WordPress Plugin’s Administrator Creation Bug Disclosed
WordPress and other content management systems (CMS) are a godsend for non-programmers: they can build and update the content of a website without knowing any programming language or scripting technique. CMS core developers are generally quick to fix bugs and security vulnerabilities in their own products, but the same platforms can be extended in ways that lie beyond the core developers' control. These extensions are plugins, written by independent developers, which easily add capabilities to a default CMS installation. It is a living case of convenience versus security: every installed plugin adds code the site owner did not write, increases the security risk and expands the attack surface of the CMS.
Here at Hackercombat.com we continue to inform readers which Internet-facing software currently has a critical issue, so that they can make a well-informed decision about what to do next. This time the subject is a WordPress plugin named Convert Plus, which has a critical bug that can hand over the whole site. Formerly known as Convert Plug, Convert Plus gives a WordPress website lead-generation capability, which it claims captures more users and traffic for the site over the long term.
The vulnerable version of Convert Plus lets an external, unauthenticated user obtain an administrator-level account simply by submitting the plugin's new-subscriber form. The bug comes from the “cp_set_user” value, which is carried in a hidden form field. A hidden field is only hidden in the browser's rendering; anyone can edit it before the form is submitted, and changing “cp_set_user” to “administrator” makes the newly created account a super user for the website. Convert Plus version 3.4.2 and older have this privilege escalation flaw, and every WordPress administrator who deploys the plugin needs to upgrade to version 3.4.3, which patches the problem.
“This (buggy) code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed. Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address. The new account is given a randomized password, but the attacker can issue a typical password reset to gain access to their rogue administrator account,” explained Mikey Veenstra, a security researcher for Wordfence, as he described what they call the Unauthenticated Administrator Creation bug.
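To make the pattern concrete, the following is an added example written for this article; it is not Convert Plus code and does not reproduce the plugin's actual handler. It shows a hypothetical WordPress AJAX subscription endpoint that trusts the hidden cp_set_user field, next to a hardened version that decides the role on the server. All hc_* function, action and option names are assumptions made for the example; the WordPress API calls (wp_insert_user, get_role, sanitize_key and so on) are real core functions.

```php
<?php
/**
 * Added example, not Convert Plus code. Hypothetical AJAX subscription
 * handlers for WordPress; the hc_* names and the hc_public_roles option
 * are assumptions made for illustration.
 */

// Vulnerable pattern: the role is whatever the client put in the hidden
// cp_set_user field. A hidden field is an HTML rendering detail, not a
// trust boundary, so an unauthenticated poster can send "administrator".
add_action( 'wp_ajax_nopriv_hc_subscribe_vulnerable', 'hc_subscribe_vulnerable' );
add_action( 'wp_ajax_hc_subscribe_vulnerable', 'hc_subscribe_vulnerable' );

function hc_subscribe_vulnerable() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $role  = sanitize_text_field( wp_unslash( $_POST['cp_set_user'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // no check: "administrator" is accepted as-is
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// Hardened pattern: the role a public form may create is decided on the
// server. The client's cp_set_user value is at most a hint that must match
// a short allowlist, and privileged roles are refused even if the allowlist
// is misconfigured.
add_action( 'wp_ajax_nopriv_hc_subscribe_hardened', 'hc_subscribe_hardened' );
add_action( 'wp_ajax_hc_subscribe_hardened', 'hc_subscribe_hardened' );

function hc_allowed_public_role( $requested ) {
    // Roles a public form may hand out (assumed option; default: subscriber only).
    $allowed   = (array) get_option( 'hc_public_roles', array( 'subscriber' ) );
    $requested = sanitize_key( $requested );

    if ( ! in_array( $requested, $allowed, true ) ) {
        return 'subscriber';
    }
    // Defence in depth: a public form must never create a role that can
    // manage users or site options, whatever the allowlist says.
    $role_obj = get_role( $requested );
    if ( ! $role_obj || $role_obj->has_cap( 'create_users' ) || $role_obj->has_cap( 'manage_options' ) ) {
        return 'subscriber';
    }
    return $requested;
}

function hc_subscribe_hardened() {
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or already registered email', 400 );
    }

    $role = hc_allowed_public_role( wp_unslash( $_POST['cp_set_user'] ?? 'subscriber' ) );

    $user_id = wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id, 'role' => $role ) );
}
```

Two points follow from the hardened version. First, the password reset that Veenstra mentions is ordinary WordPress behaviour, not something a plugin can or should disable; the only reliable fix is to never let unauthenticated input select a privileged role, which is what the server-side allowlist and the capability check enforce. Second, a site that ran a vulnerable version should not stop at upgrading: list the administrator accounts and their registration dates (for example with WP-CLI, `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`) and remove any that the site owner did not create.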
Elvina Goves of the Convert Plus team acknowledged the responsible disclosure by Wordfence. The latter gave the Convert Plus team enough time to issue a patch and perform a security audit of the plugin, and only released the details of how to trigger the bug after the fix was already publicly available for download. “We are thankful to the team at Wordfence, who reported a vulnerability. We worked closely with them to understand the issue further and released a fix within 3 days. There is nothing to panic about, as we’ve not come across any known breakthroughs caused due to this vulnerability. We strongly believe that security is not an absolute and a one-time fix that will work. It is a continuous process and should be managed regularly with regular checks and updates. We highly recommend our users to activate their license, so that they do not miss out on such update notifications and can update Convert Plus with a single click,” emphasized Goves.