High Priority Vulnerabilities Patched in Uncode Core Plugin
Published 7 May 2024 by Rafie Muhammad, Security Researcher at Patchstack
This blog post is about the Uncode Core plugin vulnerabilities. If you’re an Uncode user, please update the core plugin to at least version 2.8.9.
All paid Patchstack users are protected from this vulnerability. Sign up for the free Community account first to scan for vulnerabilities, and apply protection for only $5 / site per month with Patchstack.
For plugin developers, we have security audit services and Enterprise API for hosting companies.
About the Uncode Core Plugin
The plugin Uncode Core (premium version) is a required plugin for the Uncode theme. The theme itself has more than 110,000 sales on ThemeForest, and Uncode is known as one of the more popular premium themes for WooCommerce sites. The plugin is developed by Undsgn.
The Uncode theme itself is a pixel-perfect creative WordPress Theme for any kind of website (portfolio, agency, freelance, blog) and a top WooCommerce Theme for shops (eCommerce, online store, business).
The security vulnerabilities
The Uncode Core plugin suffers from multiple vulnerabilities. The first is an authenticated arbitrary file and directory deletion, which allows any authenticated user with at least the Subscriber role to delete arbitrary directories on the server.
The second is an authenticated privilege escalation, which allows any authenticated user with at least the Subscriber role to escalate their privileges to any role on the WordPress site by abusing an insecure WP option update. Both vulnerabilities were fixed in version 2.8.9 and were assigned CVE-2023-51500 and CVE-2023-51515 respectively.
Authenticated Arbitrary File and Directory Deletion
The underlying vulnerable code exists in the delete_download function:
function delete_download() {
    if (isset($_REQUEST['font_family'])) {
        // Taken straight from the request: no sanitization, so "../" sequences survive.
        $font_family = $_REQUEST['font_family'];
        $font_dir    = trailingslashit($this->font_directory).$font_family;
        $fontkit_zip = $font_dir.'.zip';
        if (@file_exists($fontkit_zip)) {
            if (!@unlink($fontkit_zip)) {
                echo json_encode(array(
                    'error' => sprintf( esc_html__( 'Failed to delete @fontface kit zip %1$s.', 'uncode-core' ), $fontkit_zip )
                ));
                die();
            }
        }
        // Cannot delete the directory, because unzip_file, which has created it, uses WP_Filesystem. So we use WP_Filesystem to delete it.
        $this->setup_wp_filesystem();
        global $wp_filesystem;
        if (isset($wp_filesystem)) {
            // Recursive delete of whatever path $font_dir ended up pointing at.
            $delete_dir = $wp_filesystem->delete($font_dir, true);
            if (!$delete_dir) {
                echo json_encode(array('error' => $delete_dir['error']));
                die();
            }
        }
        echo json_encode(array('success' => "Download deleted"));
    }
    die();
}
The above function is attached to the wp_ajax_uncodefont_delete_download action. Since there is no proper permission or nonce check, any authenticated user is able to execute it. Notice that the function performs $wp_filesystem->delete() on the $font_dir variable. $font_dir is built from $font_family, which comes straight from $_REQUEST['font_family'] without any sanitization. As a result, users are able to perform directory traversal and delete arbitrary directories on the server.
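The following is an added example of how such a handler can be hardened; it is not the Uncode Core plugin's code or its actual patch. It shows the three controls the post calls for: a nonce check, a capability check, and reduction of the user-supplied name to a single path component, plus a realpath containment check as defence in depth. The class name, the nonce action 'uncodefont_delete_download', the 'manage_options' capability and the font directory path are assumptions made for the example; the AJAX action name and the WP_Filesystem deletion are the ones from the post.

```php
<?php
// Added example, not the Uncode Core plugin's code: a hardened delete_download
// AJAX handler. Assumed for this example: the class name, the nonce action
// 'uncodefont_delete_download', the 'manage_options' capability and the font
// directory passed to the constructor.
class Hardened_Font_Deleter {

    private $font_directory;

    public function __construct( $font_directory ) {
        $this->font_directory = $font_directory;
        add_action( 'wp_ajax_uncodefont_delete_download', array( $this, 'delete_download' ) );
    }

    public function delete_download() {
        // 1. Nonce check (CSRF): check_ajax_referer() ends the request with "-1" on failure.
        check_ajax_referer( 'uncodefont_delete_download', 'nonce' );

        // 2. Capability check (authorization): a valid nonce proves intent, not authority.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'error' => 'Insufficient permissions' ), 403 );
        }

        if ( empty( $_REQUEST['font_family'] ) ) {
            wp_send_json_error( array( 'error' => 'Missing font_family' ), 400 );
        }

        // 3. Sanitize: sanitize_file_name() strips "/" and "\" among other characters,
        //    basename() drops any directory part, and "." / ".." are refused outright,
        //    so the value can only ever be a single path component.
        $font_family = basename( sanitize_file_name( wp_unslash( $_REQUEST['font_family'] ) ) );
        if ( '' === $font_family || '.' === $font_family || '..' === $font_family ) {
            wp_send_json_error( array( 'error' => 'Invalid font_family' ), 400 );
        }

        $base = realpath( $this->font_directory );
        if ( false === $base ) {
            wp_send_json_error( array( 'error' => 'Font directory unavailable' ), 500 );
        }
        $font_dir    = trailingslashit( $base ) . $font_family;
        $fontkit_zip = $font_dir . '.zip';

        // 4. Containment check (defence in depth): if the directory exists, its resolved
        //    path must still be under $base. This catches a symlink placed inside the
        //    font directory that points elsewhere on the disk.
        $resolved = realpath( $font_dir );
        if ( false !== $resolved && 0 !== strpos( $resolved, trailingslashit( $base ) ) ) {
            wp_send_json_error( array( 'error' => 'Refusing to delete outside font directory' ), 400 );
        }

        if ( file_exists( $fontkit_zip ) && ! unlink( $fontkit_zip ) ) {
            wp_send_json_error( array(
                'error' => sprintf( esc_html__( 'Failed to delete @fontface kit zip %1$s.', 'uncode-core' ), $fontkit_zip ),
            ) );
        }

        // Same WP_Filesystem deletion as the original, now on a path we have validated.
        require_once ABSPATH . 'wp-admin/includes/file.php';
        WP_Filesystem();
        global $wp_filesystem;
        if ( is_dir( $font_dir ) && ( ! isset( $wp_filesystem ) || ! $wp_filesystem->delete( $font_dir, true ) ) ) {
            wp_send_json_error( array( 'error' => 'Failed to delete font directory' ), 500 );
        }

        wp_send_json_success( array( 'message' => 'Download deleted' ) );
    }
}

// Example wiring; the path is an assumption for this example.
new Hardened_Font_Deleter( WP_CONTENT_DIR . '/uploads/uncode-fonts' );
```

The order of the checks matters: the nonce and capability checks run before any request data is touched, and the name is reduced to one component before it is ever joined to a path, so the later realpath comparison is a second line of defence rather than the only one.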
Authenticated Privilege Escalation
The underlying vulnerable code exists in the save_option function:
public function save_option() {
    if ( isset( $_POST['nonce'] ) && wp_verify_nonce( $_POST['nonce'], 'uncode-core-settings-nonce' ) ) {
        if ( isset( $_POST['value'] ) && $_POST['value'] && isset( $_POST['option_id'] ) && $_POST['option_id'] ) {
            $autoload = isset( $_POST['autoload'] ) && $_POST['autoload'] === 'true' ? true : false;
            // Option key and value come straight from the request: no capability check, no allowlist.
            update_option( $_POST['option_id'], $_POST['value'], $autoload );
            // ... remainder of the function omitted in the original excerpt
        }
    }
}
The above function is attached to the wp_ajax_uncode_core_settings_update_option action. Since there is no proper permission check, any authenticated user is able to hit the function. There is a nonce validation against the action "uncode-core-settings-nonce"; however, the nonce value can be retrieved by any authenticated user who has access to the wp-admin area, because it is exposed to the page by the admin_scripts function:
public function admin_scripts() {
    $core_settings_parameters = array(
        'enable_debug' => apply_filters( 'uncode_enable_debug_on_js_scripts', false ),
        // The nonce is handed to every user who can load an admin page, Subscribers included.
        'nonce'        => wp_create_nonce( 'uncode-core-settings-nonce' ),
        'locale'       => array(
            'button_confirm' => esc_html__( 'Save', 'uncode-core' ),
        )
    );
    wp_enqueue_script( 'uncode-core-settings', UNCODE_CORE_PLUGIN_URL . 'includes/core-settings/js/uncode-core-settings.js', array( 'jquery' ), UncodeCore_Plugin::VERSION, true );
    wp_localize_script( 'uncode-core-settings', 'CoreSettingsParameters', $core_settings_parameters );
}
Notice also that the function calls update_option with the option key and value taken directly from $_POST['option_id'] and $_POST['value']. Since users can arbitrarily choose which option to update and what value to set, they can escalate their privileges by enabling the user registration feature on the WordPress site and setting the default role for new registrations to Administrator.
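As an added example (not the plugin's code or its actual patch), the handler below combines the controls the post describes for this bug: a nonce check, a capability check, and a strict allowlist of option keys so that core options such as the registration settings can never be reached through this action. It also goes one step further than the post's description of the fix by only enqueueing the nonce for users who could pass the capability check. The class name, the allowlisted option names and the 'manage_options' capability are assumptions for this example; the nonce action, AJAX action, script handle and the UNCODE_CORE_PLUGIN_URL / UncodeCore_Plugin::VERSION references are taken from the snippets quoted in the post.

```php
<?php
// Added example, not the Uncode Core plugin's code: a hardened save_option handler
// with an option-key allowlist. Assumed for this example: the class name, the
// allowlisted option names and the 'manage_options' capability.
class Hardened_Core_Settings {

    // The only option keys this AJAX action may touch. Core options such as
    // 'users_can_register' or 'default_role' are not on the list, so the request
    // cannot reach them whatever option_id it carries.
    const ALLOWED_OPTIONS = array(
        'uncode_core_debug_scripts', // hypothetical plugin option
        'uncode_core_cache_assets',  // hypothetical plugin option
    );

    public function __construct() {
        add_action( 'admin_enqueue_scripts', array( $this, 'admin_scripts' ) );
        add_action( 'wp_ajax_uncode_core_settings_update_option', array( $this, 'save_option' ) );
    }

    public function admin_scripts() {
        // Do not hand the nonce to users who could never pass the capability check below.
        if ( ! current_user_can( 'manage_options' ) ) {
            return;
        }
        $core_settings_parameters = array(
            'enable_debug' => apply_filters( 'uncode_enable_debug_on_js_scripts', false ),
            'nonce'        => wp_create_nonce( 'uncode-core-settings-nonce' ),
            'locale'       => array( 'button_confirm' => esc_html__( 'Save', 'uncode-core' ) ),
        );
        wp_enqueue_script( 'uncode-core-settings', UNCODE_CORE_PLUGIN_URL . 'includes/core-settings/js/uncode-core-settings.js', array( 'jquery' ), UncodeCore_Plugin::VERSION, true );
        wp_localize_script( 'uncode-core-settings', 'CoreSettingsParameters', $core_settings_parameters );
    }

    public function save_option() {
        // 1. Nonce check: ends the request with "-1" if the nonce is missing or invalid.
        check_ajax_referer( 'uncode-core-settings-nonce', 'nonce' );

        // 2. Capability check: the nonce only proves the request came from our form,
        //    not that the caller is allowed to change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'error' => 'Insufficient permissions' ), 403 );
        }

        // 3. Allowlist check: option_id must be one of ours, compared strictly.
        $option_id = isset( $_POST['option_id'] ) ? sanitize_key( wp_unslash( $_POST['option_id'] ) ) : '';
        if ( ! in_array( $option_id, self::ALLOWED_OPTIONS, true ) ) {
            wp_send_json_error( array( 'error' => 'Option not permitted' ), 400 );
        }

        // 4. Value handling: keep the original "must be non-empty" rule, but store a
        //    sanitized plain-text value rather than whatever was posted.
        $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
        if ( '' === $value ) {
            wp_send_json_error( array( 'error' => 'Missing value' ), 400 );
        }

        $autoload = isset( $_POST['autoload'] ) && 'true' === $_POST['autoload'];
        update_option( $option_id, $value, $autoload );

        wp_send_json_success( array( 'option_id' => $option_id, 'value' => $value ) );
    }
}

new Hardened_Core_Settings();
```

The allowlist is the control that removes the privilege escalation: even if a nonce leaks to a low-privileged user and the capability check were somehow missing, the handler can only write the handful of keys it owns.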
The patch
For the Authenticated Arbitrary File and Directory Deletion vulnerability, the vendor decided to apply a permission and nonce check to the function, without sanitizing the affected variable. The patch can be seen below:
For the Authenticated Privilege Escalation vulnerability, the vendor decided to apply a permission and nonce check to the function, together with a whitelist check on which option keys can be updated. The patch can be seen below:
Conclusion
For every Ajax action that performs a sensitive operation, always secure it with both a permission (capability) check and a nonce check. A nonce validation on its own can usually be bypassed when the nonce value is obtainable by users who should not be authorized, such as users with a lower-privilege role.
Always sanitize or whitelist user input that is used to construct a file or directory path, and always restrict which option keys a given action is allowed to update.
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
Source: patchstack.com