The bug is one of six critical flaws impacting the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites. Each of the flaws, publicly disclosed Monday, has an available patch.
The bugs expose sites running the plugin to a broad range of attacks, including remote code execution, changing or deleting posts, setting up a spam relay, privilege escalation and stored cross-site scripting (XSS), according to researchers from the Ninja Technologies Network.
The WordPress plugin is designed to allow users to upload files to a website. Each file is saved in a private directory, so each user can manage their own files after logging in.
The XSS bug allows unauthenticated content injection, researchers said.
The unauthenticated “wpfm_edit_file_title_desc” AJAX action loads a function (“wpfm_edit_file_title_desc”) that’s used when someone edits a website post. However, it fails to verify that users are editing their own postings, and it lacks a security nonce. Thus, an unauthenticated user can change the content and title of every page and post on the blog.
Meanwhile, a privilege escalation issue stems from the “wpfm_get_current_user” function, which is used to retrieve a user ID from the “nmedia-user-file-uploader/inc/helpers.php” script, according to a Monday posting.
“It retrieves the user ID from the WordPress get_current_user_id function if the user is authenticated, or from the plugin’s wpfm_guest_user_id option if the user is not logged-in,” researchers explained. “However, the user, authenticated or not, can assign any ID to the $_GET[‘file_owner’] variable in order to override $current_user_id L318, which could lead to privilege escalation.”
Another issue allows an authenticated user to modify the plugin’s settings.
“The ‘wpfm_save_settings’ function from the ‘nmedia-user-file-uploader/inc/admin.php’ script is loaded by the wpfm_save_settings AJAX action (authenticated),” researchers explained. “It is used to save the plugin’s settings. There’s no capability check or security nonce.”
So, an attacker can exploit it by adding PHP to the list of allowed filetypes.
“Using the ‘wpfm_upload_file’ AJAX action, the attacker could then upload a PHP script that would be saved and accessible as ‘http://example.com/wp-content/uploads/user_uploads/<username>/<file>.php,’ which would lead to remote code execution,” according to the analysis.
A fourth issue allows an unauthenticated attacker to delete every page and post on the blog.
“The unauthenticated ‘wpfm_delete_file’ AJAX action (unauthenticated) loads the ‘wpfm_delete_file’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers said. “It takes an ID, $_REQUEST[‘file_id’], and deletes the corresponding post L708.”
The problem is that the plugin doesn’t verify that the user is allowed to delete the corresponding post, and it lacks a security nonce.
“There’s only a call to the unsafe ‘wpfm_get_current_user’ function but the result, ‘$curent_user,’ is not even checked in the code,” according to Ninja Technologies Network.
Attackers can also change any post meta data, which could lead for instance to arbitrary file download, the firm said.
“The ‘wpfm_file_meta_update’ AJAX action (unauthenticated) loads the ‘wpfm_file_meta_update’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers explained. “It is used to modify post meta data. There’s no capability check or nonce, and the data is not validated or sanitized.”
Attackers can exploit the hole to alter post meta data by assigning “wpfm_dir_path” to “$meta_key” and “wp-config.php” to “$meta_value,” and then download the “wp-config.php” script instead of the uploaded file, according to the analysis.
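The settings, delete-file and meta-update bugs above share one root cause: AJAX handlers registered for unauthenticated users with no nonce and no capability or ownership check. The following is an added illustration of what those checks look like in a WordPress AJAX handler; it is not the plugin's code or its patch, and the option name, meta key names and nonce action names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. The handlers are registered
// with wp_ajax_ only (no wp_ajax_nopriv_), so logged-out requests never reach them.

add_action( 'wp_ajax_wpfm_save_settings', 'hardened_wpfm_save_settings' );
function hardened_wpfm_save_settings() {
    // Nonce first: ties the request to a form the site itself rendered (CSRF defense).
    check_ajax_referer( 'wpfm_settings', 'nonce' );
    // Capability check: only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Allowlist the file types; php can never be added, even by an admin form.
    $safe_types = array( 'jpg', 'png', 'pdf', 'txt' ); // assumed defaults
    $requested  = array_map( 'sanitize_key', (array) ( $_POST['allowed_types'] ?? array() ) );
    update_option( 'wpfm_allowed_types', array_values( array_intersect( $requested, $safe_types ) ) );
    wp_send_json_success();
}

add_action( 'wp_ajax_wpfm_delete_file', 'hardened_wpfm_delete_file' );
function hardened_wpfm_delete_file() {
    check_ajax_referer( 'wpfm_file_action', 'nonce' );
    $file_id = absint( $_REQUEST['file_id'] ?? 0 );
    // Ownership check: 'delete_post' is a meta capability WordPress resolves
    // against the post's author (or editors), so a user can only delete their own upload.
    if ( ! $file_id || ! current_user_can( 'delete_post', $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_delete_post( $file_id, true );
    wp_send_json_success();
}

add_action( 'wp_ajax_wpfm_file_meta_update', 'hardened_wpfm_file_meta_update' );
function hardened_wpfm_file_meta_update() {
    check_ajax_referer( 'wpfm_file_action', 'nonce' );
    $file_id  = absint( $_REQUEST['file_id'] ?? 0 );
    $meta_key = sanitize_key( $_REQUEST['meta_key'] ?? '' );
    // Allowlist of editable keys; wpfm_dir_path is deliberately excluded so the
    // download path can never be pointed at wp-config.php.
    $editable = array( 'wpfm_file_title', 'wpfm_file_desc' ); // assumed key names
    if ( ! $file_id || ! in_array( $meta_key, $editable, true )
         || ! current_user_can( 'edit_post', $file_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $value = sanitize_text_field( wp_unslash( $_REQUEST['meta_value'] ?? '' ) );
    update_post_meta( $file_id, $meta_key, $value );
    wp_send_json_success();
}
```

The same pattern applies to the user-ID lookup described earlier: the owner must come from get_current_user_id(), never from a request parameter such as $_GET['file_owner'].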
The last issue allows an unauthenticated user to use the blog as a spam relay.
The bug stems from the “wpfm_send_file_in_email” function in the “nmedia-user-file-uploader/inc/callback-functions.php” script, which allows a user to send an email.
“Because it is sent in HTML format and it isn’t sanitized, it is possible to inject HTML code (text formatting, CSS, images etc.) in order to fully customize the email,” according to the post. “Additionally, even if ‘$_REQUEST[‘file_id’]’ is empty or invalid, the message will be sent anyway.”
To protect themselves from attacks, users should upgrade to version 18.3 or above, which was released on June 26.
WordPress plugins continue to offer exploitable bugs for attackers looking to compromise websites.
In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability that could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
In February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
And in March, The Plus Addons for Elementor plugin for WordPress was discovered to contain a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said that it was being actively attacked in the wild.