Missing Authorization Vulnerability in Blog2Social Plugin
On October 5, 2022, the Wordfence Threat Intelligence team responsibly disclosed a Missing Authorization vulnerability in Blog2Social, a WordPress plugin installed on over 70,000 sites that allows users to set up post sharing to various social networks. Vulnerable versions of the plugin make it possible for authenticated attackers with minimal permissions, such as subscribers, to change the plugin’s settings.
We initially reached out to the developer via email on October 1, 2022. After receiving a response from the developer shortly thereafter, we disclosed this vulnerability to their team on October 5, 2022. A partial fix was provided within a day (version 6.9.11) with a full fix following on October 10, 2022 (version 6.9.12).
At the time of discovery, we did not release a firewall rule as we determined that the vulnerability is unlikely to be targeted and has a relatively low impact. After further evaluation, we decided to release a firewall rule on October 27, 2022 as a precautionary measure. Premium, Care, and Response customers received that protection the same day, while sites still running the free version of Wordfence will receive the same protection 30 days later on November 26, 2022. As such, we strongly recommend updating to version 6.9.12 or higher of Blog2Social to ensure that your site is protected against any exploits targeting this vulnerability.
Description: Missing Authorization to Authenticated (Subscriber+) Settings Update
Affected Plugin: Blog2Social
Plugin Slug: blog2social
Affected Versions:

The vulnerable AJAX handler, lockAutoPostImport() (the curly quotes and dropped spaces introduced by extraction are repaired here, and the opening condition is assembled from the three checks the page describes):

public function lockAutoPostImport() {
    if (current_user_can('read') && isset($_POST['b2s_security_nonce']) && (int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0) {
        if (isset($_POST['userId']) && (int) $_POST['userId'] > 0) {
            // The target user ID comes straight from the request, not from the session.
            update_option('B2S_LOCK_AUTO_POST_IMPORT_' . (int) $_POST['userId'], 1, false);
        }
        echo json_encode(array('result' => true));
        wp_die();
    } else {
        echo json_encode(array('result' => false, 'error' => 'nonce'));
        wp_die();
    }
}

The first if-statement is intended to prevent unauthorized use of this function, and similar functions in the plugin rely on the same guard. All three of its parts must evaluate to true for the guarded code to run, and a subscriber can satisfy every one of them:

current_user_can('read')
– The read capability only grants access to the administration screens and to the user's own profile. It is held by every authenticated user, including subscribers.

isset($_POST['b2s_security_nonce'])
– This nonce is set by the plugin and can be obtained by searching the source of /wp-admin/profile.php for the string 'b2s_security_nonce'. It is generated for subscribers and higher.

(int) wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['b2s_security_nonce'])), 'b2s_security_nonce') > 0
– This verifies the nonce after unslashing and sanitizing it. wp_verify_nonce() returns 1 or 2 for a valid nonce and false otherwise, so the cast-and-compare is a plain validity check.
As long as a userId is supplied in the request, an authenticated attacker can set the option B2S_LOCK_AUTO_POST_IMPORT_<userId> for any user ID of their choosing, leaving that user unable to automatically import posts. We found that many other functions in the plugin lacked proper capability checks as well.
The Importance of Capability Checks
Capability checks are an important part of securing AJAX actions, since wp_ajax_* actions are available to any logged-in user, including subscribers. The following is an example of an AJAX action registration from the Blog2Social plugin:
add_action('wp_ajax_b2s_lock_auto_post_import', array($this, 'lockAutoPostImport'));
While nonce checks ensure that the user initiating the request intended to do so, they do not provide authorization. As mentioned above, the check current_user_can('read') does ensure that the user initiating the request holds that specific capability, but it does not suffice to protect actions intended for administrators only. A proper way to secure such actions is a check such as current_user_can('manage_options').
The plugin does make use of B2S_PLUGIN_BLOG_USER_ID, which holds the current user's ID so that saved options are personalized, preventing one user from overwriting another user's preferences:

define('B2S_PLUGIN_BLOG_USER_ID', get_current_user_id());

The vulnerable handler shown above, however, took the target user ID from $_POST['userId'] rather than from this constant, which is what allowed a subscriber to set the lock option for arbitrary users.
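The following is an added example of the hardened pattern the two sections above describe (the nonce-plus-capability guard on the lockAutoPostImport() handler, and the use of the session's user ID instead of a request parameter). It is written for this page and is not Blog2Social's own code; the class name Example_Settings_Ajax, the action names 'example_update_settings' and 'example_lock_my_auto_import', the nonce action 'example_security_nonce', the option names and the allowed-network list are all hypothetical. It uses only WordPress core functions and is meant to live inside a plugin.

```php
<?php
// Added example (not Blog2Social's code): a WordPress AJAX handler that checks
// intent (nonce), authorization (capability) and identity (session user ID).
// Class, action, nonce and option names below are hypothetical.

class Example_Settings_Ajax {

    public function __construct() {
        // Only logged-in users reach wp_ajax_* hooks, but "logged in" includes
        // subscribers, so the hook itself performs no authorization.
        add_action('wp_ajax_example_update_settings',     array($this, 'updateSettings'));
        add_action('wp_ajax_example_lock_my_auto_import', array($this, 'lockMyAutoImport'));
        add_action('admin_enqueue_scripts',               array($this, 'enqueue'));
    }

    // Hands the nonce to the browser; the JavaScript sends it back as the
    // 'example_security_nonce' POST field together with the action name.
    public function enqueue() {
        wp_enqueue_script('example-admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
        wp_localize_script('example-admin', 'exampleAjax', array(
            'url'   => admin_url('admin-ajax.php'),
            'nonce' => wp_create_nonce('example_security_nonce'),
        ));
    }

    // Plugin-wide setting: an administrator-only action.
    public function updateSettings() {
        // 1. Intent: a valid nonce shows the request came from a page WordPress
        //    rendered for this user. It proves nothing about what the user may do.
        //    On failure check_ajax_referer() ends the request with HTTP 403.
        check_ajax_referer('example_security_nonce', 'example_security_nonce');

        // 2. Authorization: a subscriber can obtain a nonce from their own
        //    profile page and so passes step 1; this is the check that stops them.
        if (!current_user_can('manage_options')) {
            wp_send_json_error(array('error' => 'forbidden'), 403);
        }

        // 3. Input validation: allow-list the stored value rather than trusting a cast.
        $networks = (isset($_POST['networks']) && is_array($_POST['networks'])) ? $_POST['networks'] : array();
        $allowed  = array('twitter', 'facebook', 'linkedin');
        $networks = array_values(array_intersect($allowed, array_map('sanitize_key', $networks)));

        update_option('example_enabled_networks', $networks, false);
        wp_send_json_success(array('networks' => $networks));
    }

    // Per-user preference: every logged-in user may change their own, so
    // 'read' is the right capability, but the target must be the caller.
    public function lockMyAutoImport() {
        check_ajax_referer('example_security_nonce', 'example_security_nonce');

        if (!current_user_can('read')) {
            wp_send_json_error(array('error' => 'forbidden'), 403);
        }

        // Take the user ID from the session, never from $_POST['userId'];
        // a request-supplied ID is what let the vulnerable handler target any user.
        $user_id = get_current_user_id();
        if ($user_id <= 0) {
            wp_send_json_error(array('error' => 'no_user'), 403);
        }

        update_option('example_lock_auto_post_import_' . $user_id, 1, false);
        wp_send_json_success(array('userId' => $user_id));
    }
}

new Example_Settings_Ajax();
```

To confirm the fix behaves as intended, log in as a subscriber, copy the nonce the admin page embeds, and POST action=example_update_settings with that nonce to /wp-admin/admin-ajax.php: the response should be a 403 with the 'forbidden' error, whereas the same request from an administrator succeeds. Sending action=example_lock_my_auto_import with an extra userId field for another account should only ever change the caller's own option.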
Timeline
October 1, 2022 – Initial outreach to the plugin developer.
October 5, 2022 – We disclosed details of the vulnerabilities to the developer.
October 6, 2022 – Version 6.9.11 is released which provides a patch for the legacy mode update vulnerability.
October 10, 2022 – The remaining authorization vulnerabilities are patched in version 6.9.12.
October 27, 2022 – Wordfence Premium, Care, and Response customers receive a firewall rule to provide additional protection.
November 26, 2022 – Wordfence Free users receive a firewall rule.
Conclusion
In today’s post, we covered several vulnerabilities in the Blog2Social: Social Media Auto Post & Scheduler plugin that could be used by subscribers to update plugin settings due to improper authorization checks. The vulnerabilities were patched by ensuring that capabilities were checked.
Wordfence Premium, Care, and Response users received a firewall rule on October 27th, 2022 for enhanced protection. Wordfence free users will receive this rule after 30 days on November 26th, 2022. We strongly recommend updating to version 6.9.12 or higher of Blog2Social: Social Media Auto Post & Scheduler to ensure that your site is protected against any exploits targeting this vulnerability.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Blog2Social as soon as possible.
Source: wordfence.com