WordPress Patches Privilege Escalation Vulnerabilities

Privilege escalation vulnerabilities in WordPress allow attackers to access features that were intended for administrators only, RIPS Tech security researchers say. 

An attacker holding a WordPress account with a role as low as contributor (WordPress being the free, open-source content management system built on PHP and MySQL) could exploit the bugs to create posts of post types that the role is not supposed to have access to.

The root cause is a logic flaw in how WordPress creates posts, the researchers say. In WordPress core it leads to a stored XSS and an object injection; in the popular plugins Contact Form 7 and Jetpack it leads to more severe vulnerabilities.

At its core WordPress is blogging software: it supports the creation and publishing of several post types and lets plugins register new ones to provide their own features. A plugin can restrict a registered post type to administrators, which is meant to keep that type's features away from lower-privileged users.

However, RIPS discovered that the security checks implemented by WordPress could be bypassed to create posts of any type and misuse the features of custom post types. Furthermore, depending on the installed plugins, more severe vulnerabilities can be exploited, the researchers say. 

“When for example WordPress’s most popular plugin, Contact Form 7, which has over 5 million active installs, was used, attackers were able to read the database credentials of the target WordPress site. Most of the top WordPress plugins are vulnerable to this privilege escalation,” RIPS explains. 

When a user attempts to create or update a post, WordPress checks which operation the user wants to perform, which post type is being created, and whether the user is allowed to use that post type. The last check is implemented by verifying a nonce that is issued only on the editor page of the post type in question, so a user who cannot open that page is not expected to hold a valid nonce.

What the researchers discovered is that a malicious user in the contributor role, who cannot open the editor page of the restricted post type and therefore lacks its nonce, can still open the editor of an ordinary post (internal post type post) and obtain the nonce tied to that post's ID. By submitting the ID of such a post, the attacker passes the nonce verification.

On its own this would only let the attacker update that existing post, whose type cannot be changed. The restriction to an existing post, however, applies only when one particular request parameter is supplied, and WordPress did not verify that a second parameter was present as well. By shaping the request accordingly, an attacker could pass the nonce verification and still create a new post of an arbitrary post type.

A lower-privileged user can therefore create posts of any type, but the impact on a given site depends on which plugins are installed and what features their post types expose. With Contact Form 7, for example, the bug could be chained to read the contents of the target site's wp-config.php file.

Because the plugin allowed setting local file attachments, an attacker could “create a new contact form, set the local file attachment to ../wp-config.php and set the email to which the data should be sent to his own, submit the form and then read the contents of the most important WordPress file,” the researchers explain.
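The following is an added example, not code from WordPress, RIPS, or Contact Form 7. It shows the two defensive checks the passages above call for: a plugin's save handler that re-verifies the administrator capability and a post-bound nonce instead of trusting that the post-type gate held upstream, and a path confinement routine that rejects an attachment name such as `../wp-config.php` before it is ever stored. The post type `example_form`, the form fields `example_form_nonce` and `example_attachment`, the meta key `_example_attachment` and the function `example_confine_path()` are hypothetical names chosen for this illustration; the WordPress API calls (`register_post_type`, `wp_verify_nonce`, `current_user_can`, `wp_upload_dir`, `update_post_meta`) are real.

```php
<?php
/**
 * Plugin Name: Example hardened custom post type
 * Description: Illustrative defense in depth for an admin-only post type whose
 *              posts carry a file attachment setting. Hypothetical example,
 *              not code from WordPress or Contact Form 7.
 */

// Register an admin-only post type. The bypass described in the article shows
// that this gate alone can fail, so nothing below relies on it having held.
add_action( 'init', function () {
    register_post_type( 'example_form', array(
        'public'          => false,
        'show_ui'         => true,
        'supports'        => array( 'title' ),
        'capability_type' => 'post',
        'map_meta_cap'    => true,
        'capabilities'    => array(
            'create_posts' => 'manage_options', // only administrators may add
            'edit_posts'   => 'manage_options', // ...or list and edit these posts
        ),
    ) );
} );

/**
 * Resolve a user-supplied relative attachment name to a file inside $base_dir.
 * Returns the resolved absolute path, or null if the name is absolute, names a
 * non-existent file, or escapes $base_dir (e.g. '../wp-config.php').
 * Pure PHP, so it can be exercised without a WordPress install.
 */
function example_confine_path( $base_dir, $requested ) {
    $base = realpath( $base_dir );
    if ( false === $base || '' === $requested ) {
        return null;
    }
    // Reject NUL bytes, POSIX absolute paths and Windows drive-letter paths.
    if ( false !== strpos( $requested, "\0" )
        || preg_match( '#^([\\\\/]|[A-Za-z]:)#', $requested ) ) {
        return null;
    }
    // realpath() resolves '..' segments and symlinks against the real
    // filesystem and returns false when the target does not exist.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $candidate || ! is_file( $candidate ) ) {
        return null;
    }
    // The resolved file must sit strictly below the base directory.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strpos( $candidate, $prefix ) ) {
        return null;
    }
    return $candidate;
}

// Persist the attachment setting only after re-checking authorization and
// confining the path, however the post of this type came to exist.
add_action( 'save_post_example_form', function ( $post_id, $post, $update ) {
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // Defense in depth: require the administrator capability directly rather
    // than assuming the post-type capability check was enforced on the way in.
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // Nonce bound to this specific post and action (hypothetical field name).
    $nonce = isset( $_POST['example_form_nonce'] )
        ? sanitize_key( wp_unslash( $_POST['example_form_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_form_save_' . $post_id ) ) {
        return;
    }
    $requested = isset( $_POST['example_attachment'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_attachment'] ) ) : '';
    $uploads   = wp_upload_dir();
    $base_real = realpath( $uploads['basedir'] );
    $resolved  = example_confine_path( $uploads['basedir'], $requested );
    if ( false === $base_real || null === $resolved ) {
        delete_post_meta( $post_id, '_example_attachment' ); // refuse, never fall back
        return;
    }
    // Store the normalized name relative to the uploads directory, not the raw input.
    update_post_meta( $post_id, '_example_attachment', substr( $resolved, strlen( $base_real ) + 1 ) );
}, 10, 3 );
```

`example_confine_path()` is plain PHP and can be tried outside WordPress: create a directory containing a `wp-config.php` and an `uploads/` subdirectory with a test file, then call it with `uploads` as the base; the test file's name resolves, while `../wp-config.php` and `/etc/passwd` return null. Whatever later reads `_example_attachment` back to build the e-mail should re-join it to the uploads directory through the same check rather than trusting the stored value.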

According to RIPS, thousands of plugins are potentially exposed to attacks of this kind. Additionally, one of WordPress's own internal post types was affected by a stored XSS and an object injection bug, which could let an attacker take over the site.

Related: Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress

Related: Unpatched WordPress Flaw Leads to Site Takeover, Code Execution

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
