April 7

Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin


On March 3, 2020, our Threat Intelligence team discovered several vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations that lets online marketers create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or completely replace any page on a site with their own page containing malicious JavaScript, a defacement, or a redirect. Additionally, an unauthenticated attacker could upload a malicious page template which, if used by an administrator running the premium version of the plugin, would execute malicious JavaScript in that administrator's browser, potentially leading to site takeover.

We attempted to contact the plugin's author the next day, on March 4, 2020, followed up on March 12, 2020, and privately sent the full vulnerability disclosure. The plugin's author released an initial patch containing capability checks on March 15th. We followed up with them the next day, as the patched version was still vulnerable to Cross-Site Request Forgery (CSRF), and were informed that a more complete patch would be forthcoming. More than two weeks later, and more than a month after our initial contact attempt, the full patch is not yet available.

If this plugin is critical to your site's functionality, we recommend updating to at least version 0.99 immediately, as at least some of these security issues are patched in that version. Ideally, we recommend disabling and deleting this plugin until a more complete patch becomes available.

Wordfence Premium users received a new firewall rule on March 4, 2020 to protect against exploits targeting these vulnerabilities. Users still using the free version of Wordfence will receive this rule on April 3, 2020.


Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: SQUEEZE PAGE – LANDING PAGE – Responsive LANDING PAGE Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: CVE-2020-11508
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
CVSS Score: 9.1 (Critical)
Patched Version: 0.99

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and "squeeze" pages, complete with a page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX function which lacked both a capability check and a nonce check in order to save and update pages:

add_action('wp_ajax_core37_lp_save_page', 'core37_lp_save_page');

function core37_lp_save_page()
{
	$content = array();
	parse_str(file_get_contents("php://input"), $content);

	//pass the form ID to the editor
	echo Page_Supervisor::save_page($content);
	die();
}

As such, it was possible for a logged-in attacker with minimal permissions (such as a subscriber) to send a $_POST request to wp-admin/admin-ajax.php with the action parameter set to core37_lp_save_page, along with the pageContent, pageSlug, pageTitle, and pageSettings parameters describing the page to be created. This included the page title, page slug, page content, and any JavaScript the attacker wished to execute when the page loaded.

Worse yet, if a pageID parameter was sent with the ID of an existing page or post, that page or post would be completely replaced by the malicious page. This made it possible for an attacker to replace every post or page on a site, including revision backups, with their own malicious content, with no way to revert other than restoring content from a database backup.

In addition to inserting malicious JavaScript, which alone could be used to redirect visitors to malvertising sites or steal sensitive information, this vulnerability could be used to effectively turn any site running the plugin into a spam site.
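The following is an added example, not the plugin's own code: the AJAX save handler from above rewritten with the nonce, capability and per-post authorization checks it was missing. The handler name, Page_Supervisor::save_page and the pageID/pageContent parameters come from the post; the nonce action string, the 'nonce' field name and the 'core37-page-builder' script handle are assumptions.

```php
<?php
// Added example (not the plugin's code): the AJAX save handler from the
// post, rewritten with the checks it was missing. The handler name,
// Page_Supervisor::save_page and the pageID/pageContent parameters come
// from the post; the nonce action string, the 'nonce' field name and the
// 'core37-page-builder' script handle are assumptions.

// wp_ajax_ hooks are reachable by logged-in users only; there is
// deliberately no wp_ajax_nopriv_ registration for this action.
add_action('wp_ajax_core37_lp_save_page', 'core37_lp_save_page');

function core37_lp_save_page() {
    // 1. CSRF: the request must carry a nonce issued to this user for this
    //    action. check_ajax_referer() sends a 403 and dies on failure.
    check_ajax_referer('core37_lp_save_page', 'nonce');

    // 2. Capability: subscribers lack edit_pages and are rejected here.
    if (!current_user_can('edit_pages')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    $content = array();
    parse_str(file_get_contents('php://input'), $content);

    // 3. Overwriting an existing post or page requires edit rights on that
    //    specific post, not just the general capability.
    if (!empty($content['pageID'])) {
        $page_id = absint($content['pageID']);
        if (!get_post($page_id) || !current_user_can('edit_post', $page_id)) {
            wp_send_json_error('cannot edit that page', 403);
        }
        $content['pageID'] = $page_id;
    }

    // 4. Only users with unfiltered_html may save raw <script>; everyone
    //    else has the content filtered through wp_kses_post().
    if (isset($content['pageContent']) && !current_user_can('unfiltered_html')) {
        $content['pageContent'] = wp_kses_post($content['pageContent']);
    }

    echo Page_Supervisor::save_page($content);
    wp_die();
}

// The page builder script needs the nonce; hand it over with the AJAX URL.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('core37-page-builder', 'core37Ajax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('core37_lp_save_page'),
    ));
});
```

With these checks in place a subscriber's request fails at step 2, a request from a logged-in editor without a valid nonce fails at step 1, and a valid request can only overwrite posts the caller is allowed to edit.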


Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: SQUEEZE PAGE – LANDING PAGE – Responsive LANDING PAGE Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: CVE-2020-11509
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 7.1 (High)
Patched Version: 0.99

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use "template" pages, which can be imported as a starting point when creating new pages. Although this feature is not visible if the plugin does not have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action available to unprivileged visitors:

add_action('admin_post_nopriv_c37_wpl_import_template', array($this, 'c37_wpl_import_template'));

Additionally, the function called by this action lacked nonce or capability checks:

    public function c37_wpl_import_template()
    {
        if (isset($_FILES))
        {
            foreach($_FILES['files_name']['tmp_name'] as $tmpFile)
            {
                Template_Manager::importTemplateFromString(file_get_contents($tmpFile));
            }
        }

        wp_redirect($_POST['request_url'] . '&import=success');
    }

As such, it was possible for an unauthenticated attacker to upload a template by sending a $_POST request to wp-admin/admin-post.php, with the action parameter set to c37_wpl_import_template and a files_name[] parameter containing a maliciously crafted template file. If a site owner with a licensed copy of the plugin used this imported template to create a page, the malicious JavaScript would execute in their browser, potentially leading to site takeover.
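As an added example (not the plugin's code), here is the template import handler from above with the missing pieces in place: registration on the logged-in hook only, a nonce-bearing form, a capability check and validation of the uploaded files. The action and method names come from the post; the nonce action, the 'c37_import_nonce' field name and the redirect target page are assumptions.

```php
<?php
// Added example (not the plugin's code): the template import handler from
// the post with the checks it lacked. The action and method names come from
// the post; the nonce action, the 'c37_import_nonce' field name and the
// redirect target page are assumptions.
class C37_Template_Import_Example {
    public function __construct() {
        // Register the logged-in hook only: admin_post_nopriv_ is what
        // exposed the handler to anonymous visitors.
        add_action('admin_post_c37_wpl_import_template', array($this, 'c37_wpl_import_template'));
    }

    // The import form carries a nonce bound to the action it triggers.
    public function render_form() {
        echo '<form method="post" enctype="multipart/form-data" action="'
            . esc_url(admin_url('admin-post.php')) . '">';
        echo '<input type="hidden" name="action" value="c37_wpl_import_template">';
        wp_nonce_field('c37_wpl_import_template', 'c37_import_nonce');
        echo '<input type="file" name="files_name[]" multiple>';
        submit_button('Import templates');
        echo '</form>';
    }

    public function c37_wpl_import_template() {
        // CSRF: check_admin_referer() dies unless a valid nonce is present.
        check_admin_referer('c37_wpl_import_template', 'c37_import_nonce');

        // Authorization: importing templates is an administrator-level task.
        if (!current_user_can('manage_options')) {
            wp_die('Insufficient permissions', '', array('response' => 403));
        }

        if (!empty($_FILES['files_name']['tmp_name'])) {
            foreach ((array) $_FILES['files_name']['tmp_name'] as $i => $tmpFile) {
                // Skip anything PHP did not receive as a completed upload.
                if ($_FILES['files_name']['error'][$i] !== UPLOAD_ERR_OK
                    || !is_uploaded_file($tmpFile)) {
                    continue;
                }
                Template_Manager::importTemplateFromString(file_get_contents($tmpFile));
            }
        }

        // Send the user back to a fixed admin page rather than a POSTed URL.
        wp_safe_redirect(add_query_arg('import', 'success',
            admin_url('admin.php?page=c37-templates')));
        exit;
    }
}
```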


Description: Cross-Site Request Forgery (CSRF)
Affected Plugin: SQUEEZE PAGE – LANDING PAGE – Responsive LANDING PAGE Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: Pending
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
CVSS Score: 8.3 (High)
Patched Version: N/A

As mentioned earlier, none of the features in this plugin use nonce checks, so it is possible for an attacker to execute any action the plugin is capable of by tricking an administrator into clicking a specially crafted link designed to perform that action. This includes all of the features described above, including adding pages to the site, replacing page content with malicious JavaScript, and more.

What should I do?

This is an unusual situation in that the plugin has not yet been fully patched. It is still vulnerable to a CSRF attack. Additionally, firewalls (including the Wordfence Web Application Firewall) cannot protect a site against a CSRF attack, as these attacks look like valid requests to your site. If you manage a site with this plugin installed, this means that the security of your site is precariously in your hands, and in the hands of anyone with administrator rights to your site. CSRF attacks require the victim's participation, usually by clicking a crafted link in an email. If this plugin is absolutely critical to your site's functionality, we urge you to upgrade to the latest available version and exercise extreme caution when visiting any links, especially those sent to you in emails. If you are not actively using this plugin, we recommend disabling it and removing it until a more complete patch is available.

Disclosure Timeline

March 3, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities in the WP Lead Plus X plugin.
March 4, 2020 – Firewall rule released for Wordfence Premium users. Initial outreach to plugin developer.
March 12, 2020 – Follow-up with developer as no response was received. Developer confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
March 15, 2020 – Plugin developer releases initial patch including capability checks.
March 16, 2020 – Follow-up with developer as patched version is still vulnerable to CSRF. Developer replies that a fix for the CSRF issues is forthcoming.
April 3, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today's post, we detailed two stored XSS vulnerabilities in the WP Lead Plus X plugin, as well as a CSRF vulnerability. The XSS flaws have been patched in version 0.99 and we recommend that users who rely on this plugin update to the latest available version immediately. The CSRF vulnerability has not yet been patched, and we recommend that users who are able to do so deactivate and delete this plugin until a more complete patch is available.

Sites running Wordfence Premium have been protected from attacks against the XSS vulnerabilities since March 4, 2020. Sites running the free version of Wordfence received the same firewall rule update on April 3, 2020.

The post Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin appeared first on Wordfence.

About the author 

WP Maintain Support Protect
