Exploiting authorization by nonce in WordPress plugins
Vulnerabilities in WordPress plugins arise from nonce misuse, leading to privilege escalation. Critical issues include RCE in Advanced File Manager and Filester, and SQL injection in Squirrly SEO plugin.
Read original article
The article discusses vulnerabilities in WordPress plugins, particularly focusing on the misuse of nonces for authorization, which can lead to privilege escalation. Nonces are intended to secure AJAX and REST requests, but many plugins rely solely on them for authorization, creating exploitable weaknesses. The author identifies three critical vulnerabilities in popular plugins: Advanced File Manager, Filester, and the SEO Plugin by Squirrly. The Advanced File Manager is susceptible to Remote Code Execution (RCE) through arbitrary file uploads, allowing unauthorized users to upload malicious files. Filester also has a similar vulnerability, where any user can manipulate settings without proper authorization checks. Lastly, the Squirrly SEO plugin is vulnerable to semi-blind SQL injection due to improper sanitization of input parameters, enabling attackers to extract sensitive database information. The article emphasizes the importance of proper security practices in plugin development to mitigate these risks.
- Many WordPress plugins misuse nonces for authorization, leading to security vulnerabilities.
- Critical vulnerabilities identified include RCE in Advanced File Manager and Filester, and SQL injection in Squirrly SEO plugin.
- Unauthorized users can exploit these vulnerabilities to gain access to sensitive functionalities and data.
- Proper authorization checks are often missing in AJAX and REST API implementations in plugins.
- The article highlights the need for improved security practices among WordPress plugin developers.
Related
Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack
A supply-chain attack compromised 36,000 websites using backdoored WordPress plugins. Malicious code added to updates creates attacker-controlled admin accounts, manipulating search results. Users urged to uninstall affected plugins and monitor for unauthorized access.
5 WordPress Plugins Compromised; Millions of Websites at Risk
Millions of WordPress sites face security risks from hacked plugins allowing unauthorized access. Owners urged to check, deactivate compromised plugins, update regularly, use strong passwords, two-factor authentication, and security plugins.
Critical Bug in Docker Engine Allowed Attackers to Bypass Authorization Plugins
A critical vulnerability in Docker Engine allows attackers to bypass authorization, risking unauthorized access to containers. Organizations are urged to apply patches and enhance security measures to mitigate these risks.
Over 1M websites are at risk of sensitive information leakage
Over one million websites face risks of sensitive data leakage due to XSS and OAuth vulnerabilities. Hotjar's JavaScript code analysis revealed exploitable weaknesses, prompting recommendations for enhanced security measures.
Auditing Atlassian Plugins, 53 0-Days Later
The blog post reveals 53 zero-day vulnerabilities in Atlassian plugins, emphasizing the need for regular audits and caution due to potential security risks like XSS, session hijacking, and unauthorized actions.
6 commentsFor #3 especially, it's pretty confusing to single out nonces as especially vulnerable. Any secret defined in wp_config would have been similarly exposed by this exploitation method. For example, the SECURE_AUTH_KEY or the LOGIN_KEY. If you had found an installation that put those values in the database (probably common for multiuser installs), would you have instead written an article that claimed "Wordpress logged in sessions should never be used for authentication"? Or that wordpress auth sessions are "often misused by developers"? Similarly with #2, you make a haphazard effort to tie the improperly sanitized uploaded files back to nonces by saying "a nonce is required to acces the uploaded file", but that really doesn't have anything to do with the vulnerability itself—many users on wordpress installs are required / expected to upload publicly visible files, or files visible to their own user. Or even files visible to the administrator! The method of authenticating access to the files has nothing to do with the vulnerability itself, it was only a small piece of trivia required to properly exploit it in this specific plugin in some cases.
Even popular plugins don’t do the bare minimum like escaping output.
Security in WP seems more like an afterthought to me, which is a shame to say the least.
I am not sure how widespread this specific nonce problem is.
It definitely is a problem -- I am not disputing that.
(Just as it's a problem that people have tended to assume that is_admin() or admin-ajax implies that by the time your hook runs, there's already a valid administrator session, when there isn't. But this is covered in the documentation.)
But the concept here is actually pretty obscure to WP developers so I would imagine they tend to consult the documentation, where they will encounter this at the end of the process:
https://developer.wordpress.org/reference/functions/wp_verif...
Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.
--
As to the rest of the article, I wish it were written less lazily:
> Unfortunately, as history shows, most WordPress plugins, even popular ones, often contain security vulnerabilities.
Most of them often do?
Not so. Definitely some often do, and there are repeat offenders, and many have, but by volume most WordPress plugins are small and do pretty simple things.
> So far this year, 280 critical (CVSS score 9.0+) vulnerabilities have been found in WordPress and its plugins.
This is disingenuously phrased, to my mind: "WordPress and its plugins" suggests a single authorship and conflates WP with the plugins.
WordPress itself has had no 9+ vulnerabilities this year (or indeed since 2021).
https://www.cvedetails.com/vulnerability-list/vendor_id-2337...
(Not to mention that the post is talking about 280 9.0+ vulnerabilities in seventy thousand plugins, the long tail of which have maybe dozens of activations at most.)
> There are dozens of SQL queries in every WP plugin.
Overreach again. Sure, many (perhaps the majority) of plugins cause additional SQL queries through the posts and options APIs, but most plugins contain little to no custom SQL.
Related
Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack
A supply-chain attack compromised 36,000 websites using backdoored WordPress plugins. Malicious code added to updates creates attacker-controlled admin accounts, manipulating search results. Users urged to uninstall affected plugins and monitor for unauthorized access.
5 WordPress Plugins Compromised; Millions of Websites at Risk
Millions of WordPress sites face security risks from hacked plugins allowing unauthorized access. Owners urged to check, deactivate compromised plugins, update regularly, use strong passwords, two-factor authentication, and security plugins.
Critical Bug in Docker Engine Allowed Attackers to Bypass Authorization Plugins
A critical vulnerability in Docker Engine allows attackers to bypass authorization, risking unauthorized access to containers. Organizations are urged to apply patches and enhance security measures to mitigate these risks.
Over 1M websites are at risk of sensitive information leakage
Over one million websites face risks of sensitive data leakage due to XSS and OAuth vulnerabilities. Hotjar's JavaScript code analysis revealed exploitable weaknesses, prompting recommendations for enhanced security measures.
Auditing Atlassian Plugins, 53 0-Days Later
The blog post reveals 53 zero-day vulnerabilities in Atlassian plugins, emphasizing the need for regular audits and caution due to potential security risks like XSS, session hijacking, and unauthorized actions.