March 26

Vulnerabilities Patched in IMPress for IDX Broker


On February 28, 2020, the Wordfence Threat Intelligence team became aware of a recently patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with more than 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application Firewall’s built-in XSS protection, we investigated the plugin further and found another stored XSS vulnerability. We also found a flaw that could allow an authenticated attacker with low, subscriber-level permissions to permanently delete any page or post on the site, as well as create pages with arbitrary titles.

We initially reached out to the plugin’s vendor the same day, February 28, 2020, but received no response over an extended period of time. On March 19, 2020, after notifying the WordPress plugin team, we received a reply from the plugin’s developer, at which time we sent the full disclosure details. A fully patched version was released on March 23, 2020, and we recommend updating to the latest version, 2.6.2, immediately.

Wordfence Premium customers received a new firewall rule on March 2, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users will receive this rule on April 1, 2020.


The IMPress for IDX Broker plugin includes a captcha feature to prevent spam submissions. Because it uses Google’s reCAPTCHA service, it requires an API key. Unfortunately, the AJAX action the plugin registered to update this API key did not perform capability checks or nonce checks.

This made it possible for a logged-in attacker with low permissions, such as a subscriber, to send a request to wp-admin/admin-ajax.php with the action parameter set to idx_update_recaptcha_key and the idx_recaptcha_site_key parameter set to malicious JavaScript, which would then be executed in an administrator’s browser the next time they visited the plugin’s settings panel.

As with most attacks that take advantage of stored XSS in admin areas, this could be used to leverage the administrator’s session in order to create a new, malicious administrative user.

The AJAX action:

add_action( 'wp_ajax_idx_update_recaptcha_key', array( $this, 'idx_update_recaptcha_key' ) );

The vulnerable function:

	public function idx_update_recaptcha_key() {
		// No nonce check and no capability check: any logged-in user reaches this point.
		if ( $_POST['idx_recaptcha_site_key'] ) {
			// The raw POST value is stored unsanitized and later rendered in the settings panel.
			update_option( 'idx_recaptcha_site_key', $_POST['idx_recaptcha_site_key'], false );
			echo 1;
		} else {
			delete_option( 'idx_recaptcha_site_key' );
			echo 'error';
		}
		die();
	}

Description: Authenticated Post Creation, Modification, and Deletion
Affected Plugin: IMPress for IDX Broker
Plugin Slug: idx-broker-platinum
Affected Versions: <= 2.6.1
CVE ID: CVE-2020-9514
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Fully Patched Version: 2.6.2

One of the features included with the IDX Broker plugin is the ability to create and delete “dynamic pages,” intended to ensure that any IDX pages match the site’s design and branding.

The plugin registers two AJAX actions that are used to do this:

add_action( 'wp_ajax_create_dynamic_page', array( $this, 'idx_ajax_create_dynamic_page' ) );
add_action( 'wp_ajax_delete_dynamic_page', array( $this, 'idx_ajax_delete_dynamic_page' ) );

Once again, neither of the functions called by these AJAX actions used capability checks or nonce checks. As such, it was possible for an authenticated attacker with low, subscriber-level permissions to send a request to wp-admin/admin-ajax.php with the action parameter set to create_dynamic_page and the post_title parameter set to any arbitrary value. In return, a new dynamic page with that title would be created.

If a wrapper_page_id parameter was included and set to the ID of an existing post or page, that post or page would be replaced with a blank wrapper page:

	public function idx_ajax_create_dynamic_page() {

		// default page content
		$post_content = $this->does_theme_include_idx_tag();

		// Title comes straight from the request with no sanitization.
		$post_title = $_POST['post_title'] ? $_POST['post_title'] : 'Properties';
		$new_post   = array(
			'post_name'    => $post_title,
			'post_title'   => $post_title,
			'post_content' => $post_content,
			'post_type'    => 'idx-wrapper',
			'post_status'  => 'publish',
		);
		// Any post ID supplied here is overwritten; there is no check that it is a wrapper page.
		if ( $_POST['wrapper_page_id'] ) {
			$new_post['ID'] = $_POST['wrapper_page_id'];
		}
		$wrapper_page_id = wp_insert_post( $new_post );
		update_option( 'idx_broker_dynamic_wrapper_page_name', $post_title, false );
		update_option( 'idx_broker_dynamic_wrapper_page_id', $wrapper_page_id, false );
		$wrapper_page_url = get_permalink( $wrapper_page_id );
		$this->idx_api->set_wrapper( 'global', $wrapper_page_url );
		update_post_meta( $wrapper_page_id, 'idx-wrapper-page', 'global' );

		die(
			json_encode(
				array(
					'wrapper_page_id'   => $wrapper_page_id,
					'wrapper_page_name' => $post_title,
				)
			)
		);
	}

Additionally, if the attacker set the action parameter to delete_dynamic_page and sent a wrapper_page_id parameter with the ID of an existing post or page, that post or page would be permanently deleted:

	public function idx_ajax_delete_dynamic_page() {
		// Again no nonce or capability check, and no check that the ID belongs to a wrapper page.
		if ( $_POST['wrapper_page_id'] ) {
			wp_delete_post( $_POST['wrapper_page_id'], true ); // force-deletes, bypassing the trash
			wp_trash_post( $_POST['wrapper_page_id'] );
		}
		die();
	}
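As an added example (not the plugin’s own 2.6.2 patch and not code from the original post), the following shows how the reCAPTCHA key handler and the two dynamic page handlers above can be hardened with the checks they lacked: a nonce check, a capability check, input sanitization, and a restriction of wrapper_page_id to the plugin’s own idx-wrapper posts. The nonce action name 'idx_settings_nonce' is assumed, the original create handler’s option and wrapper bookkeeping is omitted, and the functions would be registered with add_action exactly as in the original.

```php
<?php
// Added example, not the plugin's own patch: hardened versions of the three
// AJAX handlers above. The nonce action 'idx_settings_nonce' is an assumption.
// Shared gate: check_ajax_referer() dies on a bad or missing nonce, and a
// caller without manage_options is rejected before any state changes.
function idx_example_authorize() {
	check_ajax_referer( 'idx_settings_nonce', '_wpnonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient permissions', 403 );
	}
}
function idx_example_update_recaptcha_key() {
	idx_example_authorize();
	// Strip tags so the stored key cannot carry script into the settings page;
	// the settings template must still escape the value when rendering it.
	$key = isset( $_POST['idx_recaptcha_site_key'] )
		? sanitize_text_field( wp_unslash( $_POST['idx_recaptcha_site_key'] ) ) : '';
	if ( '' === $key ) {
		delete_option( 'idx_recaptcha_site_key' );
		wp_send_json_error( 'error' );
	}
	update_option( 'idx_recaptcha_site_key', $key, false );
	wp_send_json_success( 1 );
}
// Resolve wrapper_page_id to an existing idx-wrapper post, or 0, so that
// arbitrary posts and pages can no longer be overwritten or deleted.
function idx_example_wrapper_id_from_request() {
	$id = absint( isset( $_POST['wrapper_page_id'] ) ? $_POST['wrapper_page_id'] : 0 );
	return ( $id && 'idx-wrapper' === get_post_type( $id ) ) ? $id : 0;
}
function idx_example_create_dynamic_page() {
	idx_example_authorize();
	$post_title = ! empty( $_POST['post_title'] )
		? sanitize_text_field( wp_unslash( $_POST['post_title'] ) ) : 'Properties';
	$new_post = array( 'post_title' => $post_title, 'post_type' => 'idx-wrapper', 'post_status' => 'publish' );
	$id       = idx_example_wrapper_id_from_request();
	if ( $id ) {
		$new_post['ID'] = $id; // overwrite only a wrapper page the plugin created
	}
	wp_send_json_success( array( 'wrapper_page_id' => wp_insert_post( $new_post ) ) );
}
function idx_example_delete_dynamic_page() {
	idx_example_authorize();
	$id = idx_example_wrapper_id_from_request();
	if ( $id ) {
		wp_delete_post( $id, true );
	}
	wp_send_json_success();
}
```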

Disclosure Timeline

February 28, 2020 – Our Threat Intelligence team discovers and analyzes vulnerabilities in the IMPress for IDX Broker plugin while reviewing a recently patched vulnerability. We attempt to contact the plugin vendor.
March 2, 2020 – Firewall rule released for Wordfence Premium users.
March 19, 2020 – After following up with the WordPress.org plugin team, the plugin vendor confirms the correct mailbox, and we provide them with full disclosure.
March 23, 2020 – Fully patched version becomes available.
April 1, 2020 – Firewall rule becomes available to Wordfence free users.

Conclusion

In today’s post, we detailed several vulnerabilities, including stored XSS and post creation, modification, and deletion, in the IMPress for IDX Broker plugin. These flaws have been patched in version 2.6.2, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since March 2, 2020. Sites running the free version of Wordfence received the firewall rule update on April 1, 2020.

The post Vulnerabilities Patched in IMPress for IDX Broker appeared first on Wordfence.
