January 24

Missing Authorization Check In wpCentral Plugin Leads To Multiple Vulnerabilities


wpCentral Plugin

The wpCentral plugin, which has 50,000+ active users, allows you to manage your sites on a single panel. It gives you the power to log in to any website, install/delete/activate plugins, upload files and much more.

In versions 1.4.7 and below of this plugin, there’s a vulnerability that allows anyone who is logged in, with any user role, to escalate their privileges, alter or upload any file, adjust any plugin, and interact with the site in many other ways.

In wpcentral.php, we can see the lines of code below which register the AJAX actions.

if(is_user_logged_in()){
	add_action('wp_ajax_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_my_wpc_signon', 'my_wpc_signon');
	add_action('wp_ajax_my_wpc_fetch_authkey', 'wpc_fetch_authkey');
}else{
	add_action('wp_ajax_nopriv_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');
}

However, this only checks whether the user is logged in, not whether the user is an administrator. Both the my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request.

That requirement does not help, because we can retrieve the authentication key by calling the wpc_fetch_authkey AJAX action. This action does not require the authentication key in the request, since its purpose is to return the authentication key in the response.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The action my_wpc_signon would sign us in as an administrator (userid 1 in the database) as shown below.

function my_wpc_signon(){
    global $l, $error;
	
	//Authorize
	wpc_authorize();
	
	$user_info = get_userdata(1);
		
	// Automatic login //
	$username = $user_info->user_login;
	$user = get_user_by('login', $username );
	
	// Redirect URL //
	if (!is_wp_error($user)){
		wp_clear_auth_cookie();
		wp_set_current_user($user->ID);
		wp_set_auth_cookie($user->ID);

		$redirect_to = user_admin_url();
		wp_safe_redirect($redirect_to);

		exit();
	}
}

The AJAX action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.

After reaching out to wpCentral, they released a fixed version within 6 hours. The patch can be found here, which shows that they added a current_user_can('administrator') check to the AJAX hooks.
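The pattern behind the fix, as an added example that is not taken from wpCentral's patch: the handler that discloses the key checks the caller's privilege itself, and the key comparison fails closed. Hook names come from the post; the handler names, nonce action, `auth_key` parameter and `example_panel_authkey` option are hypothetical, and `manage_options` is used as the administrator-level capability.

```php
<?php
// Added example, not wpCentral's code. Hook names come from the post; the handler
// names, nonce action, request parameter and option name are hypothetical.

// wp_ajax_{action} fires for every logged-in user, subscribers included,
// so the privilege check belongs inside the handler.
add_action('wp_ajax_my_wpc_fetch_authkey', 'example_fetch_authkey');

function example_fetch_authkey() {
    // Capability held by administrators on a default single-site install.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403); // sends JSON and exits
    }
    // Reject cross-site requests: the admin page must send
    // wp_create_nonce('example_fetch_authkey') as the "nonce" field.
    check_ajax_referer('example_fetch_authkey', 'nonce');

    wp_send_json_success(array('authkey' => get_option('example_panel_authkey')));
}

// Key check for the handlers the remote panel calls (stand-in for wpc_authorize()).
function example_authorize() {
    $stored = (string) get_option('example_panel_authkey', '');
    $sent   = (isset($_REQUEST['auth_key']) && is_string($_REQUEST['auth_key']))
        ? wp_unslash($_REQUEST['auth_key'])
        : '';
    // Fail closed on an unset key; hash_equals() compares in constant time.
    if ($stored === '' || !hash_equals($stored, $sent)) {
        wp_send_json_error(array('message' => 'Invalid key'), 403);
    }
}
```

With the capability check in place, a subscriber-level account calling the key-fetch action receives a 403 and never sees the key that the other two actions depend on.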

Timeline

24-01-2020 – Reported the vulnerability to the developer of the plugin.
24-01-2020 – Released the patch to all WebARX customers.
25-01-2020 – wpCentral released version 1.4.8 which fixes the issue.


We are closely monitoring the vulnerability and will update the article over time with potential IOCs and important threat information.


The post Missing Authorization Check In wpCentral Plugin Leads To Multiple Vulnerabilities appeared first on WebARX.
