Another day, another critical WordPress plugin vulnerability. The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, has a privilege-escalation flaw that allows WordPress site users of any level to make administrative changes to a website.
The plugin, which has over 100,000 active installs according to its webpage, adds support for Google’s mobile site acceleration tool, dubbed Google Accelerated Mobile Pages (AMP). Researchers at WebARX Security discovered that the plugin didn’t include a check to verify the account permissions of the currently logged in user. In turn, that lack of permission verification opens up admin API access to anyone with a login for a site.
API calls are carried out using the Ajax development framework, they’re essentially “hooks” used by site administrators to interact with the third-party and external functions they need to manage their site.
“In WordPress plugin development, you have the ability to register Ajax hooks which allows you to call functions directly,” the WebARX team explained, in a posting on Thursday. “The main problem with this approach is that every registered user (regardless of account role) can call Ajax hooks. If the called hook doesn’t check for account role, every user can make use of those functions.”
The AMP plugin vulnerability is specifically located in the “ampforwp_save_steps_data” Ajax hook, which is called to save settings during the use of the installation wizard. Exploiting this would allow any user to update the plugin’s settings.
Under those plugin settings, users can do a variety of things on a website, including placing ads, injecting custom HTML code, and manually uploading other WordPress plugins or malicious code like mining scripts or javascript malware.
The fix was to ensure that the plugin restricted this ability to those with admin privileges; the change was made in updated version 0.9.97.20 [download] of the plugin.
The critical issue with this particular vulnerability, according to WebARX, is that even registered users (i.e., site visitors who have signed up for loyalty accounts, accounts for forums or message boards, e-commerce accounts and so on) could make use of the flaw, making the barrier for exploitation very low for an attacker.
“Forrester estimates that 80 percent of breaches involve privilege misuse, and a good example is when applications don’t bother enforcing role-based access controls,” Andy Smith, vice president of product marketing at Centrify, told Threatpost. “That is what was uncovered in this week’s WordPress plugin vulnerability, where administrative commands did not check to verify the user’s role before execution, effectively allowing ANY user to perform administrative actions. In a world where developers are moving fast and DevOps pushes code quickly to production, it is critical that security checks get built into this automation flow and real DevSecOps processes get put in place to avoid such potentially costly mistakes.”
This is just the latest privilege-escalation flaw in a string of recent WordPress plugin issues. Earlier in the month, a similar API call issue was discovered in the popular WP GDPR Compliance plugin, which has more than 100,000 active installs. That was actively exploited in the wild before being patched. Also this month, a file delete vulnerability that affected multiple plugins, including WooCommerce, was found impacting 4 million websites; it allowed full privilege escalation and administrative account takeover on e-commerce sites before a fix was issued.
“Bad actors are always on the lookout for vulnerable third parties that serve multiple websites,” Alex Calic, strategic technology partnerships officer for the Media Trust, said via email. He added that while proper site protection includes updating and applying patches to any technologies provided by third parties. “unfortunately, most website operators remain unaware of who and how secure all their third parties are. This is their biggest source of risk because third-party code suppliers are popular targets among bad actors.”
The good news is that in the case of AMP for WP, the new, fixed version is being pushed out via automatic updates.