The WordPress Sparkling theme, which has 30,000+ active installations, fixed an unauthenticated function injection vulnerability affecting version 2.4.8 and below.
Unauthenticated Function Injection
CVSS v3.1: 7.3 (High)
The vulnerability is identical to the one we reported on October 1st, 2020, which affected 15 themes using the Epsilon framework.
In the “inc/libraries/epsilon-framework/class-epsilon-framework.php” script, Sparkling registers the same unauthenticated epsilon_framework_ajax_action AJAX action:
add_action( 'wp_ajax_nopriv_epsilon_framework_ajax_action', array( $this, 'epsilon_framework_ajax_action', ) );
Because the handler is hooked on wp_ajax_nopriv_, it is reachable without logging in, and an unauthenticated user can perform a function injection attack, i.e. have the site call a function of the attacker's choosing.
The impact of such a vulnerability is difficult to rate because it depends on which plugins are installed on the website, but it could be used to perform some critical attacks. For instance, if popular plugins such as WooCommerce or Jetpack (5+ million installations each) are installed, an unauthenticated attacker can delete all products of the former and drop its tables in the database, or delete the configuration of the latter and disable its security modules.
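To make the class of bug concrete, here is an added example in plain PHP. It is not the Sparkling theme's or the Epsilon framework's code: it models an AJAX handler that resolves its callback from the request (the function injection pattern), beside a hardened dispatcher that never uses request data as a function name and that requires a nonce and a capability before doing anything. All function and action names, and the stand-in "delete all products" routine, are hypothetical and constructed for the demo; the nonce and capability checks are modelled as booleans so the file runs from the CLI without WordPress.

```php
<?php
// Added example, not code from the Sparkling theme or the Epsilon framework.
// Models a function-injection AJAX handler and its hardened counterpart in
// plain PHP so it runs stand-alone (php this_file.php). Names are hypothetical.

// Stand-in for a destructive routine a plugin might expose as a global function
// (constructed for the demo; it only flips a flag).
$GLOBALS['products_deleted'] = false;
function demo_plugin_delete_all_products(): void {
    $GLOBALS['products_deleted'] = true;
}

// VULNERABLE: the callable is taken straight from the request. Anyone who can
// reach this handler (e.g. via a wp_ajax_nopriv_ hook) can invoke any function
// that exists by name, with arguments they also control.
function vulnerable_ajax_handler(array $request) {
    $fn   = (string) ($request['action'] ?? '');
    $args = (array) ($request['args'] ?? array());
    if (is_callable($fn)) {
        return call_user_func_array($fn, $args); // attacker picks $fn and $args
    }
    return array('error' => 'not callable');
}

// HARDENED: a fixed map from action keys to handlers. Request data selects a
// key in this map and is never used as a function name.
function demo_get_theme_option(array $args) {
    return array('option' => (string) ($args['name'] ?? ''));
}

const DEMO_ALLOWED_ACTIONS = array(
    'get_theme_option' => 'demo_get_theme_option',
);

// $nonce_valid and $user_can_edit_theme stand in for check_ajax_referer() and
// current_user_can('edit_theme_options') in a real WordPress handler.
function hardened_ajax_handler(array $request, bool $nonce_valid, bool $user_can_edit_theme) {
    if (!$nonce_valid) {
        return array('error' => 'bad nonce');
    }
    if (!$user_can_edit_theme) {
        return array('error' => 'forbidden');
    }
    $key = (string) ($request['action'] ?? '');
    if (!array_key_exists($key, DEMO_ALLOWED_ACTIONS)) {
        return array('error' => 'unknown action');
    }
    $handler = DEMO_ALLOWED_ACTIONS[$key];
    return $handler((array) ($request['args'] ?? array()));
}

// Constructed attacker request: no login, no nonce, just a function name.
$attack = array('action' => 'demo_plugin_delete_all_products', 'args' => array());

// The vulnerable handler runs the destructive routine for an anonymous caller.
vulnerable_ajax_handler($attack);
var_dump($GLOBALS['products_deleted']);

// The hardened handler rejects the same request before touching anything.
$GLOBALS['products_deleted'] = false;
var_dump(hardened_ajax_handler($attack, false, false));
var_dump($GLOBALS['products_deleted']);

// Even an authenticated user with a valid nonce cannot escape the allowlist.
var_dump(hardened_ajax_handler($attack, true, true));

// A legitimate request goes through the mapped handler only.
var_dump(hardened_ajax_handler(array('action' => 'get_theme_option', 'args' => array('name' => 'color')), true, true));
```

In a real theme the same hardening means three things: register the handler on wp_ajax_ only (drop the wp_ajax_nopriv_ hook) unless anonymous access is genuinely needed, call check_ajax_referer() and current_user_can() before dispatching, and replace any `call_user_func`-style dispatch on request data with an explicit allowlist like DEMO_ALLOWED_ACTIONS above.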
Timeline
The vulnerability was discovered and reported to the authors in October 2019, then escalated to the wordpress.org themes team in March and August 2020. It was eventually fixed on February 9, 2022.
Recommendations
Update immediately if you have version 2.4.8 or below installed. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet