Web Flaws and Vulnerabilities

Redux Framework and Privilege Escalation


Redux Framework is an options framework for WordPress that lets theme and plugin developers easily create good-looking option pages and add their own features to them.

Versions before 3.5.6.8 are affected by a privilege escalation flaw. The exploit scenario is not mainstream; here are the requirements:

  • Using a theme with Redux Framework,
  • Using a plugin with Redux Framework,
  • Having a user with a role that doesn’t have the manage_options capability, but still the edit_theme_options one.

The vulnerable code is in /ReduxCore/framework.php:

    public function ajax_save() {
        // The nonce action "redux_ajax_nonce" is a fixed string: every Redux
        // instance on the site (theme or plugin) verifies against the same action,
        // so a token issued for one instance is accepted by all of them.
        if ( ! wp_verify_nonce( $_REQUEST['nonce'], "redux_ajax_nonce" ) ) {
            echo json_encode( array(
                'status' => __( 'Invalid security credential.  Please reload the page and try again.', 'redux-framework' ),
                'action' => ''
            ) );

            die();
        }
        // ... the submitted settings are saved below this check


The nonce action redux_ajax_nonce is the same for a theme and for a plugin, so the token is the same for both.

A user who can modify the theme options should not, logically, be able to modify a plugin's options.

But since the security token (nonce) is the same for each framework instance, even a user without the manage_options capability can send a request containing new settings for the plugin, because they already know the token that the plugin instance will accept.

Version 3.5.6.9 fixes this by adding the name of the option being saved to the token, so it can no longer be identical for a theme and a plugin.
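The shared-versus-scoped token behaviour described above, as an added example that is not code from this post or from Redux Framework: a small Python model of the WordPress nonce derivation (HMAC over tick, action, user id and session token), showing that a token issued for the theme instance verifies against the plugin instance only while the action string is shared. The secret, user, session and option names are constructed here, and the exact way 3.5.6.9 appends the option name is an assumption.

```python
import hashlib
import hmac

# Constructed secret standing in for the site's NONCE_KEY/NONCE_SALT (assumption).
NONCE_SECRET = b"constructed-nonce-secret"
NONCE_LIFE = 24 * 60 * 60  # WordPress default nonce lifetime, in seconds
NOW = 1_700_000_000        # fixed clock so the example is deterministic

def nonce_tick(now):
    # WordPress splits the lifetime into two ticks; a nonce is valid for 12-24 hours.
    return int(now / (NONCE_LIFE / 2) + 0.5)

def _nonce_hash(tick, action, user_id, session_token):
    msg = f"{tick}|{action}|{user_id}|{session_token}".encode()
    # wp_hash() is hash_hmac('md5', ...); the nonce is 10 characters cut from the digest.
    return hmac.new(NONCE_SECRET, msg, hashlib.md5).hexdigest()[-12:-2]

def create_nonce(action, user_id, session_token, now=NOW):
    return _nonce_hash(nonce_tick(now), action, user_id, session_token)

def verify_nonce(nonce, action, user_id, session_token, now=NOW):
    # The current tick and the previous one are both accepted, like wp_verify_nonce().
    tick = nonce_tick(now)
    return any(hmac.compare_digest(_nonce_hash(t, action, user_id, session_token), nonce)
               for t in (tick, tick - 1))

def shared_action(opt_name):
    # Before 3.5.6.9: every Redux instance verifies against the same action string.
    return "redux_ajax_nonce"

def scoped_action(opt_name):
    # 3.5.6.9 adds the option name, so theme and plugin instances get distinct tokens
    # (the concatenation format used upstream is an assumption of this example).
    return "redux_ajax_nonce_" + opt_name

def theme_nonce_accepted_by_plugin(action_for):
    # A user allowed on the theme's options page legitimately holds the theme
    # instance's nonce; this checks whether the plugin instance's ajax_save()
    # check would accept that same token.
    user_id, session = 7, "constructed-session-token"
    theme_nonce = create_nonce(action_for("my_theme_opts"), user_id, session)
    return verify_nonce(theme_nonce, action_for("my_plugin_opts"), user_id, session)
```

With `shared_action` the cross-instance check passes (the flaw); with `scoped_action` it fails, which is why a per-option action string closes the gap even though the token is still issued to a low-privilege user.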

1 comment

Genius! Thanks for finding a fix.
