Unauthenticated options import vulnerability in WordPress Ultimate FAQ plugin.

The WordPress Ultimate FAQ plugin, which has 30,000+ active installations, was prone to an unauthenticated options import vulnerability in version 1.8.24 and below that could lead to content injection.

Reference

CVE-2019-17232, CVE-2019-17233

Unauthenticated options import

In the “Functions/EWD_UFAQ_Import.php” script, the EWD_UFAQ_Import_From_Spreadsheet function is used to import posts/FAQs from a spreadsheet:

function EWD_UFAQ_Import_From_Spreadsheet() {
...
...
/* Make sure that the file exists */
 elseif (empty($_FILES['FAQs_Spreadsheet']['tmp_name']) || $_FILES['FAQs_Spreadsheet']['tmp_name'] == 'none') {
         $error = __('No file was uploaded here..', 'ultimate-faqs');
 }
 /* Move the file and store the URL to pass it onwards*/
 /* Check that it is a .xls or .xlsx file */
 if(!isset($_FILES['FAQs_Spreadsheet']['name']) or (!preg_match("/\.(xls.?)$/", $_FILES['FAQs_Spreadsheet']['name']) and !preg_match("/\.(csv.?)$/", $_FILES['FAQs_Spreadsheet']['name']))) {
     $error = __('File must be .csv, .xls or .xlsx', 'ultimate-faqs');
 }
 else {
      $filename = basename( $_FILES['FAQs_Spreadsheet']['name']);
      $filename = mb_ereg_replace("([^\w\s\d\-_~,;\[\]\(\).])", '', $filename);
      $filename = mb_ereg_replace("([\.]{2,})", '', $filename);

      //for security reason, we force to remove all uploaded file
      $target_path = ABSPATH . "wp-content/plugins/ultimate-faqs/faq-sheets/";
      //plugins_url("order-tracking/product-sheets/");

      $target_path = $target_path . $filename;

      if (!move_uploaded_file($_FILES['FAQs_Spreadsheet']['tmp_name'], $target_path)) {
      //if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
            $error .= "There was an error uploading the file, please try again!";
      }
      else {
              $Excel_File_Name = $filename;
      }
 }

The function lacks a capability check and a security nonce, so an unauthenticated user can submit a CSV file and create new posts on the blog whose content is mixed HTML (links, formatted text, local or remote media files). Note also that the uploaded file is written under the plugin's own directory, "wp-content/plugins/ultimate-faqs/faq-sheets/", rather than the WordPress uploads directory, and that the extension check relies on loose regular expressions (".xls" or ".csv" followed by at most one arbitrary character) instead of a strict allowlist.

Unauthenticated options export

Because they also lack a capability check, the EWD_UFAQ_Export_To_Excel and EWD_UFAQ_Export_To_PDF functions from the “Functions/EWD_UFAQ_Export.php” script allow an unauthenticated attacker to export all posts/FAQs in CSV or PDF format. Although the impact of this action seems low, it is important to note that password-protected posts/FAQs are exported as well, so the export bypasses the protection their password was meant to provide.
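The following is an added example illustrating the fix for both the import and the export handlers described above; it is not code from the Ultimate FAQ plugin or from its authors. It contrasts a handler that runs for any visitor with one that enforces a capability check, a nonce check, a strict extension allowlist and a WordPress-managed upload, and it applies the same capability/nonce guard to an export routine. All function names prefixed ufaq_demo_, the nonce actions, the admin page slug and the post type "ufaq" are assumptions made for the example.

```php
<?php
/**
 * Added example (not the plugin's own code). Names prefixed ufaq_demo_,
 * the nonce actions, the page slug and the post type 'ufaq' are assumed.
 */

// Unsafe pattern: the handler fires on a generic hook and never asks who is
// calling or whether the request carries a nonce, so any visitor can trigger it.
add_action( 'admin_init', 'ufaq_demo_import_unsafe' );
function ufaq_demo_import_unsafe() {
    if ( ! isset( $_POST['ufaq_demo_import'] ) ) {
        return;
    }
    // ... moves $_FILES['FAQs_Spreadsheet'] and creates posts without further checks
}

// Safe pattern: hook through admin-post.php (no "nopriv" variant, so anonymous
// requests never reach it) and still verify capability and nonce explicitly,
// because any logged-in subscriber can also reach admin-post.php.
add_action( 'admin_post_ufaq_demo_import', 'ufaq_demo_import_safe' );
function ufaq_demo_import_safe() {
    // 1. Capability check: only administrators (manage_options) may import.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to import FAQs.', 'ufaq-demo' ), 403 );
    }
    // 2. Nonce check: blocks CSRF against an administrator who is logged in.
    check_admin_referer( 'ufaq_demo_import', 'ufaq_demo_nonce' );

    if ( empty( $_FILES['FAQs_Spreadsheet']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['FAQs_Spreadsheet']['tmp_name'] ) ) {
        wp_die( esc_html__( 'No file was uploaded.', 'ufaq-demo' ), 400 );
    }

    // 3. Strict extension allowlist instead of a regex such as /\.(xls.?)$/,
    //    which would also accept any single trailing character.
    $ext = strtolower( pathinfo( $_FILES['FAQs_Spreadsheet']['name'], PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'csv', 'xls', 'xlsx' ), true ) ) {
        wp_die( esc_html__( 'File must be .csv, .xls or .xlsx', 'ufaq-demo' ), 400 );
    }

    // 4. Let WordPress store the file: sanitized name, uploads directory,
    //    and a MIME check restricted to the spreadsheet types we accept.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload(
        $_FILES['FAQs_Spreadsheet'],
        array(
            'test_form' => false,
            'mimes'     => array(
                'csv'  => 'text/csv',
                'xls'  => 'application/vnd.ms-excel',
                'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
            ),
        )
    );
    if ( isset( $upload['error'] ) ) {
        wp_die( esc_html( $upload['error'] ), 400 );
    }

    // 5. Parse $upload['file'] and create posts; run imported HTML through
    //    wp_kses_post() so only content an editor could publish is stored.
    //    (Parsing omitted here; it is not the point of the example.)
    wp_safe_redirect( admin_url( 'admin.php?page=ufaq-demo&imported=1' ) );
    exit;
}

// The export side needs the same two guards; has_password => false additionally
// keeps password-protected FAQs out of the exported set.
add_action( 'admin_post_ufaq_demo_export', 'ufaq_demo_export_safe' );
function ufaq_demo_export_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export FAQs.', 'ufaq-demo' ), 403 );
    }
    check_admin_referer( 'ufaq_demo_export', 'ufaq_demo_nonce' );

    $faqs = get_posts( array(
        'post_type'      => 'ufaq',      // assumed post type name
        'post_status'    => 'publish',
        'posts_per_page' => -1,
        'has_password'   => false,
    ) );

    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="faqs.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'Question', 'Answer' ) );
    foreach ( $faqs as $faq ) {
        fputcsv( $out, array( $faq->post_title, $faq->post_content ) );
    }
    fclose( $out );
    exit;
}
```

The matching admin form posts to admin-post.php with a hidden "action" field set to "ufaq_demo_import" (or "ufaq_demo_export") and includes wp_nonce_field( 'ufaq_demo_import', 'ufaq_demo_nonce' ); without that field, check_admin_referer() stops the request before any file is touched. The capability check comes first so that an unauthorized user receives a 403 without a nonce even being evaluated.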

Timeline

A new version 1.8.25 was released on September 18, 2019.

Recommendations

Update as soon as possible if you have version 1.8.24 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet