Redux Framework and Privilege Escalation

Redux Framework is a code structure script that allows you to easily create good looking option pages and adding its own features.

Versions before 3.5.6.8 are victims of a privilege escalation flaw, the scénario for the exploit is not mainstream, here comes the requirement:

• Using a theme with Redux Framework,
• Using a plugin with Redux Framework,
• Having a user with a role that doesn’t have the manage_options capability, but still the edit_theme_options one.

The vulnerable code is in /ReduxCore/framework.php:

            public function ajax_save() {
                if ( ! wp_verify_nonce( $_REQUEST['nonce'], "redux_ajax_nonce" ) ) {
                    echo json_encode( array(
                        'status' => __( 'Invalid security credential.  Please reload the page and try again.', 'redux-framework' ),
                        'action' => ''
                    ) );
                    
                    die();
                }
// ...

The action redux_ajax_nonce is the same for a theme and a plugin, the token will be the same.

The user that can modify the theme option can not, logically, modify a plugin’s options.

But since the security token (nonce) is the same for each framework instance, even a user without the manage_options capability can send a request containing the new plugin’s settings, because he knows its security token.

The version 3.5.6.9 fix this token by adding the name of the option to save (it can not be identical for a theme and a plugin).

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.