Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid’s sister plugin, Team Showcase, which has 6,000 installations.

The issues are a cross-site scripting (XSS) flaw and a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rated 7.5 out of 10 on the CVSS vulnerability scale.

Post Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization’s team members. Both allowed the import of custom layouts, and used nearly identical – and vulnerable – functions for doing so, according to Ram Gall, researcher with Wordfence.

The XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it and create a new page layout based on its contents.

“The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,” explained Gall, in a posting on Monday. “This would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.”

The upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator’s session information – all of which are paths to complete takeover of a site.

Triggering an exploit is also somewhat trivial.

“In both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,” Gall explained.

The second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.

To trigger the flaw, “an attacker could craft a string that would be unserialized into an active PHP object,” Gall explained. “Although neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object injection could be used by an attacker.”

Both vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges – but there’s a loophole.

“However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,” Gall added.
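The import pattern Gall describes (an AJAX action reachable by any logged-in user, a fetched "source" passed through unserialize(), and the result written into a layout's custom CSS) is sketched below beside a hardened form. This is an added illustration written for this article, not PickPlugins' code: only the hook name post_grid_import_xml_layouts comes from the report, while the post type, meta keys, nonce action, file field and the switch from serialized PHP to JSON are assumptions chosen for the example.

```php
<?php
// Added example, not the plugin's own code. Assumed names: post type
// 'post_grid', meta key 'custom_css', nonce action 'post_grid_import_layouts',
// upload field 'layout_file'.

// --- Shape of the flaw the article describes (simplified, do not use) ---
// Registered without a capability check or nonce, it fetches a URL the
// requester chose, hands the decoded body to unserialize() (the object-
// injection sink) and stores the CSS as-is (the stored-XSS sink).
function vulnerable_import_xml_layouts() {
    $source  = $_POST['source'];
    $payload = file_get_contents( $source );             // requester-controlled URL
    $layouts = unserialize( base64_decode( $payload ) ); // instantiates arbitrary classes
    foreach ( $layouts as $layout ) {
        $id = wp_insert_post( array(
            'post_type'  => 'post_grid',
            'post_title' => $layout['title'],
        ) );
        update_post_meta( $id, 'custom_css', $layout['custom_css'] ); // unescaped
    }
    wp_die();
}

// --- Hardened form ---
function hardened_import_xml_layouts() {
    // 1. Only administrators may import layouts; a subscriber gets a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'post_grid_import_layouts', 'nonce' );

    // 3. Take an uploaded file instead of a URL, so the server never fetches
    //    attacker-chosen remote content.
    if ( empty( $_FILES['layout_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $raw = file_get_contents( $_FILES['layout_file']['tmp_name'] );

    // 4. Decode as plain data. json_decode() with $assoc = true can only
    //    produce arrays and scalars, so no __wakeup()/__destruct() chain can
    //    run. (If serialized PHP must be kept for compatibility, the minimum
    //    is unserialize( $raw, array( 'allowed_classes' => false ) ).)
    $layouts = json_decode( $raw, true );
    if ( ! is_array( $layouts ) ) {
        wp_send_json_error( 'invalid layout file', 400 );
    }

    foreach ( $layouts as $layout ) {
        $id = wp_insert_post( array(
            'post_type'   => 'post_grid',
            'post_status' => 'draft',
            'post_title'  => sanitize_text_field( $layout['title'] ?? '' ),
        ), true );
        if ( is_wp_error( $id ) ) {
            continue;
        }
        // 5. Store the CSS with all tags removed, so a "</style><script>"
        //    sequence cannot break out of the style block when the layout
        //    is rendered for an admin or a visitor.
        $css = wp_strip_all_tags( (string) ( $layout['custom_css'] ?? '' ) );
        update_post_meta( $id, 'custom_css', $css );
    }
    wp_send_json_success( array( 'imported' => count( $layouts ) ) );
}
add_action( 'wp_ajax_post_grid_import_xml_layouts', 'hardened_import_xml_layouts' );
```

The two checks at the top are what close the "subscriber can trigger it" path from the report; the JSON decode is what removes the object-injection sink even on a site where some other plugin ships a dangerous magic method. Sites that expose shortcodes to unauthenticated visitors still need the capability check, since the nonce alone does not establish who is calling.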

The plugins’ developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.

These are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.


Post Grid WordPress Plugin Flaws Allow Site Takeovers