The WordPress Search Exclude plugin, which has 30,000+ active installations, was prone to two vulnerabilities that could allow anyone to change its settings in version 1.2.2 and below.
Reference
CVE-2019-15895
Unauthenticated settings change via admin_init
In the main “search-exclude.php” script, line 40, the plugin registers the saveOptions function via the admin_init hook:

    add_action('admin_init', array($this, 'saveOptions'));
The function, located at lines 297-304, lacks a capability check and a security nonce:

    public function saveOptions() {
        if (isset($_POST['search_exclude_submit'])) {
            $excluded = $_POST['sep_exclude'];
            $this->saveExcluded($excluded);
        }
    }
Because the admin_init hook can be triggered by anyone (it also fires on unauthenticated requests to admin-ajax.php, as we have seen in the Ocean Extra and Easy WP SMTP plugin vulnerability reports), an unauthenticated user can change the settings of the plugin.
Authenticated settings change via AJAX
Line 56, the plugin registers the saveBulkEdit function via the wp_ajax_* hook:

    add_action('wp_ajax_search_exclude_save_bulk_edit', array($this, 'saveBulkEdit'));
The function, located at lines 141-148, lacks a capability check and a security nonce, allowing any authenticated user, such as a subscriber, to change the settings via the WordPress AJAX API:

    public function saveBulkEdit() {
        $postIds = !empty($_POST['post_ids']) ? $_POST['post_ids'] : false;
        $exclude = isset($_POST['sep_exclude']) && '' !== $_POST['sep_exclude'] ? $_POST['sep_exclude'] : null;
        if (is_array($postIds) && null !== $exclude) {
            $this->savePostIdsToSearchExclude($postIds, $exclude);
        }
    }
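Both handlers above share the same root cause, so one hardened rewrite covers both. The following is an added example, not the plugin's patched code: each callback verifies a WordPress nonce and a capability before touching settings, and the settings form must emit the matching nonce field. The nonce action names, the capabilities chosen, and the option name used by the storage stubs are assumptions.

```php
<?php
// Added example (not the plugin's own patched code). Nonce action names,
// capability choices and the 'sep_exclude' option name are assumptions.
class Search_Exclude_Hardened {

    public function __construct() {
        // Same hooks as the vulnerable plugin; only the callbacks change.
        add_action('admin_init', array($this, 'saveOptions'));
        add_action('wp_ajax_search_exclude_save_bulk_edit', array($this, 'saveBulkEdit'));
    }

    // Settings form handler. admin_init also fires for unauthenticated
    // admin-ajax.php requests, so the callback itself must authorize the caller.
    public function saveOptions() {
        if (!isset($_POST['search_exclude_submit'])) {
            return;
        }
        // Reject anonymous users and low-privilege roles such as subscribers.
        if (!current_user_can('manage_options')) {
            wp_die('You are not allowed to change these settings.', 403);
        }
        // Reject requests that did not come from the plugin's own form (CSRF).
        check_admin_referer('search_exclude_save_options', 'search_exclude_nonce');

        $excluded = isset($_POST['sep_exclude']) ? (array) $_POST['sep_exclude'] : array();
        $this->saveExcluded(array_map('absint', $excluded)); // post IDs only
    }

    // AJAX handler. check_ajax_referer() terminates the request on a bad nonce.
    public function saveBulkEdit() {
        check_ajax_referer('search_exclude_bulk_edit', 'nonce');
        if (!current_user_can('edit_others_posts')) {
            wp_send_json_error('forbidden', 403);
        }
        $postIds = !empty($_POST['post_ids']) ? array_map('absint', (array) $_POST['post_ids']) : false;
        $exclude = isset($_POST['sep_exclude']) && '' !== $_POST['sep_exclude'] ? (bool) $_POST['sep_exclude'] : null;
        if (is_array($postIds) && null !== $exclude) {
            $this->savePostIdsToSearchExclude($postIds, $exclude);
        }
        wp_send_json_success();
    }

    // The settings form must render this field so check_admin_referer() can pass.
    public function renderNonceField() {
        wp_nonce_field('search_exclude_save_options', 'search_exclude_nonce');
    }

    // Minimal storage stubs standing in for the plugin's own persistence methods.
    private function saveExcluded(array $ids) { update_option('sep_exclude', $ids); }
    private function savePostIdsToSearchExclude(array $ids, $exclude) {
        $current = (array) get_option('sep_exclude', array());
        $merged  = $exclude ? array_unique(array_merge($current, $ids)) : array_diff($current, $ids);
        update_option('sep_exclude', array_values($merged));
    }
}
```

The JavaScript that calls the bulk-edit endpoint must send the nonce (created with wp_create_nonce('search_exclude_bulk_edit')) in the `nonce` POST field, otherwise check_ajax_referer() rejects the request.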
Timeline
The vulnerability was discovered and reported to the wordpress.org team on August 30, 2019.
Recommendations
Update as soon as possible if you have version 1.2.2 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet