WordPress Plugin Has Unpatched Privilege Escalation Flaw, Warn Researchers


Researchers are warning of flaws in two WordPress plugins – Slick Popup and WP Database Backup – including one that remains unpatched.

A WordPress plugin, Slick Popup, has a serious privilege escalation flaw – and it has yet to be patched.

Slick Popup, which has 7,000 active installs, provides a tool for displaying Contact Form 7 as a popup on WordPress websites. However, researchers with Wordfence said that they found a privilege escalation flaw in all versions of the plugin up to and including 1.7.1.

“Per our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public,” researchers said in a Tuesday post. “Unfortunately, the deadline has passed without a satisfactory patch by the plugin’s developers.”

Om Ak Solutions, the developers behind Slick Popup (and several other plugins, including Contact Form 7 Spam Blocker, Floating Icons and more), have removed the plugin from the WordPress plugin repository while dealing with a fix. The developers did not respond to a request for comment from Threatpost on when specifically a patch would be released.

The flaw stems from two issues in a feature of the plugin that is meant to grant support access to its developers with one click on the dashboard.

First, researchers said that the credentials of the administrative support account are hardcoded – so a “user” account can simply be created with the username “slickpopupteam” and password “OmakPass13#”.

“Since this is a known value in all cases, it’s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user,” researchers said. “Once logged in, they’re free to create other backdoors independent of this user.”

Second, the feature that adds the support user does not check that the user invoking it is an administrator – so anyone with an account on the site, even one with mere “subscriber” access, can create the support account and potentially log in as an admin.
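The two issues described above are a general bug class in WordPress plugins: a privileged action reachable without a capability check, combined with a secret that is the same on every install. The following PHP is an added illustration written for this article; it is not Slick Popup’s code, and the hook names, the option name and the `support_user_example` username are assumptions. The first handler mirrors the vulnerable pattern; the second shows the checks WordPress itself provides.

```php
<?php
// Added illustration, not the plugin's code. Hook names, option names and the
// support username are assumptions chosen for this example.

// --- Vulnerable pattern: fixed password, no capability check, no nonce --------
function insecure_create_support_user() {
    // Any logged-in user, including a subscriber, can reach an admin-post hook,
    // and the password is identical on every site that installs the plugin.
    if ( ! username_exists( 'support_user_example' ) ) {
        $user_id = wp_create_user( 'support_user_example', 'STATIC-PASSWORD-PLACEHOLDER' );
        wp_update_user( array( 'ID' => $user_id, 'role' => 'administrator' ) );
    }
    wp_safe_redirect( admin_url() );
    exit;
}
add_action( 'admin_post_insecure_create_support_user', 'insecure_create_support_user' );

// --- Hardened pattern ----------------------------------------------------------
function secure_create_support_user() {
    // 1. Only users allowed to create and promote accounts may run this.
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_die( 'Insufficient privileges.', 403 );
    }
    // 2. Bind the request to a nonce so it cannot be triggered cross-site.
    check_admin_referer( 'secure_create_support_user' );

    $username = 'support_user_example';
    if ( username_exists( $username ) ) {
        wp_die( 'Support user already exists.', 409 );
    }
    // 3. A per-site random password instead of a value shared by every install.
    $password = wp_generate_password( 32, true, true );
    $user_id  = wp_create_user( $username, $password );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ), 500 );
    }
    wp_update_user( array( 'ID' => $user_id, 'role' => 'administrator' ) );

    // 4. Record who created the account and when, so it can be audited and removed.
    update_option( 'example_support_user_created', array(
        'user_id'    => $user_id,
        'created_by' => get_current_user_id(),
        'created_at' => time(),
    ) );
    // The password is shown once to the administrator who requested it; it is never stored.
    wp_die( 'Temporary support password: ' . esc_html( $password ) );
}
add_action( 'admin_post_secure_create_support_user', 'secure_create_support_user' );
```

The capability check is the fix for the second issue (any authenticated user reaching the handler); generating the password per site with `wp_generate_password()` removes the first (a credential known in advance to anyone who reads the plugin). Site owners can also look for the telltale of this class of flaw with the same primitives: an unexpected administrator account whose creation is not tied to any admin’s action.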

The flaw was disclosed to the developer April 22, and on April 27, the developer acknowledged the issue and said a patch would be released. However, by the public disclosure deadline, a patch had not yet been released.

Luckily, “Because of the relatively small userbase of the plugin, and the authentication necessary to exploit it, we do not anticipate widespread attack campaigns leveraging this vulnerability,” researchers said.

In a separate advisory, Wordfence researchers on Tuesday warned that WordPress plugin WP Database Backup also has a vulnerability – only this flaw has been patched.

WP Database Backup, which has been installed more than 70,000 times, is a WordPress plugin allowing users to create and restore database backups for their websites. However, researchers said in a Tuesday post that an “unnamed security researcher” had published a proof of concept exploit for an unpatched flaw in the plugin.

“The vulnerability, which was irresponsibly disclosed to the public before attempting to notify the plugin’s developers, was reported as a plugin configuration change flaw,” said researchers with Wordfence on Tuesday. “A proof of concept (PoC) exploit was provided which allowed unauthenticated attackers to modify the destination email address for database backups, potentially putting sensitive information in their hands.”

The flaw was originally disclosed April 24, and a patch was released on April 30.

Researchers said that they immediately notified the plugin’s developer of the issue, and the flaws have been patched as of version 5.2 of WP Database Backup.

The flaw stems from the plugin’s internal settings. In unpatched versions of WP Database Backup, an attacker is able to inject operating system commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run.
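The persistence described above follows from where the injected value lives: a stored setting that is read and passed to a shell every time the backup runs. The PHP below is an added illustration written for this article, not WP Database Backup’s code; the option name `example_backup_settings`, its `dir` key and the function names are assumptions. It contrasts a routine that concatenates a setting into a shell command with one that validates the setting on save and escapes every runtime value.

```php
<?php
// Added illustration, not the plugin's code. Option name, settings keys and
// function names are assumptions chosen for this example.

// --- Vulnerable pattern: a stored setting is concatenated into the shell string -
function insecure_run_backup() {
    $opts = get_option( 'example_backup_settings', array() );
    // If 'dir' ever contains shell metacharacters, whatever follows them is
    // executed by the shell on this run and on every later scheduled run.
    $cmd = 'mysqldump -u ' . DB_USER . ' -p' . DB_PASSWORD . ' ' . DB_NAME
         . ' > ' . WP_CONTENT_DIR . '/' . $opts['dir'] . '/db.sql';
    exec( $cmd );
}

// --- Hardened pattern -----------------------------------------------------------
// Validate on save: accept only a simple relative directory name.
function example_sanitize_backup_settings( $input ) {
    $dir = isset( $input['dir'] ) ? (string) $input['dir'] : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $dir ) ) {
        $dir = 'backups';
    }
    return array( 'dir' => $dir );
}
add_action( 'admin_init', function () {
    register_setting( 'example_backup', 'example_backup_settings', array(
        'sanitize_callback' => 'example_sanitize_backup_settings',
    ) );
} );

// Callers (an admin-post handler guarded by current_user_can('manage_options'),
// or the plugin's WP-Cron hook) invoke this; it re-validates what it reads.
function secure_run_backup() {
    $opts = example_sanitize_backup_settings( get_option( 'example_backup_settings', array() ) );
    $dir  = wp_normalize_path( WP_CONTENT_DIR . '/' . $opts['dir'] );
    if ( ! wp_mkdir_p( $dir ) ) {
        return new WP_Error( 'mkdir', 'Cannot create backup directory.' );
    }
    $target = $dir . '/db-' . gmdate( 'Ymd-His' ) . '.sql';

    // Credentials go through a 0600 defaults file rather than the command line,
    // where they would be visible to other local processes via ps.
    $defaults = tempnam( sys_get_temp_dir(), 'mybk' );
    chmod( $defaults, 0600 );
    file_put_contents(
        $defaults,
        "[client]\nuser=\"" . addcslashes( DB_USER, "\"\\" ) . "\"\n"
        . "password=\"" . addcslashes( DB_PASSWORD, "\"\\" ) . "\"\n"
    );

    // Every runtime value is wrapped in escapeshellarg(), so a setting can only
    // ever be a single argument, never a second command.
    $cmd = 'mysqldump --defaults-extra-file=' . escapeshellarg( $defaults )
         . ' ' . escapeshellarg( DB_NAME ) . ' > ' . escapeshellarg( $target );
    exec( $cmd, $output, $status );
    unlink( $defaults );

    return 0 === $status ? $target : new WP_Error( 'dump', 'mysqldump exited with status ' . $status );
}
```

Two layers matter here: the allowlist regex rejects an injected value at the moment it is saved, and `escapeshellarg()` guarantees that even a value which slipped past validation is treated as one argument rather than executed. A site auditing an unpatched install should inspect the plugin’s stored options for shell metacharacters, since the advisory notes that an injected command persists until it is manually removed.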

“In today’s post, we detailed a previously undisclosed OS command injection flaw present in the WP Database Backup plugin,” researchers said. “This flaw has been patched as of version 5.2 and we recommend affected users ensure they’ve updated to the latest available version.”

Plugin flaws continue to plague WordPress websites. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog.

Other recent vulnerabilities have been found in WordPress plugins including Social Warfare, Yellow Pencil Visual Theme Customizer and Yuzo Related Posts.

More recently, security researchers warned owners of Joomla and WordPress websites of a malicious redirect script that is pushing visitors to malicious websites.

Want to know more about Identity Management and navigating the shift beyond passwords? Don’t miss our Threatpost webinar on May 29 at 2 p.m. ET. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow.
