WordPress Flaws and Vulnerabilities

WP Rollback, a Too Permissive Plugin

Blog WordPress Flaws and Vulnerabilities WP Rollback, a Too Permissive Plugin
0 comments

In date of 26th june 2015, i doscovered the plugin WP Rollback. This plugin allow you to install an older version of one of your plugins from the official repository.

Since i wanted to use this plugin, i had to check its security. Remember that if i don’t do that, then i have to remember that installing a plugin is like include a PHP script from someone i don’t know, without looking at the code, impossible for mi.

XSS

I quickly fond a XSS that allows me to display any content with no filter from a simple URL, easy to include any remote malicious javascript file et asking an admin to click.

<?php $args = wp_parse_args( $_GET, $defaults ); ?>
<?php echo apply_filters( 'wpr_rollback_description', sprintf( __( 'Please select which %1$s version you would like to rollback to from the releases listed below. You currently have version %2$s installed of %3$s.', 'wpr' ), '<span class="type">' . ( $theme_rollback == true ? 'theme' : 'plugin' ) . '</span>', '<span class="current-version">' . $args['current_version'] . '</span>', '<span class="rollback-name">' . $args['rollback_name'] . '</span>' ) ); ?>
XSS : Vulnerable Code

No argument have been sanitized or escaped, it displays the whole content from the $_GET param passed in the URL bar.

This XSS vulnerability had a DREAD of 4.4/10, critical.

CSRF

Then comes for me the idea od testing if i can force an admin to update a plugin in 1.0. And yes, badly it works because there is no security tokens (nonces) on the plugin install link.

Worse, we can even force the installation of any plugin from the repository.

$url     = 'index.php?page=wp-rollback&plugin_file=' . $args['plugin_file'] . 'action=upgrade-plugin';php
CSRF : Vulnerable Code

This CSRF vulnerability had a DREAD of 4.4/10, critical.

Mea culpa

Plugin developpers managed this very quickly and a patch is already out. You have to download the 1.2.3 minimum to avoid this flaws.

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.

This might interest you too

0 comments