Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin
On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, if the targeted site has the ‘Role Management’ setting enabled.
Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.
We performed our initial outreach to the developer on April 5, 2023, the same day we discovered the vulnerability. We received a response the same day and sent over the full details. The developer released a patch swiftly the next day on April 6, 2023.
We’d like to say a special thanks to the lead developer of WP Data Access, Peter Schulz, who provided an exemplary example of how security issues should be handled by responding immediately and releasing a patch the next day.
We strongly recommend ensuring that your site has been updated to the latest patched version of WP Data Access, which is version 5.3.8 at the time of this publication.
Vulnerability Summary from Wordfence Intelligence
Description: WP Data Access add_action( ‘profile_update’, $wpda_roles, ‘multiple_roles_update’ );
If the associated function had a capability check, then it may have prevented these users from fully executing the function, however, that was not the case. Reviewing the hooked function, we see a check verifying that the role management setting is enabled, but nothing more. The function then determines the user and looks for the ‘wpda_role
‘ array parameter from a given request. If present, it will process the supplied roles and add the role and applicable permissions to the user retrieved in the first step.
This made it possible for authenticated users, such as a subscriber, making profile updates to supply the ‘wpda_role
‘ array parameter with any desired roles, such as administrator, during a profile update that would be granted immediately upon save of the profile updates.
public function multiple_roles_update( $user_id ) {
if ( ! $this->is_role_management_enabled ) {
return;
}
$wp_user=new WP_User( $user_id );
if ( isset( $wp_user->data->user_login ) ) {
$user_login=$wp_user->data->user_login;
// Get access to editable roles
global $wp_roles;
if ( isset( $_REQUEST['wpda_role'] ) && is_array( $_REQUEST['wpda_role'] ) ) {
// Process roles
$sanitized_roles=array();
foreach ( $_REQUEST['wpda_role'] as $new_user_role ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
$sanitized_new_user_role=sanitize_text_field( wp_unslash( $new_user_role ) ); // input var okay.
$wp_user->add_role( $sanitized_new_user_role );
$sanitized_roles[ $sanitized_new_user_role ]=true;
}
// Remove unselected roles
foreach ( $wp_roles->roles as $role=> $val ) {
if ( ! isset( $sanitized_roles[ $role ] ) ) {
$wp_user->remove_role( $role );
}
}
} else {
// BUG!!! REMOVED!!!
// When plugin role management is enabled, this removes all user roles when a user updates his profile.
// foreach ( $wp_roles->roles as $role=> $val ) {
// $wp_user->remove_role( $role );
// }
}
}
}
As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.
Disclosure Timeline
April 5, 2023 – Discovery of the Privilege Escalation vulnerability in WP Data Access. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
April 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
April 5, 2023 – The vendor confirms the inbox for handling the discussion.
April 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 6, 2023 – A fully patched version of the plugin, 5.3.8, is released.
May 5, 2023 – Wordfence free users receive the firewall rule.
Conclusion
In today’s post, we detailed a flaw in the WP Data Access plugin that enabled authenticated attackers, with at least subscriber-level access to a site, to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. This flaw has been fully patched in version 5.3.8.
We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 5.3.8 at the time of this publication.
Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to a complete site takeover.
If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.
Source: wordfence.com