( $meta_key, $meta_value ) );
		}

		return $new_slug;
	}

WordPress user permissions are stored in the usermeta table, which meant that an unauthenticated attacker could grant any registered user administrative privileges by sending a $_POST request to wp-json/rankmath/v1/updateMeta, with an objectID parameter set to the User ID to be modified, an objectType parameter set to user, a meta[wp_user_level] parameter set to 10, and a meta[wp_capabilities][administrator] parameter set to 1.

Alternatively, an attacker could completely revoke an existing administrator’s privileges by sending a similar request with a meta[wp_user_level] parameter and a meta[wp_capabilities] parameter set to empty values. Since many sites have a single administrator with a user ID of 1, this meant that an attacker could lock an administrator out of their own site.

Note that these attacks are only the most critical possibilities. Depending on the other plugins installed on a site, the ability to update post, term, and comment metadata could potentially be used for many other exploits such as Cross-Site Scripting (XSS).


Description: Redirect Creation via Unprotected REST API Endpoint
Affected Plugin: WordPress SEO Plugin – Rank Math
Plugin Slug: seo-by-rank-math
Affected Versions: <= 1.0.40.2
CVE ID: Will be updated once identifier is supplied.
CVSS Score: 7.4(High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H
Fully Patched Version: 10.0.41

The WordPress SEO Plugin – Rank Math plugin includes a number of optional modules, including a module that can be used to create redirects on a site. In order to add this feature, the plugin registered a REST-API endpoint, rankmath/v1/updateRedirection, which again failed to include a permission_callback for capability checking.

The vulnerable REST route:

		register_rest_route(
			$this->namespace,
			'/updateRedirection',
			[
				'methods'  => WP_REST_Server::CREATABLE,
				'callback' => [ $this, 'update_redirection' ],
			]
		);

The endpoint called a function, update_redirection, which could be used to create new redirects or modify existing redirects, with an important limitation. The redirect could not be set to an existing file or folder on the server, including the site’s main page. This limited the damage to some extent in that, while an attacker could create a redirect from most locations on the site, including new locations, or any existing post or page other than the homepage, they could not redirect visitors immediately upon accessing the site.

The update_redirection function:

	public function update_redirection( WP_REST_Request $request ) {
		$cmb     = new \stdClass;
		$metabox = new \RankMath\Redirections\Metabox;

		$cmb->object_id    = $request->get_param( 'objectID' );
		$cmb->data_to_save = [
			'has_redirect'            => $request->get_param( 'hasRedirect' ),
			'redirection_id'          => $request->get_param( 'redirectionID' ),
			'redirection_url_to'      => $request->get_param( 'redirectionUrl' ),
			'redirection_sources'     => \str_replace( home_url( '/' ), '', $request->get_param( 'redirectionSources' ) ),
			'redirection_header_code' => $request->get_param( 'redirectionType' ) ? $request->get_param( 'redirectionType' ) : 301,
		];

		if ( false === $request->get_param( 'hasRedirect' ) ) {
			unset( $cmb->data_to_save['redirection_url_to'] );
		}

		if ( empty( $request->get_param( 'redirectionID' ) ) ) {
			unset( $cmb->data_to_save['redirection_id'] );
		}

		return $metabox->save_advanced_meta( $cmb );
	}

In order to perform this attack, an unauthenticated attacker could send a $_POST request to rankmath/v1/updateRedirection with a redirectionUrl parameter set to the location they wanted the redirect to go to, a redirectionSources parameter set to the location to redirect from, and a hasRedirect parameter set to true. This attack could be used to prevent access to all of a site’s existing content, except for the homepage, by redirecting visitors to a malicious site.

Protecting REST-API Endpoints

The REST-API functionality in WordPress provides great flexibility for plugin developers. Of course, with that flexibility comes great responsibility. If your plugin is using the REST-API, make sure to include a permission_callback on any endpoints you don’t want to be available to the public, though be aware this also requires that a valid wp_rest nonce be generated and sent with any requests to the protected endpoint.

Disclosure Timeline

March 23, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities.
March 24, 2020– Initial contact with the plugin’s developer team. Firewall rule released for Wordfence Premium users.
March 25, 2020 – Plugin developer confirms appropriate inbox for handling discussion. Full vulnerability disclosure sent.
March 26, 2020 – Patched version of plugin released.
April 23, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we discussed 2 vulnerabilities caused by unprotected REST API endpoints in the WordPress SEO Plugin – Rank Math plugin. These vulnerabilities have been fully patched in version 10.0.41, and we strongly recommend that all users of this plugin upgrade to the latest version available immediately. Sites running Wordfence Premium have been protected against these vulnerabilities since March 24, 2020. Sites running the free version of Wordfence will receive the firewall rule update on April 23, 2020.

Special thanks to the developers of WordPress SEO Plugin – Rank Math for their rapid response and exemplary handling of our disclosure.

The post Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin appeared first on Wordfence.

Read More

Vulnerabilities Patched in IMPress for IDX Broker

On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application Firewall’s built-in XSS protection, we investigated the plugin further and discovered an additional stored XSS vulnerability. We also found a flaw that would allow an authenticated attacker with minimal, subscriber-level permissions to permanently delete any page or post on the site, in addition to creating pages with arbitrary titles.

We initially reached out to the plugin’s vendor the same day, on February 28, 2020, but received no response over an extended period of time. On March 19, 2020, after notifying the WordPress plugin team, we received a response from the plugin’s developer, at which time we sent the full disclosure details. A fully patched version was released on March 23, 2020, and we recommend updating to the latest version, 2.6.2, immediately.

Wordfence Premium users received a new firewall rule on March 2nd to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on April 1, 2020.


Description: Authenticated Stored Cross-Site Scripting(XSS)
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: Pending
CVSS Score: 7.4 (high)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 2.6.2

The IMPress for IDX Broker plugin contains a captcha feature to prevent spam submissions. Since it uses Google’s ReCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not use capability checks or nonce checks.

This made it  possible for a logged-in attacker with minimal permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to a malicious JavaScript, which could then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

As with most attacks taking advantage of stored XSS in admin areas, this could be used to make use of the administrator’s session in order to create a new, malicious administrative user.

The AJAX action:

add_action( 'wp_ajax_idx_update_recaptcha_key', array( $this, 'idx_update_recaptcha_key' ) );

The vulnerable function:

	public function idx_update_recaptcha_key() {
		if ( $_POST['idx_recaptcha_site_key'] ) {
			update_option( 'idx_recaptcha_site_key', $_POST['idx_recaptcha_site_key'], false );
			echo 1;
		} else {
			delete_option( 'idx_recaptcha_site_key' );
			echo 'error';
		}
		die();
	}

Description: Authenticated Post Creation, Modification, and Deletion
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: CVE-2020-9514
CVSS score: 8.1(high)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Fully Patched Version: 2.6.2

One of the features included with the IDX Broker plugin is the ability to create and delete “dynamic pages,” intended to ensure that any IDX pages match the site’s style and branding.

The plugin registers 2 AJAX actions that are used to do this:

add_action( 'wp_ajax_create_dynamic_page', array( $this, 'idx_ajax_create_dynamic_page' ) );
add_action( 'wp_ajax_delete_dynamic_page', array( $this, 'idx_ajax_delete_dynamic_page' ) );

Once again, neither of the functions called by these AJAX actions used capability checks or nonce checks. As such it was possible for an authenticated attacker with minimal, subscriber-level, permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page:

	public function idx_ajax_create_dynamic_page() {

		// default page content
		$post_content = $this->does_theme_include_idx_tag();

		$post_title = $_POST['post_title'] ? $_POST['post_title'] : 'Properties';
		$new_post   = array(
			'post_title'   => $post_title,
			'post_name'    => $post_title,
			'post_content' => $post_content,
			'post_type'    => 'idx-wrapper',
			'post_status'  => 'publish',
		);
		if ( $_POST['wrapper_page_id'] ) {
			$new_post['ID'] = $_POST['wrapper_page_id'];
		}
		$wrapper_page_id = wp_insert_post( $new_post );
		update_option( 'idx_broker_dynamic_wrapper_page_name', $post_title, false );
		update_option( 'idx_broker_dynamic_wrapper_page_id', $wrapper_page_id, false );
		$wrapper_page_url = get_permalink( $wrapper_page_id );
		$this->idx_api->set_wrapper( 'global', $wrapper_page_url );
		update_post_meta( $wrapper_page_id, 'idx-wrapper-page', 'global' );

		die(
			json_encode(
				array(
					'wrapper_page_id'   => $wrapper_page_id,
					'wrapper_page_name' => $post_title,
				)
			)
		);
	}

Alternatively, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, then that post or page would be permanently deleted:

	public function idx_ajax_delete_dynamic_page() {
		if ( $_POST['wrapper_page_id'] ) {
			wp_delete_post( $_POST['wrapper_page_id'], true );
			wp_trash_post( $_POST['wrapper_page_id'] );
		}
		die();
	}

Disclosure Timeline

February 28, 2020 – Our Threat Intelligence team discovers and analyzes vulnerabilities in the IMPress for IDX Broker plugin while reviewing a recently patched vulnerability. We attempt to make contact with the plugin vendor.
March 2, 2020 – Firewall rule released for Wordfence Premium users.
March 19, 2020 – After followup with WordPress.org plugin team, plugin vendor confirms appropriate mailbox, and we provide them with full disclosure.
March 23, 2020 – Fully patched version becomes available.
April 1, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we detailed several vulnerabilities including stored XSS and Post creation, modification, and deletion found in the IMPress for IDX Broker plugin. These flaws have been patched in version 2.6.2, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since March 2, 2020. Sites running the free version of Wordfence received the firewall rule update on April 1, 2020.

The post Vulnerabilities Patched in IMPress for IDX Broker appeared first on Wordfence.

Read More

Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites

On March 4th, our Threat Intelligence team discovered several vulnerabilities in Popup Builder, a WordPress plugin installed on over 100,000 sites. One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded. The other vulnerability allowed any logged-in user, even those with minimal permissions such as a subscriber, to export a list of all newsletter subscribers, export system configuration information, and grant themselves access to various features of the plugin.

We privately disclosed these issues to the plugin’s author, who responded within a few hours. We worked with the developer over the course of a week to ensure the vulnerabilities were fully patched.

We highly recommend updating to the latest version, 3.64.1, immediately. Wordfence Premium customers received a new firewall rule on March 5, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive the rule after thirty days, on April 4, 2020.


Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin:  Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10196
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 3.64.1

The Popup Builder plugin allows the creation of various popups on a WordPress site, which includes the ability to run custom Javascript when a popup is loaded. It registered an AJAX hook, wp_ajax_nopriv_sgpb_autosave, intended to allow auto-saving of draft popups.

add_action('wp_ajax_nopriv_sgpb_autosave', array($this, 'sgpbAutosave'));

Unfortunately, this hook was available to unprivileged users, and the function it called lacked nonce checks or capability checks. This meant that an unauthenticated attacker could send a POST request to wp-admin/admin-ajax.php with an array parameter, ‘allPopupData’, containing a number of key-value pairs including a popup’s ID (visible in the page source) and a malicious JavaScript payload, which would then be saved in that popup’s settings and executed whenever a visitor navigated to a page where the popup was displayed.

	public function sgpbAutosave()
	{
		$popupId = @(int)$_POST['post_ID'];
		$postStatus = get_post_status($popupId);
		if ($postStatus == 'publish') {
			echo '';
			wp_die();
		}

		if (!isset($_POST['allPopupData'])) {
			echo true;
			wp_die();
		}
		$popupData = SGPopup::parsePopupDataFromData($_POST['allPopupData']);
		do_action('save_post_popupbuilder');
		$popupType = $popupData['sgpb-type'];
		$popupClassName = SGPopup::getPopupClassNameFormType($popupType);
		$popupClassPath = SGPopup::getPopupTypeClassPath($popupType);
		if (file_exists($popupClassPath.$popupClassName.'.php')) {
			require_once($popupClassPath.$popupClassName.'.php');
			$popupClassName = __NAMESPACE__.'\\'.$popupClassName;
			$popupClassName::create($popupData, '_preview', 1);
		}

		wp_die();
	}

Note the lack of nonce and permission checks in this function. The function does attempt to prevent changes being saved to any popup in ‘publish’ status. However, if no ‘post_ID’ parameter is supplied, this check will be bypassed and the post id supplied in the ‘allPopupData’ parameter will be updated instead.

Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in.


Description: Authenticated Settings Modification, Configuration Disclosure, and User Data Export
Affected Plugin:  Popup Builder – Responsive WordPress Pop up – Subscription & Newsletter
Plugin Slug: popup-builder
Affected Versions: <= 3.63
CVE ID: CVE-2020-10195
CVSS Score: 6.3 (Medium)
CVSS Vector:  CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Fully Patched Version: 3.64.1

In addition to a stored XSS vulnerability, Popup Builder also had a set of vulnerabilities that could be exploited by logged-in users with minimal permissions, such as subscribers. The vulnerable actions included:

add_action('admin_post_csv_file', array($this, 'getSubscribersCsvFile'));
add_action('admin_post_sgpb_system_info', array($this, 'getSystemInfoFile'));
add_action('admin_post_sgpbSaveSettings', array($this, 'saveSettings'), 10, 1);

By sending a $_POST request to admin-post.php with the ‘action’ parameter set to ‘sgpbSaveSettings’ and the ‘sgpb-user-roles[]’ parameter set to ‘subscriber’, an attacker could grant all subscriber-level users (including themselves) a number of permissions related to the plugin’s functionality. In addition to granting access to create and manage categories and newsletters, this would allow an attacker to make use of other AJAX functions that were protected by nonces, but not by capability checks, since usable nonces were displayed on these pages.

The vulnerable function code:

	public function saveSettings()
	{
		$postData = $_POST;
		$deleteData = 0;

		if (isset($postData['sgpb-dont-delete-data'])) {
			$deleteData = 1;
		}
		$userRoles = @$postData['sgpb-user-roles'];

		update_option('sgpb-user-roles', $userRoles);
		update_option('sgpb-dont-delete-data', $deleteData);

		wp_redirect(admin_url().'edit.php?post_type='.SG_POPUP_POST_TYPE.'&page='.SG_POPUP_SETTINGS_PAGE);
	}

Alternatively, a $_POST request could be sent to admin-post.php with the ‘action’ parameter set to ‘csv_file’, making it possible to export a list of newsletter subscribers. As a result, an attacker could gain access to sensitive newsletter subscriber information and use this during a social engineering attack against those subscribers.

The vulnerable function code:

	public function getSubscribersCsvFile()
	{
		global $wpdb;
		$query = AdminHelper::subscribersRelatedQuery();
		if (isset($_GET['orderby']) && !empty($_GET['orderby'])) {
			if (isset($_GET['order']) && !empty($_GET['order'])) {
				$query .= ' ORDER BY '.esc_sql($_GET['orderby']).' '.esc_sql($_GET['order']);
			}
		}
		$content = '';
		$exportTypeQuery = '';
		$rows = array('first name', 'last name', 'email', 'date', 'popup');
		foreach ($rows as $value) {
			$content .= $value;
			if ($value != 'popup') {
				$content .= ',';
			}
		}
		$content .= "\n";
		$subscribers = $wpdb->get_results($query, ARRAY_A);

		$subscribers = apply_filters('sgpbSubscribersCsv', $subscribers);

		foreach($subscribers as $values) {
			foreach ($values as $key => $value) {
				$content .= $value;
				if ($key != 'subscriptionTitle') {
					$content .= ',';
				}
			}
			$content .= "\n";
		}

		$content = apply_filters('sgpbSubscribersContent', $content);

		header('Pragma: public');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Cache-Control: private', false);
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=subscribersList.csv;');
		header('Content-Transfer-Encoding: binary');
		echo $content;
	}

Furthermore, the ‘action’ parameter could be changed to ‘sgpb_system_info’ and reveal potentially sensitive system configuration information, including all installed plugins and their activation status. This data could be used by an attacker to craft a more sophisticated attack against a target site. If another vulnerable plugin was installed on the site, an attacker could discover this and attempt to escalate their attack by exploiting it.

The vulnerable function code:

	public function getSystemInfoFile()
	{
		$content = AdminHelper::getSystemInfoText();

		header('Pragma: public');
		header('Expires: 0');
		header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
		header('Cache-Control: private', false);
		header('Content-Type: application/octet-stream');
		header('Content-Disposition: attachment; filename=popupBuilderSystemInfo.txt;');
		header('Content-Transfer-Encoding: binary');

		echo $content;
	}

Disclosure Timeline

March 4, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities in the Popup Builder plugin.
March 5, 2020 – Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor. Plugin vendor responds within a few hours, and we send over the full vulnerability report.
March 6, 2020 – Plugin vendor sends patched version to us for review. Additional guidance provided to strengthen security.
March 11, 2020 – Fully patched version released.
April 4, 2020 – Firewall rule available to free users.

Conclusion

In today’s post, we detailed several vulnerabilities including unauthenticated stored XSS, settings modification, configuration disclosure, and user data export found in the Popup Builder plugin. These flaws have been patched in version 3.64.1 and we recommend that users update to the latest version available immediately. While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover. Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since March 5, 2020. Sites running the free version of Wordfence will receive the same firewall rule update on April 4, 2020.

The post Vulnerabilities Patched in Popup Builder Plugin Affecting over 100,000 Sites appeared first on Wordfence.

Read More

Active Attack on Zero Day in Custom Searchable Data Entry System Plugin

The Wordfence Threat Intelligence team is tracking a series of attacks against an unpatched vulnerability in the Custom Searchable Data Entry System plugin for WordPress. The estimated 2,000+ sites running the plugin are vulnerable to Unauthenticated Data Modification and Deletion, including the potential to delete the entire contents of any table in a vulnerable site’s database.

We have reached out to the plugin developer, however the plugin does not appear to be actively maintained. The last update occurred approximately one year ago.

We have released a firewall rule to protect against exploitation of this flaw. Wordfence Premium users have received this rule already, and users still on the free version of Wordfence will receive the rule in 30 days.

Attackers are currently abusing this exploit. As such, if you are not using Wordfence Premium, we recommend that you deactivate and delete this plugin from your sites and look for an alternative as a patch is not currently available.

The vulnerability in this plugin is being actively exploited, and the Wordfence Threat Intelligence team has seen over 10,000 active exploit attempts over the last few days in our attack data.

We are not disclosing further details about this vulnerability until we can determine feasibility of a fix by the plugin author.

Why We Are Disclosing Today

There is an active attack campaign underway that is targeting WordPress websites and exploiting this vulnerability. We made the decision to disclose the existence of this vulnerability now so that the global WordPress community can take steps to protect themselves immediately.

Special thanks to our Director of Threat Intelligence, Sean Murphy, who discovered the attack.

The post Active Attack on Zero Day in Custom Searchable Data Entry System Plugin appeared first on Wordfence.

Read More

Multiple Vulnerabilities Patched in RegistrationMagic Plugin

On February 24th, our Threat Intelligence team discovered several critical vulnerabilities in Registration Magic, a WordPress plugin installed on over 10,000 sites, including the vendor’s own site.

These allowed an attacker with subscriber-level permissions to elevate their account’s privileges to those of an administrator and to export every form on the site, including all the data that had been submitted to them in the past. Additionally, through a number of unprotected AJAX actions, an attacker with subscriber-level permissions could send arbitrary emails, import a custom vulnerable form, replace an existing form with their uploaded form, and use the vulnerable form to register a new administrative user. Finally, none of the administrative functions used by the plugin included nonce checks, making the plugin vulnerable to cross-site request forgery (CSRF) attacks – it was possible for an attacker to forge requests on behalf of an administrator to update any of the plugin’s settings.

We privately disclosed these issues to the plugin’s author, who released a patch 2 days after receiving our full report. Wordfence Premium users received a new firewall rule on February 25th to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on March 26, 2020.


Description: Authenticated Privilege Escalation
Affected Plugin: RegistrationMagic – Custom Registration Forms and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 4.6.0.3
CVE ID: CVE-2020-9456
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9(Critical)
Patched Version: 4.6.0.4

The Registration Magic plugin allows WordPress users to create customized registration forms, track registration submissions, manage users, analyze stats and assign user roles, as well as accept payments.

While quite powerful, there are a number of functions in the plugin used for administrative purposes that are not protected by capability checks or nonces, all of which are processed using custom forms generated by the plugin. Additionally, the plugin automatically creates and publishes a page upon activation, accessible to subscribers at /rm_submissions. This page is intended to allow users to view their previous form submissions, but it could also be used to render and process forms that were only intended to be accessed by administrators. Sending a request to this page with the ‘rm_slug’ $_POST parameter set to ‘rm_user_edit’ and the ‘user_id’ parameter set to the user’s ID (which can typically be obtained from the user’s profile page) caused the plugin to generate a form which could be used to change the user’s role to administrator. Unfortunately, this form didn’t use a capability check or a nonce, so it could be used by a subscriber to update their own role to administrator.

    public function edit($model, RM_User_Services $service, $request, $params)
    {
        if (isset($request->req['user_id']))
        {
            if ($this->mv_handler->validateForm("rm_edit_user"))
            {
                if (isset($request->req['user_password']) && isset($request->req['user_password_conf']))
                {
                    if ($request->req['user_password'] && $request->req['user_password_conf'] && $request->req['user_id'])
                        $service->reset_user_password($request->req['user_password'], $request->req['user_password_conf'], $request->req['user_id']);
                    $service->set_user_role($request->req['user_id'], $request->req['user_role']);

Description: CSRF to Settings Modification
Affected Plugin: RegistrationMagic – Custom Registration Forms and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 4.6.0.3
CVE ID: CVE-2020-9454
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 8.0(High)
Patched Version: 4.6.0.4

Not only did the Registration Magic plugin fail to check nonces in the previously mentioned vulnerability, it actually did not check nonces for any of its functionality, including the forms used to save changes to the plugin settings. As such it was possible for an attacker to forge a crafted request on behalf of a site administrator in order to modify the plugin’s settings, which included the ability to delete existing users or add new user roles. It could even be used to allow forms to accept php files, which could then be used to upload a backdoor which could allow an attacker full control over the WordPress site.


Description: Authenticated Email Injection
Affected Plugin: RegistrationMagic – Custom Registration Forms and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 4.6.0.3
CVE ID: CVE-2020-9455
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS Score: 6.4(Medium)
Patched Version: 4.6.0.4

In addition to allowing a subscriber to elevate their privileges, the Registration Magic plugin also allowed a subscriber to send emails from the site to any email address, with a subject and body of their choice. This could be used to send spam, but this flaw would also make tricking a site  administrator into clicking a link in order to perform a CSRF attack much easier. This functionality actually used an unprotected AJAX action, which is an extremely common attack vector in WordPress. Although it was only available to subscribers, much of the plugin’s functionality was geared towards an improved user experience for subscribers, so this was a surprising oversight.

$this->loader->add_action('wp_ajax_send_email_user_view', new RM_User_Services(), 'send_email_ajax');
    public static function send_email_ajax()
    {
        $to = $_POST['to'];
        $sub = $_POST['sub'];
        $body = $_POST['body'];
        
        RM_Utilities::quick_email($to, $sub, $body);
        
        wp_die();
    }

As you can see, the ‘send_email_ajax’ function doesn’t use any capability or nonce checks, so any logged-in user could use it to send email from the site.


Description: Authenticated Settings and User Data Export
Affected Plugin: RegistrationMagic – Custom Registration Forms and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 4.6.0.3
CVE ID: CVE-2020-9458
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 4.3(Medium)
Patched Version: 4.6.0.4

Using the same /rm_submissions endpoint as the authenticated privilege escalation vulnerability, a logged-in attacker could also send a request with the ‘rm_slug’ $_POST parameter set to ‘rm_form_export’, which caused the plugin to export every form on the site, including everything that had ever been submitted to any of these forms (though this did not include login credentials). Again, the export function lacked access control or a nonce check, and in addition to exposing potentially sensitive information, an attacker could use the exported form data to launch yet another type of attack. For those sites with sensitive personally identifiable user information, such as commerce sites, this vulnerability was particularly concerning.

*The vulnerable function has more than 230 lines of code. For brevity,  we’re not showing it here, but it is available to review in the plugin repository.


Description: Authenticated Settings Import -> Privilege Escalation
Affected Plugin: RegistrationMagic – Custom Registration Forms and User Login
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 4.6.0.3
CVE ID: CVE-2020-9457
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 8.0(High)
Patched Version: 4.6.0.4

There was one more method an attacker could use to create an administrator, though it took a bit more work and a few more steps. One of the more advanced features of the Registration Magic plugin allowed the creation of forms that saved user-submitted content directly into the usermeta table in the site’s database. While this functionality was intended to store additional metadata about the user, this table is also used to store a user’s permissions, using the wp_user_level and wp_capabilities keys, and a custom form could be created to modify the contents of these keys. Another advanced feature was the ability to make forms “expire” after a certain date or number of submissions, and to automatically substitute a different form at that time.

Unfortunately, thanks to more unprotected AJAX actions, an attacker could upload a customized “vulnerable” registration form. They could then use the data export vulnerability to grab the information they needed to launch the next step: by using yet another unprotected AJAX action, they could set an existing form on the site to expire after 0 submissions, and replace it with their newly uploaded form. Once the vulnerable form was active, the attacker could register as an administrator.

If no forms were published, but the plugin’s “Magic Button” functionality was enabled, an attacker could also use an unprotected AJAX action to set their uploaded form as the “Default” form, which could be submitted from anywhere on the site.

The registered AJAX actions:

$this->loader->add_action('wp_ajax_rm_save_form_view_sett', new RM_Form_Settings_Controller(), 'view');
$this->loader->add_action('wp_ajax_set_default_form', 'RM_Utilities', 'set_default_form');
$this->loader->add_action('wp_ajax_import_first', 'RM_Services', 'import_form_first_ajax');
$this->loader->add_action('wp_ajax_rm_admin_upload_template', $rm_admin, 'upload_template'); 

The vulnerable functions – note the lack of capability checks and nonce checks:

    public function upload_template(){
       if($_FILES){
               $name=get_temp_dir().'RMagic.xml';
               if(is_array($_FILES['file']['tmp_name']))
               $status= move_uploaded_file ( $_FILES['file']['tmp_name']['0'] , $name );
               else
               $status= move_uploaded_file ( $_FILES['file']['tmp_name'], $name );    
               echo json_encode(array('success'=>$status));
        }
    public static function import_form_first_ajax() {
        $form_id = null;
        if (isset($_POST['form_id'])) {
            $form_id = $_POST['form_id'];
        }        
        echo self::import_form_first(null, $form_id);
        wp_die();
    }
    function view($model=null, $service=null, $request=null, $params=null) {
        if (!$request instanceof RM_Request) {
            $postdata = file_get_contents("php://input");
            $request = json_decode($postdata);
            if(isset($request->form_id) && (int)$request->form_id){
                $model = new RM_Forms;
                $model->load_from_db($request->form_id);
                $model->set((array)$request);
                $model->update_into_db();
                echo 'saved';
    public static function set_default_form() {
        if (isset($_POST['rm_def_form_id'])) {
            $gopts = new RM_Options;
            $gopts->set_value_of('default_form_id', $_POST['rm_def_form_id']);
        }
        die;
    }

Disclosure Timeline

February 21, 2020 – Lower-severity vulnerabilities discovered with indications that higher-severity vulnerabilities might be present.
February 24, 2020 – Higher-Severity vulnerabilities discovered and analyzed.
February 25, 2020 – Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor.
February 26, 2020 – Vendor confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
February 28, 2020 – Vendor releases an update patching vulnerabilities.
March 26th, 2020 – Firewall rule becomes available to free users.

Conclusion

In today’s post, we detailed several vulnerabilities including CSRF, email injection, and privilege escalation found in the Registration Magic plugin. These flaws have been patched in version 4.6.0.4, and we recommend that users update to the latest version available immediately. While we have not detected any malicious activity targeting Registration Magic, some of these vulnerabilities are severe enough to allow complete site takeover. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 25th. Sites running the free version of Wordfence will receive the same firewall rule update on March 26th, 2020.

 

The post Multiple Vulnerabilities Patched in RegistrationMagic Plugin appeared first on Wordfence.

Read More