Flaws in WordPress Plug-In Put 3 Million Websites at RiskExploitation May Have Exposed REST-API Endpoints on Sites
Security researchers have discovered two severe vulnerabilities in a popular WordPress SEO plug-ins used by more than 3 million website owners. If left unpatched, the vulnerabilities could enable an attacker to take advantage of a privilege-escalation bug and an SQL-injection problem.
The two vulnerabilities are in All in One SEO, which was launched in 2007 and is used by WordPress website owners to ensure their websites rank higher in search engines.
When paired, they can become an exploit chain that could allow an attacker to take over the websites - if the attacker has an account on the website, which can simply be a subscriber account.
"WordPress websites by default allow any user on the web to create an account. By default, new accounts are ranked as 'subscriber' and do not have any privileges other than writing comments," the researchers at Sucuri say.
These vulnerabilities allow subscribers to have more privileges than they were intended to have and when exploited in tandem, the security flaws allow an attacker to take over an unpatched WordPress website, the researchers say.
Analysis of Vulnerabilities
Marc Montpas, a security research engineer at Automattic, first detected the SQL injection vulnerability and the privilege-escalation bug during an internal audit of the All In One SEO plug-in.
"If exploited, the SQL injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). The privilege-escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites," Montpas says.
He says the researchers reported the vulnerabilities to the plug-in’s author via email, and the author recently released version 18.104.22.168 to address them.
Researchers at Sucuri did an in-depth analysis of these vulnerabilities and found that the first issue with this plug-in, which affects versions 4.0.0 and 22.214.171.124 of All in One SEO, can be exploited simply by changing a single character of a request to uppercase.
"This plug-in has access to a number of REST API endpoints but performs a permission check before executing any commands sent. This ensures that the user has proper permissions to instruct the plug-in to execute commands. However, All in One SEO did not account for the subtle fact that WordPress treats these REST API routes as case-insensitive strings. Changing a single character to uppercase would bypass the authentication checks altogether," the researchers say.
When exploited, this vulnerability can overwrite certain files within the WordPress file structure, giving backdoor access to any attacker, which would allow website takeover and could elevate the privileges of subscriber accounts into admins.
The second vulnerability is present in versions 126.96.36.199 and 188.8.131.52 of the plug-in. The endpoint is not intended to be accessible by low-level accounts, but with the previous authenticated privilege escalation vulnerability, the attackers can execute SQL commands to leak sensitive data from the database, including user credentials and admin information.
"The appeal of WordPress is its flexibility in purpose as well as its ease of setup and use. But, just like any software, its developers, and those that make WordPress components, such as plug-ins and templates, will make mistakes. This leads to vulnerabilities being introduced in a user's website. Because of this, it is important for users to look holistically at their WordPress environment and incorporate security at each component. This includes server, network and application layers," says, Leo Pate, managing consultant at application security provider nVisium.
"While the requirements for an exploit chain do offer some level of immunity for most users of this plug-in, website owners simply cannot rely on that as a form of protection. Every single plug-in vulnerability drives home the need for website owners to use a good security plug-in, set up a web application firewall, and most importantly, to enable WordPress auto-updates for plug-ins, themes, and core, as well as ensuring their now-fully-up-to-date website is backed up regularly," says Yehuda Rosen, senior software engineer at application security provider nVisium.
The researchers recommend that all sites be updated to the latest, patched versions of the plug-in.
Rosen also says website administrators should protect and harden their sites to prevent having to perform cleanup in the aftermath of a hack.
Rising Plug-In Menace
Earlier this month, security firm Wordfence Security identified a massive wave of ongoing attacks against more than 1.6 million WordPress sites. The report said more than 13.7 million different attack attempts had been made over a 36-hour period, and all of them were focused on exploiting four different WordPress plug-ins and several Epsilon framework themes.
That attack campaign, which originated from more than 16,000 different IP addresses, made it possible for attackers to take over vulnerable sites through the use of arbitrary option updating (see: Massive Attack Targets 1.6 Million WordPress Sites).
In October, Wordfence researchers warned that a WordPress plug-in installed in more than 1 million websites was vulnerable to high-severity bugs.
In March, Wordfence researchers reported that a WordPress plug-in called Tutor LMS had several vulnerabilities associated with the unprotected Ajax endpoints. These flaws were later patched (see: WordPress LMS Tutor Plug-In Flaws Patched).