CVE-2021-39317: High Severity Vulnerability Patched in Access Demo Importer Plugin

A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the /demo-functions.php file or /welcome.php file of the affected products. The complete list of affected products and their versions is below:

WordPress Plugin:
AccessPress Demo Importer <= 1.0.6

WordPress Themes:
accesspress-basic <= 3.2.1
accesspress-lite <= 2.92
accesspress-mag <= 2.6.5
accesspress-parallax <= 4.5
accesspress-root <= 2.5
accesspress-store <= 2.4.9
agency-lite <= 1.1.6
arrival <= 1.4.2
bingle <= 1.0.4
bloger <= 1.2.6
brovy <= 1.3
construction-lite <= 1.2.5
doko <= 1.0.27
edict-lite <= 1.1.4
eightlaw-lite <= 2.1.5
eightmedi-lite <= 2.1.8
eight-sec <= 1.1.4
eightstore-lite <= 1.2.5
enlighten <= 1.3.5
fotography <= 2.4.0
opstore <= 1.4.3
parallaxsome <= 1.3.6
punte <= 1.1.2
revolve <= 1.3.1
ripple <= 1.2.0
sakala <= 1.0.4
scrollme <= 2.1.0
storevilla <= 1.4.1
swing-lite <= 1.1.9
the100 <= 1.1.2
the-launcher <= 1.3.2
the-monday <= 1.4.1
ultra-seven <= 1.2.8
uncode-lite <= 1.3.3
vmag <= 1.2.7
vmagazine-lite <= 1.3.5
vmagazine-news <= 1.0.5
wpparallax <= 2.0.6
wp-store <= 1.1.9
zigcy-baby <= 1.0.6
zigcy-cosmetics <= 1.0.5
zigcy-lite <= 2.0.9

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On August 9, 2021, the Wordfence Threat Intelligence team attempted to initiate the responsible disclosure process for a vulnerability that we discovered in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.

We initially attempted to reach out to the plugin vendor on August 9, 2021 and made a few additional attempts to get in contact with the vendor over the next few weeks. As the vendor failed to respond after 2 weeks despite multiple contact attempts, we escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version of the plugin was released on September 21, 2021.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021. As per our responsible disclosure policy, we are now fully disclosing the vulnerability details because enough time has elapsed since the fix was released.

If you have not already done so, we strongly recommend updating to the latest version of the plugin available, 1.0.7, as soon as possible to ensure your site is not vulnerable to this security issue.

Description: Authenticated Arbitrary File Upload
Affected Plugin: Access Demo Importer
Plugin Slug: access-demo-importer
Affected Versions: <= 1.0.6
CVE ID: CVE-2021-39317
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 1.0.7

Access Demo Importer is a plugin designed to import demo content for themes developed by AccessPress Themes. The importer functionality will import everything from content and photos, to plugins required to optimize a site’s functionality. One feature the plugin integrated was the ability to install plugins that are hosted outside of the WordPress.org repository during an import. Unfortunately, this functionality was insecurely implemented, making it possible for authenticated users to upload arbitrary files.

The plugin registers the wp_ajax_plugin_offline_installer AJAX action, which is tied to the plugin_offline_installer_callback function. This function takes the supplied file_location, which could be any external URL to a ZIP file, along with the other specifying parameters like slug, class_name, and file, and then retrieves the file’s contents and extracts the ZIP file to the plugins directory.

    // Vulnerable callback (versions <= 1.0.6), reproduced as on the page.
    // Note the absence of any check_ajax_referer() or current_user_can() call:
    // any logged-in user who can reach admin-ajax.php can invoke it.
    public function plugin_offline_installer_callback() {
        $plugin = array();

        // All inputs come straight from the POST body; sanitize_text_field()
        // does not restrict where the ZIP comes from or what it contains.
        $file_location = $plugin['location'] = isset( $_POST['file_location'] ) ? sanitize_text_field( wp_unslash( $_POST['file_location'] ) ) : '';
        $file          = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
        $host_type     = isset( $_POST['host_type'] ) ? sanitize_text_field( wp_unslash( $_POST['host_type'] ) ) : '';
        $plugin_class  = $plugin['class'] = isset( $_POST['class_name'] ) ? sanitize_text_field( wp_unslash( $_POST['class_name'] ) ) : '';
        $plugin_slug   = $plugin['slug'] = isset( $_POST['slug'] ) ? sanitize_text_field( wp_unslash( $_POST['slug'] ) ) : '';
        $plugin_directory = WP_PLUGIN_DIR;

        $plugin_file = $plugin_slug . '/' . $file;

        // For 'remote', the ZIP is first fetched to a local path.
        if( $host_type == 'remote' ) {
            $file_location = $this->get_local_dir_path($plugin);
        }

        // The archive is extracted directly into wp-content/plugins and then activated.
        $zip = new ZipArchive();
        if ($zip->open($file_location) === TRUE) {
            $zip->extractTo($plugin_directory);
            $zip->close();

            activate_plugin($plugin_file);

            if( $host_type == 'remote' ) {
                unlink($file_location);
            }

            echo 'success';

            die();
        } else {
            echo 'failed';
        }

        die();
    }

Unfortunately, this function had no capability check, nor any nonce checks, which made it possible for authenticated users with minimal permissions, like subscribers, to install a zip file as a “plugin” from an external source. This “plugin” zip file could contain malicious PHP files, including webshells, that could be used to achieve remote code execution once extracted and ultimately be used to completely take over a site.
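As an added illustration of the two missing controls (this is example code, not the vendor's 1.0.7 patch), here is how the same method could be written with a nonce check, a capability check, and a server-side allowlist instead of a caller-supplied ZIP location. The nonce action name and the allowlist contents are assumptions; the rest uses standard WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. Intended as a method on the same
// class that registers the wp_ajax_plugin_offline_installer action.
public function plugin_offline_installer_callback() {
    // 1. Nonce check: rejects forged cross-site requests. The action name
    //    'apdi_offline_installer' is hypothetical and must match the one used
    //    with wp_create_nonce() when the importer page is rendered.
    check_ajax_referer( 'apdi_offline_installer', 'nonce' );

    // 2. Capability check: subscribers do not hold install_plugins, so only
    //    users who may install plugins through wp-admin get past this point.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    $file = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';

    // 3. The request no longer chooses the package source. The URL is resolved
    //    from a fixed allowlist shipped with the plugin (constructed sample).
    $allowed_packages = array(
        'example-addon' => 'https://downloads.example.com/example-addon.zip',
    );
    if ( '' === $slug || ! isset( $allowed_packages[ $slug ] ) ) {
        wp_send_json_error( 'package not permitted', 400 );
    }

    // 4. Let WordPress's own upgrader fetch and unpack the archive instead of
    //    calling ZipArchive::extractTo() on a user-selected path.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $allowed_packages[ $slug ] );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( 'install failed', 500 );
    }

    $activated = activate_plugin( $slug . '/' . $file );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( $activated->get_error_message(), 500 );
    }
    wp_send_json_success( 'success' );
}
```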

Disclosure Timeline

August 9, 2021 – Conclusion of the plugin analysis that led to the discovery of an arbitrary file upload vulnerability in the Access Demo Importer WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We make an initial contact attempt with the plugin’s vendor.
August 10, 2021 – We discover an additional method to contact the plugin’s vendor and send another initial contact message.
August 18, 2021 – After no response, we attempt to reach out to the vendor again via a different contact.
August 27, 2021 – Due to no response, we reach out to the WordPress plugins teams and send over full disclosure details. The plugin is temporarily closed for downloads on the same day.
September 7, 2021 – The plugin is reopened for downloads containing a partial patch for the vulnerability. We attempt to reach out to the vendor, who responded to us after the WordPress.org team got in contact with them, to inform them that the plugin is still missing capability checks.
September 8, 2021 – Wordfence free users receive the firewall rule.
September 20, 2021 – We follow up with the WordPress plugins team after again receiving no response from the developer. They respond and let us know that they have informed the developer about the missing capability checks.
September 21, 2021 – A fully patched version of the plugin is released as version 1.0.7.

Conclusion

In today’s post, we detailed a flaw in Access Demo Importer that granted authenticated attackers the ability to upload arbitrary files, allowing them to perform remote code execution. This flaw was fully patched in version 1.0.7. We recommend that WordPress users immediately update to the latest version available, which is version 1.0.7 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.
