On 26 June 2015 I discovered the WP Rollback plugin. It lets you install an older version of one of your plugins from the official repository.
Since I wanted to use this plugin, I had to check its security first. Installing a plugin without reading its code is like including a PHP script from someone I don't know, and that is something I cannot accept.
XSS
I quickly found an XSS that lets anyone display arbitrary, unfiltered content from a simple URL: a crafted link that loads a remote malicious JavaScript file is enough, provided an admin can be convinced to click it.
XSS : Vulnerable Code
```php
<?php
// Every key/value from the query string lands in $args, unfiltered.
$args = wp_parse_args( $_GET, $defaults );
?>
<?php
// current_version and rollback_name come straight from $_GET and are
// concatenated into HTML without escaping.
echo apply_filters(
    'wpr_rollback_description',
    sprintf(
        __( 'Please select which %1$s version you would like to rollback to from the releases listed below. You currently have version %2$s installed of %3$s.', 'wpr' ),
        '<span class="type">' . ( $theme_rollback == true ? 'theme' : 'plugin' ) . '</span>',
        '<span class="current-version">' . $args['current_version'] . '</span>',
        '<span class="rollback-name">' . $args['rollback_name'] . '</span>'
    )
);
?>
```
No argument is sanitized or escaped: the page echoes the raw content of the $_GET parameters passed in the URL bar.
This XSS vulnerability has a DREAD score of 4.4/10, critical.
CSRF
Then I had the idea of testing whether I could force an admin to "update" a plugin to version 1.0. Unfortunately it works, because there is no security token (nonce) on the plugin install link.
Worse, we can even force the installation of any plugin from the repository.
CSRF : Vulnerable Code
```php
// The upgrade link is built directly from the request, with no nonce attached,
// so any page an admin visits can point them at it.
$url = 'index.php?page=wp-rollback&plugin_file=' . $args['plugin_file'] . 'action=upgrade-plugin';
```
This CSRF vulnerability has a DREAD score of 4.4/10, critical.
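A hardened counterpart to the two snippets above (the unescaped $_GET output and the un-nonced upgrade link), written here as an added example and not the plugin's actual patch. It assumes a WordPress admin-page context where $defaults and $theme_rollback exist as in the original, and the nonce action name 'upgrade-plugin_<plugin_file>' and the function name are this example's own choices.

```php
<?php
// Added example (not the WP Rollback patch): the same two patterns with
// WordPress escaping and nonce checks applied. Assumes an admin-page context
// where $defaults and $theme_rollback exist as in the original code.

// 1. XSS fix: sanitize the query-string values on input and escape them on
//    output, so injected markup is rendered as literal text.
$args            = wp_parse_args( $_GET, $defaults );
$current_version = sanitize_text_field( wp_unslash( $args['current_version'] ) );
$rollback_name   = sanitize_text_field( wp_unslash( $args['rollback_name'] ) );
$type            = ! empty( $theme_rollback ) ? 'theme' : 'plugin';

echo sprintf(
    esc_html__( 'Please select which %1$s version you would like to rollback to from the releases listed below. You currently have version %2$s installed of %3$s.', 'wpr' ),
    '<span class="type">' . esc_html( $type ) . '</span>',
    '<span class="current-version">' . esc_html( $current_version ) . '</span>',
    '<span class="rollback-name">' . esc_html( $rollback_name ) . '</span>'
);

// 2. CSRF fix: build the upgrade link with add_query_arg() and attach a nonce
//    bound to the specific plugin file (action name is this example's choice).
$plugin_file = sanitize_text_field( wp_unslash( $args['plugin_file'] ) );
$url         = wp_nonce_url(
    add_query_arg(
        array(
            'page'        => 'wp-rollback',
            'plugin_file' => $plugin_file,
            'action'      => 'upgrade-plugin',
        ),
        admin_url( 'index.php' )
    ),
    'upgrade-plugin_' . $plugin_file
);
echo '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Rollback', 'wpr' ) . '</a>';

// 3. On the receiving side, refuse the request unless the caller may update
//    plugins AND the nonce matches; check_admin_referer() dies otherwise.
//    Returns the verified plugin file the caller may then act on.
function wpr_example_verified_plugin_file() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( esc_html__( 'You are not allowed to update plugins.', 'wpr' ) );
    }
    $plugin_file = isset( $_GET['plugin_file'] )
        ? sanitize_text_field( wp_unslash( $_GET['plugin_file'] ) )
        : '';
    check_admin_referer( 'upgrade-plugin_' . $plugin_file );
    return $plugin_file;
}
```

Because the nonce is tied to both the logged-in user and the plugin file, a link forged on another site cannot carry a valid token, and a request with a bad or missing nonce stops at check_admin_referer() before any install code runs.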
Mea culpa
The plugin developers handled this very quickly and a patch is already out. You need version 1.2.3 at minimum to avoid these flaws.