WordPress Ape Gallery plugin fixed authenticated arbitrary plugin deactivation vulnerability.

The WordPress Ape Gallery plugin (6,000+ active installations) fixed a vulnerability in version 2.0.6 and below that could allow any authenticated user to deactivate any plugin on the blog.

Authenticated Plugin Deactivation

In the “gallery-images-ape/libs/modules/setup/setup.class.php” script, the plugin loads the ape_gallery_setup function via the WordPress AJAX API:

add_action( 'wp_ajax_ape_gallery_setup', array( $this, 'ape_gallery_setup' ) );
...
...
public function ape_gallery_setup() {

   // No nonce check and no capability check before this point
   if ( isset( $_POST['plugin'] ) )
      deactivate_plugins( $_POST['plugin'] );
...
...

It passes the $_POST['plugin'] user input straight to the WordPress deactivate_plugins function without checking the user's capabilities (or a nonce), which allows any authenticated user, such as a subscriber, to deactivate any plugin on the blog.
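For comparison, here is a hardened version of such a handler. This is an added illustration written for this page, not the plugin's actual 2.0.7 fix; the function name, the nonce action name and the assumption that the admin page sends a matching nonce field are all hypothetical.

```php
<?php
// Added example (not the plugin's own code): a hardened AJAX handler that
// deactivates a plugin only for authorized users with a valid nonce.
// The handler name and the nonce action 'ape_gallery_setup' are assumptions.

add_action( 'wp_ajax_ape_gallery_setup', 'ape_gallery_setup_hardened' );

function ape_gallery_setup_hardened() {
    // 1. CSRF protection: the request must carry a nonce created for this
    //    action, e.g. with wp_create_nonce( 'ape_gallery_setup' ) on the admin
    //    page and sent in a POST field named 'nonce'. Dies with 403 otherwise.
    check_ajax_referer( 'ape_gallery_setup', 'nonce' );

    // 2. Authorization: 'activate_plugins' is the core capability WordPress
    //    itself requires for plugin (de)activation. This is the check the
    //    vulnerable handler was missing.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    if ( ! isset( $_POST['plugin'] ) ) {
        wp_send_json_error( 'Missing plugin parameter.', 400 );
    }

    // 3. Input validation: only accept a plugin file that is actually
    //    installed (keys of get_plugins() look like 'dir/main-file.php'),
    //    instead of passing raw user input to deactivate_plugins().
    $plugin    = sanitize_text_field( wp_unslash( $_POST['plugin'] ) );
    $installed = array_keys( get_plugins() );

    if ( ! in_array( $plugin, $installed, true ) ) {
        wp_send_json_error( 'Unknown plugin.', 400 );
    }

    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'deactivated' => $plugin ) );
}
```

Even with the capability check in place, the nonce check matters: without it an administrator could be tricked into deactivating plugins through a cross-site request.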

Timeline

The vulnerability was reported to the wordpress.org team on December 09, 2019 and version 2.0.7 was released on December 26, 2019.

Recommendations

Update as soon as possible if you have version 2.0.6 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet