Authenticated settings change vulnerability in YIT Plugin Framework.

An authenticated settings change vulnerability in the YIT Plugin Framework, used in several dozen WordPress plugins, could allow logged-in users to change the plugin options.

Reference

CVE-2019-16251

Summary

The YIT Plugin Framework is used in most plugins from YITH hosted on wordpress.org, as well as in their premium plugins. The framework version 3.3.8 and below was prone to two vulnerabilities:

  • An authenticated settings change vulnerability could allow logged-in users to modify the plugin options. This issue affects several dozen plugins (see the list below).
  • A vulnerability could allow logged-in users to insert or update custom post types. Although this vulnerable code is included in the framework, it does not seem to be used by any of the free plugins available in the wordpress.org repo.

Below is a list of plugins that are or aren’t vulnerable. Note that this is a non-exhaustive list because it covers only the 60 plugins available on wordpress.org, not the premium plugins that are available on YITH website.

The following 38 plugins are vulnerable to the authenticated settings change vulnerability:

The following 16 plugins include the vulnerable YIT Plugin Framework but aren’t vulnerable to the authenticated settings change vulnerability because they do not use that function. A new version was released and it is recommended to update them:

The following – and last – 6 plugins do not include the YIT Plugin Framework and thus aren’t vulnerable:

  • yith-custom-login
  • yith-footer-banner
  • yith-maintenance-mode
  • yith-newsletter-popup
  • yith-pre-launch
  • yith-topbar-countdown

Authenticated settings change

The main vulnerability can be found in the “plugin-fw/lib/yit-plugin-panel-wc.php” script:

add_action( 'admin_action_yith_plugin_fw_save_toggle_element', array( $this, 'save_toggle_element_options' ) );

The framework registers the save_toggle_element_options function via the admin_action_* hook which can be triggered by an authenticated user.

  public function save_toggle_element_options() {
     $posted      = $_POST;
     $tabs        = $this->get_available_tabs();
     $yit_options = $this->get_main_array_options();
     $current_tab = isset( $_REQUEST[ 'tab' ] ) && in_array( $_REQUEST[ 'tab' ], $tabs ) ? $_REQUEST[ 'tab' ] : $tabs[ 0 ];
     $option_id   = isset( $_REQUEST[ 'toggle_id' ] ) ? $_REQUEST[ 'toggle_id' ] : '';
     $updated     = false;

     if ( !empty( $yit_options[ $current_tab ] ) && !empty( $option_id ) ) {

        $tab_options = $yit_options[ $current_tab ];
        foreach ( $tab_options as $key => $item ) {
           if ( !isset( $item[ 'id' ] ) ) {
              unset( $tab_options[ $key ] );
           }
        }

        $option_array = array_combine( wp_list_pluck( $tab_options, 'id' ), $tab_options );
        if ( isset( $option_array[ $option_id ] ) ) {
           $value = isset( $posted[ $option_id ] ) ? $posted[ $option_id ] : '';

           //drag and drop
           $order_elements = isset( $posted[ 'yith_toggle_elements_order_keys' ] ) ? explode( ',', $posted[ 'yith_toggle_elements_order_keys' ] ) : false;
           if ( $order_elements ) {
              $i         = 0;
              $new_value = array();
              foreach ( $order_elements as $key ) {
                 $index               = apply_filters( 'yith_toggle_elements_index', $i++, $key );
                 $new_value[ $index ] = $value[ $key ];
              }

              $value = $new_value;
           }
           $value   = self::sanitize_option( $value, $option_array[ $option_id ], $value );
           $updated = update_option( $option_id, $value );
        }
     }

     return $updated;
  }

This function is described as being used to “save the content of the toggle element present inside the panel”, but because it lacks capability check and a security nonce, it can be misused by a logged-in user to change the plugin settings.

Timeline

The vulnerability was discovered and reported to the YITH team on August 12, 2019.

Recommendations

Update any YITH plugin to the latest available version.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet