Headline
CVE-2020-36729: WordPress 2J SlideShow plugin fixed authenticated arbitrary plugin deactivation vulnerability.
The 2J-SlideShow Plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'twoj_slideshow_setup' function called via the wp_ajax_twoj_slideshow_setup AJAX action in versions up to, and including, 1.3.31. This makes it possible for authenticated attackers (Subscriber-level access or above) to perform otherwise restricted actions and subsequently deactivate any plugins on the blog.
The WordPress 2J SlideShow plugin (3,000+ active installations) fixed a vulnerability affecting version 1.3.31 and below that could allow an authenticated user to deactivate any plugins on the blog.
Authenticated Plugin Deactivation
In the “2j-slideshow/inc/addons/setup/setup.class.php” script, the plugin loads the twoj_slideshow_setup function via the WordPress AJAX API:
    add_action( 'wp_ajax_twoj_slideshow_setup', array( $this, 'twoj_slideshow_setup' ) );
    …
    …
    public function twoj_slideshow_setup() {
        // User input reaches deactivate_plugins() with no capability check.
        if ( isset( $_POST['plugin'] ) )
            deactivate_plugins( $_POST['plugin'] );
        …
        …

It takes the $_POST['plugin'] user input and passes it to the WordPress deactivate_plugins function without checking the user's capabilities, hence allowing an authenticated user such as a subscriber to deactivate any plugins on the blog.
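The capability check that the handler above lacks, written as a stand-alone must-use plugin that runs on the same AJAX hook before the plugin's own callback. This is an added example, not 2J SlideShow's code or its vendor fix; the function name, the constant and the choice of the `activate_plugins` capability are assumptions.

```php
<?php
/**
 * Plugin Name: Guard twoj_slideshow_setup (added example)
 * Constructed for illustration; not 2J SlideShow's code or its vendor fix.
 * Placed in wp-content/mu-plugins/ it loads before regular plugins.
 */

// Assumption: only users allowed to manage plugins should reach this action.
// 'activate_plugins' is the core capability WordPress uses for plugin
// activation and deactivation.
const TWOJ_GUARD_CAPABILITY = 'activate_plugins';

/**
 * Hooked on the same action as the vulnerable handler, at priority 0,
 * so it runs before the plugin's callback (default priority 10).
 */
function twoj_guard_setup_action() {
    if ( current_user_can( TWOJ_GUARD_CAPABILITY ) ) {
        return; // Authorised: let the plugin's own handler run.
    }

    // Log the refused request so it can be reviewed later.
    $plugin = ( isset( $_POST['plugin'] ) && is_string( $_POST['plugin'] ) )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '-';
    error_log( sprintf(
        'twoj_slideshow_setup refused: user_id=%d plugin=%s',
        get_current_user_id(),
        $plugin
    ) );

    // wp_send_json_error() sends the response and ends the request, so the
    // later callback that calls deactivate_plugins() is never reached.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}
add_action( 'wp_ajax_twoj_slideshow_setup', 'twoj_guard_setup_action', 0 );
```

The refused attempts land in the PHP error log, which gives a record of any Subscriber-level account probing the action while the update is pending.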
Timeline
The vulnerability was reported to the wordpress.org team on December 09, 2019.
Recommendations
Update as soon as possible if you have version 1.3.31 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet