Security vulnerabilities in the WordPress core engine aren’t unheard of, but they are uncommon. Most issues affecting the integrity of sites running on the content management system are introduced by third-party plugins, and they put those sites at risk for a host of attacks.
Today WordPress was upgraded to version 4.3.1, which patches three vulnerabilities. Two of them were reported by researchers at Check Point Software Technologies and conclude a months-long effort to find flaws in the platform.
The most serious of the patched vulnerabilities involves a WordPress-specific feature called shortcodes. Shortcodes are HTML tags that were introduced in version 2.5 as a simple way to embed macros in code, saving developers the hassle of re-writing HTML. WordPress supports a host of shortcodes by default, such as [vimeo], which allows automatic and dynamic embedding of a Vimeo video file onto a WordPress site.
Check Point head of vulnerability research Shahar Tal said Check Point reported a trio of vulnerabilities to WordPress security engineers a few months back, and that it has taken time to patch all of the bugs, primarily because of potential compatibility issues with a number of third-party plugins that could have been broken by the patch.
Through the shortcodes vulnerability addressed in today’s update, an attacker could abuse how the platform processes shortcodes and inject arbitrary JavaScript that would execute when a WordPress page renders. Such cross-site scripting attacks are nothing new when it comes to the security of web-based applications, and they have been the launching pad for a number of attacks, criminal and state-sponsored alike.
“This is really what water-hole attacks are all about,” Tal said. “This is what APTs use and what nation-state attackers are after.”
In addition to the cross-site scripting vulnerability, Tal and colleague Netanel Rubin, who spent months researching vulnerabilities in the platform, also discovered a vulnerability that allowed users without proper permissions to publish posts and make them sticky on a site. In the span of a few months, Rubin progressed from initially finding vulnerabilities that affected only subscriber-level users on WordPress all the way to remote SQL injection and cross-site scripting attacks against flaws in the core engine.
“A lot of plugins and third party add-ons are typically written by a couple of programmers or developers at small companies. They don’t get the [security] and code quality reviews that WordPress core does,” Tal said, explaining why it’s difficult to gain execution against the core engine of the platform. “Netanel made it clear that WordPress had one of the most secure pieces of code he has read yet was still able to poke some holes in it. We hope developers can take a lesson from this, and understand the technique and what went wrong.”
Check Point today published a report on its findings, detailing how its researchers were able to bypass protections meant to stop attackers from stripping away the whitelisting that rejects tags and attributes that are not approved.
“We were able to open a tag and insert something into the shortcode attributes,” Tal said. “[WordPress] didn’t think of everything when they added the feature, which is very rich and error prone.”
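To illustrate the class of bug described above, and the shortcode expansion explained earlier, here is an added toy example (not WordPress code, not Check Point’s findings, and not the exact 4.3.1 flaw): a minimal tag whitelist and shortcode expander, with a video handler that pastes an attribute value into HTML unescaped beside a hardened one that escapes it. The `player.example` URL, the handler names and the sample post are constructed for the demonstration.

```python
import html
import re

# Constructed toy model of two mechanisms the article names: an HTML whitelist
# (the role WordPress's kses filter plays) and shortcode expansion at render time.
# Not WordPress code and not the exact 4.3.1 bug; it shows why a shortcode
# handler must escape attribute values it writes into HTML.

ALLOWED_TAGS = {"p", "b", "i", "a"}  # toy whitelist; iframe is deliberately absent

TAG_RE = re.compile(r"<(/?)([A-Za-z0-9]+)[^>]*>")
SHORTCODE_RE = re.compile(r"""\[(\w+)((?:\s+\w+=(?:"[^"]*"|'[^']*'))*)\s*\]""")
ATTR_RE = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)')""")


def whitelist_html(content):
    """Keep only whitelisted tags; the toy strips all attributes from kept tags."""
    def keep(m):
        slash, name = m.group(1), m.group(2).lower()
        return f"<{slash}{name}>" if name in ALLOWED_TAGS else ""
    return TAG_RE.sub(keep, content)


def parse_attrs(raw):
    """Shortcode attributes may be double- or single-quoted, as in WordPress."""
    return {k: dq if dq else sq for k, dq, sq in ATTR_RE.findall(raw)}


def video_unsafe(attrs):
    # Vulnerable handler: the attribute value lands in HTML unescaped.
    return f'<iframe src="https://player.example/{attrs.get("id", "")}"></iframe>'


def video_safe(attrs):
    # Hardened handler: escape for attribute context (what esc_attr does in WordPress).
    vid = html.escape(attrs.get("id", ""), quote=True)
    return f'<iframe src="https://player.example/{vid}"></iframe>'


def expand_shortcodes(content, handlers):
    def sub(m):
        handler = handlers.get(m.group(1))
        return handler(parse_attrs(m.group(2))) if handler else m.group(0)
    return SHORTCODE_RE.sub(sub, content)


def render_post(content, handlers):
    # Whitelist runs on the stored content; shortcodes expand afterwards at render
    # time, so whatever a handler emits is never re-checked by the whitelist.
    return expand_shortcodes(whitelist_html(content), handlers)


# Constructed sample post: a double quote smuggled inside a single-quoted attribute.
SAMPLE = """<p>[video id='abc" data-injected="1']</p><script>x()</script>"""


def demo():
    return (render_post(SAMPLE, {"video": video_unsafe}),
            render_post(SAMPLE, {"video": video_safe}))
```

The unsafe path emits an extra `data-injected` attribute the whitelist never saw, while the safe path encodes the quote so the value stays inside `src`.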
Tal said WordPress engineers went through the code base looking for similar issues in other areas as well.