Report

Another one? Yes, on Friday, July 14, 2023, Rafie Muhammad made a vulnerability public, which was reported to the developer about two weeks earlier and patched within a few days. The vulnerability is similar to the thermometer in my workroom and ranks nearly on the top with a CVSS 3.1 score of 9.8. 🥵

Vulnerability

The close relationship to my first blog post, written a week earlier, is exciting. This is also a simple exploitable unauthenticated privilege escalation. No checks are carried out on the role transmitted by the user.

The user registration endpoint is even activated, even if the user registration is deactivated in the widget list of the plugin (probably just the widget and not the functionality - makes sense, right? 🤔).

It hasn’t been that easy for a long time. Just POST to the wp-admin/admin-ajax.php endpoint without a nonce or anything else and adding a reg_role with your favorite WordPress user role.

Fix

The fix was released on July 05, 2023 with the version 2.2.1. Thank you very much for the quick update. On the one hand, it is now prevented that the role can be used as user input during registration, on the other hand, sanitizing of the text fields has been introduced (to prevent further attacks like XSS, SQL Injection, …).

The patch can be found here.

Conclusion

Again, over 100,000 WordPress installations are at high risk of being hacked. The only remedy is a combination of updating security updates quickly (auto updates), using a security plugin and relying on a good webhoster. But even this combination does not prevent a hack for sure. Stay safe and update quickly.

Note

My intention is not to give the hackers a PoC as quickly as possible, but to give other security researchers and companies the opportunity to get more details. My information is always based on already published information from responsible disclosures. If you want to talk about it and have a better idea, then contact me s3cur1ty@pascalchristen.ch!