The WordPress Kiwi Social Sharing plugin (10,000+ active installations) fixed a critical vulnerability affecting version 2.1.0 that could allow unauthenticated users to read and modify WordPress options in the database.
Unauthenticated WordPress options change and read
Back in 2018, a critical vulnerability in the Kiwi Social Sharing plugin was actively exploited by hackers. It allowed an unauthenticated attacker to modify (and read) any WordPress option in the database in order, for instance, to create admin accounts by enabling registration and setting the user default role to administrator, or to modify the value of siteurl in order to redirect all traffic to an external malicious website. The vulnerability was fixed in version 2.0.11 released on November 12, 2018. However, while auditing plugins installed on a hacked WordPress site a few weeks ago, I noticed that the latest version of the plugin was prone to the same vulnerability again. After checking the plugin’s revision log, it appeared the security fix was undone in version 2.1.0 released on January 2021:
add_action( 'wp_ajax_kiwi_social_share_get_option', 'kiwi_social_share_get_option' );
add_action( 'wp_ajax_nopriv_kiwi_social_share_get_option', 'kiwi_social_share_get_option' );
add_action( 'wp_ajax_kiwi_social_share_set_option', 'kiwi_social_share_set_option' );
add_action( 'wp_ajax_nopriv_kiwi_social_share_set_option', 'kiwi_social_share_set_option' );
/**
*
*/
function kiwi_social_share_get_option() {
if ( !empty( $_POST ) && $_POST[ 'action' ] === 'kiwi_social_share_get_option' ) {
wp_die( json_encode( Kiwi_Social_Share_Helper::get_setting_value( $_POST[ 'args' ][ 'option' ], $_POST[ 'args' ][ 'default' ], $_POST[ 'args' ][ 'group' ] ) ) );
}
wp_die( 'Forbidden' );
}
function kiwi_social_share_set_option() {
if ( !empty( $_POST ) && $_POST[ 'action' ] === 'kiwi_social_share_set_option' ) {
$option = get_option( $_POST[ 'args' ][ 'group' ] );
$option[ $_POST[ 'args' ][ 'option' ] ] = $_POST[ 'args' ][ 'value' ];
update_option( $_POST[ 'args' ][ 'group' ], $option );
wp_die( 'Success' );
}
wp_die( 'Forbidden' );
}
Recommendations
Update immediately if you are using version 2.1.0. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you were already protected against this vulnerability.
Timeline
The vulnerability was reported to the WordPress Plugin Team on April 15, 2021 and a new version 2.1.3 was released on May 28.
Stay informed about the latest vulnerabilities
- Running WordPress? You can get email notifications about vulnerabilities in the plugins or themes installed on your blog.
- On Twitter: @nintechnet