WordPress Automatic Plugin (26,000+ sales on Envato Market) fixed a critical vulnerability affecting version 3.53.2 and below that could allow unauthenticated users to take over the website and its database.
Unauthenticated Arbitrary WordPress Options Change
CVSS v3.1: 9.8 (Critical)
Similarly to the WordPress Pinterest Automatic vulnerability we disclosed earlier today, WordPress Automatic Plugin (slug: wp-automatic) uses an almost identical and vulnerable “process_form.php” script but with a major difference though:
1 <?php
2 /**
3 * Created with Visual Form Builder by 23rd and Walnut
4 * www.visualformbuilder.com
5 * www.23andwalnut.com
6 */
7 require_once('../../../wp-load.php');
8 $form = new ProcessForm();
9 $form->field_rules = array(
10 'field1'=>'required',
11 'field3'=>'required',
12 'field4'=>'required',
13 'field5'=>'required',
14 'field6'=>'required'
15 );
16 $form->validate();
...
...
44 $this->fields = $_POST;
...
...
112 function process()
113 {
114
115
116 foreach($this->fields as $key => $field){
117 update_option( $key, $field);
118 }
119
120 }
As we can see line 7, it loads WordPress bootstrap, wp-load.php, which means that it is a stand-alone script that isn’t loaded by the plugin but is executed by accessing it directly.
It takes every key/value pairs found in the POST payload and passes them on to the WordPress update_option function. As it lacks a capability check to restrict access to the code, and a security nonce to protect against cross-site request forgery attacks, it is accessible to everyone, authenticated or not.
An unauthenticated user can change WordPress options in the database in order to create an administrator account or redirect all traffic to an external malicious website among many other possibilities.
As it is a stand-alone script, the vulnerability can be exploited even if the plugin is deactivated.
Recommendations
Update immediately if you have version 3.53.2 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Timeline
The vulnerability was reported to Envato on Augut 20, 2021, and a new version 3.53.3 was released on August 23, 2021.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet