Privilege escalation vulnerabilities in WordPress allow attackers to access features that were intended for administrators only, RIPS Tech security researchers say.
An attacker with a user role as low as contributor on WordPress – the free and open-source content management system based on PHP and MySQL – could exploit the security bugs to create posts of post types they usually should not have access to.
The root cause of the issue is a logic flaw in the manner in which WordPress creates blog posts, the researchers say. This leads to a Stored XSS and Object Injection in the WordPress core, as well as to more severe vulnerabilities in the popular WordPress plugins Contact Form 7 and Jetpack.
Being blogging software at the core, WordPress supports the creation and publishing of different post types and also allows plugins to register new post types, to provide unique and new features. Access to registered post types can be restricted to administrators only, thus mitigating security risks.
However, RIPS discovered that the security checks implemented by WordPress could be bypassed to create posts of any type and misuse the features of custom post types. Furthermore, depending on the installed plugins, more severe vulnerabilities can be exploited, the researchers say.
“When for example WordPress’s most popular plugin, Contact Form 7, which has over 5 million active installs, was used, attackers were able to read the database credentials of the target WordPress site. Most of the top WordPress plugins are vulnerable to this privilege escalation,” RIPS explains.
When a user attempts to create or update a post, WordPress checks which operation the user wants to perform, the post type the user is trying to create, and whether they are allowed to use that post type. The last step is performed by verifying a nonce that can be obtained from the editor page of the post type in question.
What the researchers discovered was that a malicious user in the contributor role has no access to the editor page, and therefore no access to the nonce, of a restricted post type (the researchers' example type), but can obtain the nonce of a normal post, whose internal post type is post. By setting the post ID to a post of type post, they could pass the nonce verification.
On its own, this would only let the attacker update an existing post; it does not let them change its post type. However, that restriction applies only when a specific request parameter is used, and WordPress did not check for the presence of a second parameter, so an attacker could pass the nonce verification and still create a new post with an arbitrary post type.
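As an added illustration of the defensive side (not code from RIPS or from WordPress core), the following hypothetical plugin registers an administrator-only post type and re-checks, on the server, that the current user may edit the post type actually requested, so that a nonce obtained from the ordinary post editor gives no advantage. The hooks and functions are real WordPress APIs; the post type name `acme_secret` and its capabilities are made up for the example.

```php
<?php
/**
 * Hypothetical plugin (added example, not WordPress core or RIPS code).
 * Registers an admin-only custom post type and adds a server-side guard
 * so that a valid nonce for a *different* post type cannot be used to
 * create or update posts of this one.
 */

add_action( 'init', function () {
    register_post_type( 'acme_secret', array(
        'label'           => 'Secret Items',
        'show_ui'         => true,
        // A distinct capability type keeps this post type off the default
        // "post" capabilities that contributors already hold.
        'capability_type' => 'acme_secret',
        'map_meta_cap'    => true,
    ) );
} );

// Only administrators receive the primitive capabilities of the new type.
add_action( 'admin_init', function () {
    $role = get_role( 'administrator' );
    if ( ! $role ) {
        return;
    }
    foreach ( array( 'edit_acme_secrets', 'edit_others_acme_secrets',
                     'publish_acme_secrets', 'delete_acme_secrets' ) as $cap ) {
        $role->add_cap( $cap );
    }
} );

/**
 * Defence in depth: before any post is written, verify that the current
 * user is allowed to edit the *requested* post type. This check does not
 * depend on the nonce, which only proves the request came from some editor
 * page, not from the editor of this particular post type.
 */
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    $type = isset( $data['post_type'] ) ? $data['post_type'] : 'post';
    $pto  = get_post_type_object( $type );
    if ( ! $pto || ! current_user_can( $pto->cap->edit_posts ) ) {
        // 403 is passed as the response code; wp_die accepts an int here.
        wp_die( 'You are not allowed to create or edit posts of this type.', 403 );
    }
    return $data;
}, 10, 2 );
```

The guard runs for every post type, so a contributor who reaches the write path with a nonce from a normal post is still rejected unless they hold the capability of the type they asked for.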
A lower privileged user can therefore create posts of any type, but the impact on a target site depends on which plugins are installed and on the features offered by the post types those plugins register. In the case of Contact Form 7, an attacker could abuse the bug to read the contents of the wp-config.php file of the target site.
Because the plugin allowed setting local file attachments, an attacker could “create a new contact form, set the local file attachment to ../wp-config.php and set the email to which the data should be sent to his own, submit the form and then read the contents of the most important WordPress file,” the researchers explain.
According to RIPS, thousands of plugins are potentially vulnerable to such attacks. Additionally, one of WordPress’s internal post types is impacted by a Stored XSS and Object Injection, which could result in an attacker taking over the site.