Critical vulnerability fixed in WordPress Automatic Plugin.

WordPress Automatic Plugin (26,000+ sales on Envato Market) fixed a critical vulnerability affecting version 3.53.2 and below that could allow unauthenticated users to take over the website and its database.

Unauthenticated Arbitrary WordPress Options Change

CVSS v3.1: 9.8 (Critical)

Similarly to the WordPress Pinterest Automatic vulnerability we disclosed earlier today, WordPress Automatic Plugin (slug: wp-automatic) uses an almost identical and vulnerable “process_form.php” script, but with one major difference:

  1 <?php
  2 /**
  3  * Created with Visual Form Builder by 23rd and Walnut
  4  * www.visualformbuilder.com
  5  * www.23andwalnut.com
  6  */
  7 require_once('../../../wp-load.php');
  8 $form = new ProcessForm();
  9 $form->field_rules = array(
 10    'field1'=>'required',
 11    'field3'=>'required',
 12    'field4'=>'required',
 13    'field5'=>'required',
 14    'field6'=>'required'
 15 );
 16 $form->validate();
...
...
 44 $this->fields = $_POST;
...
...
112 function process()
113 {
114
115
116    foreach($this->fields as $key => $field){
117       update_option( $key, $field);
118    }
119
120 }

As we can see on line 7, the script loads the WordPress bootstrap, wp-load.php, which means that it is a stand-alone script: it is not loaded by the plugin but is executed by accessing it directly.
It takes every key/value pair found in the POST payload and passes them to the WordPress update_option function. As it lacks a capability check to restrict access to the code and a security nonce to protect against cross-site request forgery attacks, it is accessible to everyone, authenticated or not.
An unauthenticated user can change WordPress options in the database in order to create an administrator account or redirect all traffic to an external malicious website, among many other possibilities.
As it is a stand-alone script, the vulnerability can be exploited even if the plugin is deactivated.
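For comparison, here is an added example (not the plugin's own code, nor the vendor's fix) of how the process() logic could be written safely: loaded through WordPress instead of bootstrapping wp-load.php itself, gated by a capability check and a nonce, and restricted to an allowlist of option names. The action name "wpa_save_settings", the nonce field "_wpa_nonce" and the option names in $allowed_options are assumptions.

```php
<?php
// Added example (not the plugin's code): hardened version of the
// process_form.php logic. Assumptions: this file is included by the plugin
// (no direct wp-load.php bootstrap), the settings form posts to
// admin-post.php with action "wpa_save_settings", and the plugin only
// needs to write the option names listed in $allowed_options.

// 1. Refuse direct access: when the file is requested directly, ABSPATH is
//    undefined, so the script exits before touching any request data.
defined( 'ABSPATH' ) || exit;

function wpa_example_process_settings() {
    // 2. Capability check: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 3. Nonce check (CSRF): the form must carry a valid nonce for this action
    //    (emitted with wp_nonce_field( 'wpa_save_settings', '_wpa_nonce' )).
    check_admin_referer( 'wpa_save_settings', '_wpa_nonce' );

    // 4. Allowlist of option keys (hypothetical names): the request can no
    //    longer choose which options get written, so core settings such as
    //    those controlling user registration or the site address stay intact.
    $allowed_options = array( 'wpa_field1', 'wpa_field3', 'wpa_field4' );

    foreach ( $allowed_options as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            continue;
        }
        // 5. Sanitize the submitted value before storing it.
        update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
    }

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}

// admin_post_{action} only fires for logged-in users; anonymous requests
// would need admin_post_nopriv_{action}, which is deliberately not registered.
add_action( 'admin_post_wpa_save_settings', 'wpa_example_process_settings' );
```

Because the handler is reached only through admin-post.php, it also stops working when the plugin is deactivated, unlike a stand-alone script that bootstraps WordPress on its own.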

Recommendations

Update immediately if you have version 3.53.2 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Timeline

The vulnerability was reported to Envato on August 20, 2021, and a new version 3.53.3 was released on August 23, 2021.
