Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, opens the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid’s sister plug-in, Team Showcase, which has 6,000 installations.
The issues are a cross-site scripting (XSS) flaw as well as a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rating 7.5 out of 10 on the CvSS vulnerability rating scale.
Post Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization’s team members. Both allowed the import of custom layouts, and used nearly identical – and vulnerable – functions for doing so, according to Ram Gall, researcher with Wordfence.
The XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it and create a new page layout based on its contents.
“The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,” explained Gall, in a posting on Monday. “This would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.”
The upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator’s session information – all of which are paths to complete takeover of a site.
Triggering an exploit is also somewhat trivial.
“In both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,” Gall explained.
The second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.
To trigger the flaw, “an attacker could craft a string that would be unserialized into an active PHP object,” Gall explained. “Although neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object injection could be used by an attacker.”
Both vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges – but there’s a loophole.
“However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,” Gall added.
The plugins’ developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.
These are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.
Earlier in August, a plugin that is designed to add quizzes and surveys to WordPress websites patched two critical vulnerabilities. The flaws could be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites. Also in August, Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a pair of vulnerabilities that could lead to code-execution and even site takeover.
And, researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gave unauthenticated attackers the ability to upload arbitrary files (including PHP files) and ultimately execute remote code on vulnerable website servers.
On October 14 at 2 PM ET Get the latest information on the rising threats to retail e-commerce security and how to stop them. Register today for this FREE Threatpost webinar, “Retail Security: Magecart and the Rise of e-Commerce Threats.” Magecart and other threat actors are riding the rising wave of online retail usage and racking up big numbers of consumer victims. Find out how websites can avoid becoming the next compromise as we go into the holiday season. Join us Wednesday, Oct. 14, 2-3 PM ET for this LIVE webinar.