A critical cross-site scripting (XSS) bug impacts WordPress sites running the Frontend File Manager plugin and allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts.
The bug is one of six critical flaws impacting the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites. Each of the flaws, publicly disclosed Monday, have available patches.
The bugs open sites running the plugin to a broad range of remote code execution attacks giving adversaries the ability to change or delete posts, set up a spam relay, achieve privilege escalation, carry out stored cross-site scripting (XSS) attacks, according to researchers from the Ninja Technologies Network.
The WordPress plugin is designed to allow users to upload files to a website admin. Each file is saved in a private directory, so each user can manage their own files after login.
Stored XSS
The XSS bug allows unauthenticated content injection, researchers said.
The unauthenticated “wpfm_edit_file_title_desc” AJAX action loads a function (“wpfm_edit_file_title_desc”) that’s used when someone edits a website post. However, it fails to verify that users are editing their own postings, and lacks a security nonce. Thus – an unauthenticated user can change the content and title of every page and post on the blog.
“In addition, if the post type is wpfm-files, it is possible to inject JavaScript code in the post title because the plugin relies only on the WordPress esc_attr function to sanitize the $_REQUEST[‘file_title’] variable, which will be echoed outside HTML attributes in the backend section,” researchers added. “The JavaScript code will be executed when an admin user visits the plugin’s settings pages.”
Therefore, an unauthenticated user could inject JavaScript code in order to create an administrator user account.
Privilege Escalation
Meanwhile, a privilege escalation issue stems from the “wpfm_get_current_user” function, which is used to retrieve a user ID from the “nmedia-user-file-uploader/inc/helpers.php” script, according to a Monday posting.
“It retrieves the user ID from the WordPress get_current_user_id function if the user is authenticated, or from the plugin’s wpfm_guest_user_id option if the user is not logged-in,” researchers explained. “However, the user, authenticated or not, can assign any ID to the $_GET[‘file_owner’] variable in order to override $current_user_id L318, which could lead to privilege escalation.”
Authenticated Settings Change and Arbitrary File Upload
Another issue allows an authenticated user to modify the plugin’s settings.
“The ‘wpfm_save_settings’ function from the ‘nmedia-user-file-uploader/inc/admin.php’ script is loaded by the wpfm_save_settings AJAX action (authenticated),” researchers explained. “It is used to save the plugin’s settings. There’s no capability check or security nonce.”
So, an attacker can exploit it by adding PHP to the list of allowed filetypes.
“Using the ‘wpfm_upload_file’ AJAX action, the attacker could then upload a PHP script that would be saved and accessible as ‘http://example.com/wp-content/uploads/user_uploads/<username>/<file>.php,’ which would lead to remote code execution,” according to the analysis.
Unauthenticated Arbitrary Post Deletion
A fourth issue allows an unauthenticated attacker to delete every page and post on the blog.
“The unauthenticated ‘wpfm_delete_file’ AJAX action (unauthenticated) loads the ‘wpfm_delete_file’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers said. “It takes an ID, $_REQUEST[‘file_id’], and deletes the corresponding post L708.”
The problem is that the plugin doesn’t verify that the user is allowed to delete the corresponding post, and it lacks a security nonce.
“There’s only a call to the unsafe ‘wpfm_get_current_user’ function but the result, ‘$curent_user,’ is not even checked in the code,” according to Ninja Technologies Network.
Unauthenticated Post Meta Change and Arbitrary File Download
Attackers can also change any post meta data, which could lead for instance to arbitrary file download, the firm said.
“The .wpfm_file_meta_update’ AJAX action (unauthenticated) loads the ‘wpfm_file_meta_update’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers explained. “It is used to modify post meta data. There’s no capability check or nonce, and the data is not validated or sanitized.”
Attackers can exploit the hole to alter post meta data by assigning “wpfm_dir_path” to “$meta_key” and “wp-config.php” to “$meta_value” and then download the “w5p-config.php” script instead of the uploaded file, according to the analysis
Unauthenticated HTML Injection
The last issue allows an unauthenticated user to use blog as a spam relay.
The bug stems from the “wpfm_send_file_in_email” function in the “nmedia-user-file-uploader/inc/callback-functions.php” script, which allows a user to send an email
“Because it is sent in HTML format and it isn’t sanitized, it is possible to inject HTML code (text formatting, CSS, images etc.) in order to fully customize the email,” according to the post. “Additionally, even if ‘$_REQUEST[‘file_id’]’ is empty or invalid, the message will be sent anyway.
WordPress Plugin Woes
To protect themselves from attacks, users should upgrade to version 18.3 or above, which was released on June 26.
WordPress plugins continue to offer exploitable bugs for attackers looking to compromise websites.
In January, researchers warned of two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox that could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.
Also that month, a plugin called PopUp Builder, used by WordPress websites for building pop-up ads for newsletter subscriptions, was found to have a vulnerability could be exploited by attackers to send out newsletters with custom content, or to delete or import newsletter subscribers.
In February, an unpatched, stored cross-site scripting (XSS) security bug was found to potentially affect 50,000 Contact Form 7 Style plugin users.
And in March, The Plus Addons for Elementor plugin for WordPress was discovered to contain a critical security vulnerability that attackers can exploit to quickly, easily and remotely take over a website. First reported as a zero-day bug, researchers said that it was being actively attacked in the wild.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.