The bugs allow a range of attacks on websites, including deleting blog pages and remote code execution.
A critical cross-site scripting (XSS) bug impacts WordPress sites running the Frontend File Manager plugin and allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts.
The bug is one of six critical flaws affecting versions 17.1 and 18.2 of the WordPress plugin Frontend File Manager, which is active on more than 2,000 websites. Each of the flaws, publicly disclosed Monday, has a patch available.
The bugs expose sites running the plugin to a broad range of attacks, up to and including remote code execution, giving adversaries the ability to change or delete posts, set up a spam relay, escalate privileges and carry out stored cross-site scripting (XSS) attacks, according to researchers from the Ninja Technologies Network.
The plugin is designed to let users upload files to a website. Each file is saved in a private directory, so each user can manage their own files after logging in.
The XSS bug allows unauthenticated content injection, researchers said.
The unauthenticated “wpfm_edit_file_title_desc” AJAX action loads a function of the same name that is used when someone edits a post on the site. However, it fails to verify that users are editing their own posts, and it lacks a security nonce. As a result, an unauthenticated user can change the content and title of every page and post on the blog.
“In addition, if the post type is wpfm-files, it is possible to inject JavaScript code in the post title because the plugin relies only on the WordPress esc_attr function to sanitize the $_REQUEST['file_title'] variable, which will be echoed outside HTML attributes in the backend section,” researchers added. “The JavaScript code will be executed when an admin user visits the plugin’s settings pages.”
Therefore, an unauthenticated user could inject JavaScript code in order to create an administrator user account.
Meanwhile, a privilege escalation issue stems from the “wpfm_get_current_user” function in the “nmedia-user-file-uploader/inc/helpers.php” script, which is used to retrieve a user ID, according to a Monday posting.
“It retrieves the user ID from the WordPress get_current_user_id function if the user is authenticated, or from the plugin’s wpfm_guest_user_id option if the user is not logged-in,” researchers explained. “However, the user, authenticated or not, can assign any ID to the $_GET['file_owner'] variable in order to override $current_user_id (line 318), which could lead to privilege escalation.”
Another issue allows an authenticated user to modify the plugin’s settings.
“The ‘wpfm_save_settings’ function from the ‘nmedia-user-file-uploader/inc/admin.php’ script is loaded by the wpfm_save_settings AJAX action (authenticated),” researchers explained. “It is used to save the plugin’s settings. There’s no capability check or security nonce.”
An attacker can therefore exploit it by adding PHP to the list of allowed file types.
“Using the ‘wpfm_upload_file’ AJAX action, the attacker could then upload a PHP script that would be saved and accessible as ‘http://example.com/wp-content/uploads/user_uploads/<username>/<file>.php,’ which would lead to remote code execution,” according to the analysis.
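The settings and upload flaws described above come down to two missing controls: a capability check (plus nonce) on the settings handler, and an upload check that does not depend on the settings alone. The following is an added illustration of how a plugin could implement both; it is not the plugin's own code, and the hook, option and parameter names (wpfm_secure_save_settings, wpfm_secure_settings, allowed_types, wpfm_upload_is_permitted, wpfm_secure_current_user) are assumed for the example. It also shows an owner-resolution helper in the spirit of the wpfm_get_current_user function discussed earlier, but one that never reads the owner ID from the request.

```php
<?php
// Added illustration, not the plugin's code. Names of hooks, options and
// parameters below are assumed for the example.

// Extensions that must never land in a web-served upload directory, whatever
// the stored settings say. Enforced independently of the allowlist so that a
// tampered option cannot unlock them.
const WPFM_EXEC_EXTENSIONS = array(
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'shtml', 'cgi', 'pl', 'htaccess',
);

add_action( 'wp_ajax_wpfm_secure_save_settings', 'wpfm_secure_save_settings' );

function wpfm_secure_save_settings() {
    check_ajax_referer( 'wpfm_settings', 'security' );   // CSRF: nonce must match
    if ( ! current_user_can( 'manage_options' ) ) {       // authorization: admins only
        wp_send_json_error( 'forbidden', 403 );
    }

    $raw   = (array) ( $_POST['allowed_types'] ?? array() );
    $types = array();
    foreach ( $raw as $ext ) {
        // sanitize_key() lowercases and keeps only [a-z0-9_-].
        $ext = sanitize_key( wp_unslash( $ext ) );
        if ( '' === $ext || in_array( $ext, WPFM_EXEC_EXTENSIONS, true ) ) {
            continue;   // drop empty and executable entries rather than storing them
        }
        $types[] = $ext;
    }
    $types = array_values( array_unique( $types ) );
    update_option( 'wpfm_secure_settings', array( 'allowed_types' => $types ) );
    wp_send_json_success( $types );
}

// Upload-side check: consult the allowlist, but apply the executable denylist
// to every dotted segment so names like "shell.php.jpg" are refused too, then
// let WordPress confirm the extension maps to a registered MIME type.
function wpfm_upload_is_permitted( string $filename ): bool {
    $opts    = get_option( 'wpfm_secure_settings', array( 'allowed_types' => array( 'pdf', 'png', 'jpg' ) ) );
    $allowed = (array) ( $opts['allowed_types'] ?? array() );
    $lower   = strtolower( $filename );

    foreach ( explode( '.', $lower ) as $segment ) {
        if ( in_array( $segment, WPFM_EXEC_EXTENSIONS, true ) ) {
            return false;
        }
    }
    $ext = pathinfo( $lower, PATHINFO_EXTENSION );
    if ( '' === $ext || ! in_array( $ext, $allowed, true ) ) {
        return false;
    }
    $check = wp_check_filetype( $lower, get_allowed_mime_types() );
    return ! empty( $check['ext'] ) && ! empty( $check['type'] );
}

// Owner resolution that never trusts a request-supplied ID: the identity is
// the session's, and anonymous uploads map to one fixed low-privilege account.
function wpfm_secure_current_user(): int {
    if ( is_user_logged_in() ) {
        return get_current_user_id();
    }
    return absint( get_option( 'wpfm_guest_user_id', 0 ) );
}
```

The denylist is a backstop, not the primary defence: the upload directory should also be served with script execution disabled at the web-server level, so that even a file that slips past the check is returned as static content.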
A fourth issue allows an unauthenticated attacker to delete every page and post on the blog.
“The unauthenticated ‘wpfm_delete_file’ AJAX action (unauthenticated) loads the ‘wpfm_delete_file’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers said. “It takes an ID, $_REQUEST['file_id'], and deletes the corresponding post (line 708).”
The problem is that the plugin doesn’t verify that the user is allowed to delete the corresponding post, and it lacks a security nonce.
“There’s only a call to the unsafe ‘wpfm_get_current_user’ function but the result, ‘$curent_user,’ is not even checked in the code,” according to Ninja Technologies Network.
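Both the edit action described earlier (missing ownership check and nonce, output escaped for the wrong context) and the delete action described just above (ownership never checked) need the same gate: verify the nonce, take the identity from the session, load the post and confirm the caller owns it. The following is an added illustration of that pattern, not the plugin's own code; the hook names (wpfm_secure_edit_file, wpfm_secure_delete_file), the nonce action strings and the parameter names are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. Hook names, nonce actions and
// parameter names are assumed.

// Neither action is registered on wp_ajax_nopriv_: both require a login.
add_action( 'wp_ajax_wpfm_secure_edit_file',   'wpfm_secure_edit_file' );
add_action( 'wp_ajax_wpfm_secure_delete_file', 'wpfm_secure_delete_file' );

/**
 * Shared gate: verify the nonce, take the identity from the session (never
 * from a request parameter), load the post and confirm the caller owns it or
 * holds the matching capability. Terminates the request on any failure.
 */
function wpfm_secure_load_owned_file( string $nonce_action, string $cap ): WP_Post {
    check_ajax_referer( $nonce_action, 'security' );          // CSRF
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $file_id = absint( $_POST['file_id'] ?? 0 );
    $post    = get_post( $file_id );
    if ( ! $post || 'wpfm-files' !== $post->post_type ) {
        wp_send_json_error( 'no such file', 404 );           // not one of the plugin's files
    }
    if ( (int) $post->post_author !== $user_id && ! current_user_can( $cap, $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );               // not the caller's file
    }
    return $post;
}

function wpfm_secure_edit_file() {
    $post  = wpfm_secure_load_owned_file( 'wpfm_edit_file', 'edit_post' );
    // Sanitize on input: tags are stripped from the title and description.
    $title = sanitize_text_field( wp_unslash( $_POST['file_title'] ?? '' ) );
    $desc  = sanitize_textarea_field( wp_unslash( $_POST['file_desc'] ?? '' ) );
    if ( '' === $title ) {
        wp_send_json_error( 'title required', 400 );
    }
    $result = wp_update_post( array(
        'ID'           => $post->ID,
        'post_title'   => $title,
        'post_content' => $desc,
    ), true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post->ID ) );
}

function wpfm_secure_delete_file() {
    $post = wpfm_secure_load_owned_file( 'wpfm_delete_file', 'delete_post' );
    if ( ! wp_delete_post( $post->ID, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'id' => $post->ID ) );
}

/**
 * Escape at output, with the escaper that matches the HTML context. One
 * sanitization on input is not a substitute: every place the value is later
 * echoed, including the plugin's own settings pages, must escape it for the
 * context it is echoed into.
 */
function wpfm_render_file_row( WP_Post $file ) {
    printf(
        '<tr data-file-id="%s"><td>%s</td></tr>',
        esc_attr( $file->ID ),          // value inside a quoted attribute
        esc_html( $file->post_title )   // text between tags
    );
}
```

Because wp_send_json_error() ends the request, the handlers can rely on the gate returning only when every check has passed; there is no "result not even checked" path of the kind the advisory describes.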
Attackers can also change any post's metadata, which could lead, for instance, to arbitrary file download, the firm said.
“The ‘wpfm_file_meta_update’ AJAX action (unauthenticated) loads the ‘wpfm_file_meta_update’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers explained. “It is used to modify post meta data. There’s no capability check or nonce, and the data is not validated or sanitized.”
Attackers can exploit the hole to alter post metadata by assigning “wpfm_dir_path” to “$meta_key” and “wp-config.php” to “$meta_value”, and then download the “wp-config.php” script instead of the uploaded file, according to the analysis.
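The metadata flaw has two parts: the client chooses both the key and the value, and a path-like value is later used to locate the file to serve. The following added illustration, not the plugin's code, shows the defensive shape: an allowlist of client-settable keys, each with its own validator, and a download resolver that treats the stored name as a basename and confines it to the owner's directory. The names (wpfm_secure_meta_update, wpfm_secure_meta_validators, wpfm_secure_download_path, the meta keys) are assumed for the example; the directory layout follows the wp-content/uploads/user_uploads/<username>/ path quoted in the article.

```php
<?php
// Added illustration, not the plugin's code. Hook, function and meta-key
// names are assumed.

add_action( 'wp_ajax_wpfm_secure_meta_update', 'wpfm_secure_meta_update' );

// Allowlist of meta keys a client may set, each paired with a validator.
// The storage location is deliberately absent: it is never client-settable.
function wpfm_secure_meta_validators(): array {
    return array(
        'wpfm_file_desc' => 'sanitize_textarea_field',
        'wpfm_file_tags' => 'wpfm_validate_tag_list',
    );
}

function wpfm_validate_tag_list( $value ): array {
    $tags = array_filter( array_map( 'sanitize_text_field', (array) $value ) );
    return array_slice( array_values( $tags ), 0, 20 );
}

function wpfm_secure_meta_update() {
    check_ajax_referer( 'wpfm_meta', 'security' );
    $user_id = get_current_user_id();
    $file_id = absint( $_POST['file_id'] ?? 0 );
    $post    = get_post( $file_id );
    if ( ! $user_id || ! $post || 'wpfm-files' !== $post->post_type ) {
        wp_send_json_error( 'no such file', 404 );
    }
    if ( (int) $post->post_author !== $user_id && ! current_user_can( 'edit_post', $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key        = sanitize_key( $_POST['meta_key'] ?? '' );
    $validators = wpfm_secure_meta_validators();
    if ( ! isset( $validators[ $key ] ) ) {
        wp_send_json_error( 'unknown meta key', 400 );   // anything off the list is rejected
    }
    $value = call_user_func( $validators[ $key ], wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_post_meta( $file_id, $key, $value );
    wp_send_json_success();
}

/**
 * Resolve the file to serve from the owner's own directory only. The stored
 * name is reduced to a basename and the resolved path is checked against the
 * directory root, so a value like "../../wp-config.php" can never be served.
 * Returns null when the file is missing or outside the directory.
 */
function wpfm_secure_download_path( WP_Post $file ): ?string {
    $login = get_the_author_meta( 'user_login', $file->post_author );
    $base  = trailingslashit( wp_upload_dir()['basedir'] ) . 'user_uploads/'
           . sanitize_file_name( $login ) . '/';
    $name  = sanitize_file_name( basename( (string) get_post_meta( $file->ID, 'wpfm_stored_name', true ) ) );

    $root = realpath( $base );
    $real = realpath( $base . $name );
    if ( '' === $name || false === $root || false === $real
         || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $real;
}
```

realpath() is what makes the confinement check meaningful: it resolves symlinks and dot segments before the prefix comparison, so the comparison is against the path the filesystem will actually open.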
The last issue allows an unauthenticated user to use the blog as a spam relay.
The bug stems from the “wpfm_send_file_in_email” function in the “nmedia-user-file-uploader/inc/callback-functions.php” script, which allows a user to send an email.
“Because it is sent in HTML format and it isn’t sanitized, it is possible to inject HTML code (text formatting, CSS, images etc.) in order to fully customize the email,” according to the post. “Additionally, even if ‘$_REQUEST['file_id']’ is empty or invalid, the message will be sent anyway.”
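The relay problem has three ingredients: anyone can call the action, the body is attacker-controlled HTML, and mail goes out even when the referenced file does not exist. The following added illustration, not the plugin's code, shows a notification sender that refuses all three: login and nonce required, the file must exist and belong to the sender, the body is reduced to a small HTML allowlist with a fixed subject and link, and a per-user transient caps the send rate. The names (wpfm_secure_send_file_in_email, wpfm_secure_mail_allowed_html, the request parameters, the limit of ten messages per hour) are assumed for the example.

```php
<?php
// Added illustration, not the plugin's code. Hook, function and parameter
// names, and the rate limit, are assumed.

add_action( 'wp_ajax_wpfm_secure_send_file_in_email', 'wpfm_secure_send_file_in_email' );
// Not hooked on wp_ajax_nopriv_: anonymous visitors cannot trigger mail at all.

// The only HTML a sender may include in the note; everything else is stripped.
function wpfm_secure_mail_allowed_html(): array {
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
    );
}

function wpfm_secure_send_file_in_email() {
    check_ajax_referer( 'wpfm_mail', 'security' );
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // The file must exist, be a plugin file and belong to the sender. An empty
    // or invalid file_id is a hard stop, not a reason to send anyway.
    $file_id = absint( $_POST['file_id'] ?? 0 );
    $post    = get_post( $file_id );
    if ( ! $post || 'wpfm-files' !== $post->post_type || (int) $post->post_author !== $user_id ) {
        wp_send_json_error( 'no such file', 404 );
    }

    // Recipient must be a single well-formed address.
    $to = sanitize_email( wp_unslash( $_POST['recipient'] ?? '' ) );
    if ( ! is_email( $to ) ) {
        wp_send_json_error( 'bad recipient', 400 );
    }

    // Per-user rate limit (assumed: 10 per hour) so one account cannot bulk-mail.
    $key  = 'wpfm_mail_' . $user_id;
    $sent = (int) get_transient( $key );
    if ( $sent >= 10 ) {
        wp_send_json_error( 'rate limited', 429 );
    }
    set_transient( $key, $sent + 1, HOUR_IN_SECONDS );

    // Subject and link are fixed by the server; the sender only supplies a
    // note, truncated first and then reduced to the allowlist (wp_kses repairs
    // any tag the truncation cut in half).
    $subject = sprintf( '[%s] A file was shared with you', wp_specialchars_decode( get_bloginfo( 'name' ) ) );
    $note    = wp_kses( mb_substr( wp_unslash( $_POST['message'] ?? '' ), 0, 2000 ), wpfm_secure_mail_allowed_html() );
    $body    = '<p>' . esc_html( wp_get_current_user()->display_name ) . ' shared "'
             . esc_html( $post->post_title ) . '" with you.</p>'
             . $note
             . '<p><a href="' . esc_url( get_permalink( $file_id ) ) . '">Open the file</a></p>';

    $ok = wp_mail( $to, $subject, $body, array( 'Content-Type: text/html; charset=UTF-8' ) );
    if ( ! $ok ) {
        wp_send_json_error( 'mail failed', 500 );
    }
    wp_send_json_success();
}
```

Keeping the subject, the sender line and the link server-generated is what removes most of the relay value: a recipient sees the site's name and a link back to the site, not whatever content the caller chose to put in front of it.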
To protect themselves from attacks, users should upgrade to version 18.3 or above, which was released on June 26.
WordPress plugins continue to offer exploitable bugs for attackers looking to compromise websites.
In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
In February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
And in March, The Plus Addons for Elementor plugin for WordPress was discovered to contain a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said that it was being actively attacked in the wild.