Post Grid WordPress Plugin Flaws Allow Site Takeovers


Team Showcase, a sister plugin, is also vulnerable to the XSS and PHP object-injection bugs — together they have 66,000 installs.

Two high-severity vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to site takeovers, according to researchers. To boot, nearly identical bugs are also found in Post Grid’s sister plugin, Team Showcase, which has 6,000 installations.

The issues are a cross-site scripting (XSS) flaw as well as a PHP object-injection issue. Both bugs are pending CVE numbers, and both are high-severity, rating 7.5 out of 10 on the CVSS vulnerability rating scale.

Post Grid, true to its name, allows users to display their posts in a grid layout; meanwhile, Team Showcase offers a way to easily highlight an organization’s team members. Both allowed the import of custom layouts, and used nearly identical – and vulnerable – functions for doing so, according to Ram Gall, researcher with Wordfence.

The XSS bug would allow an attacker to supply a source parameter pointing to a crafted malicious payload hosted elsewhere. The function would then open the file containing the payload, decode it and create a new page layout based on its contents.

“The created layout included a custom_scripts section, and an attacker could add malicious JavaScript to the custom_css portion of this section,” explained Gall, in a posting on Monday. “This would then be executed whenever an administrative user edited the layout or a visitor visited a page based on the layout.”

The upshot is that attackers could use the malicious JavaScript to add a malicious administrator, add a backdoor to plugin or theme files, or steal the administrator’s session information – all of which are paths to complete takeover of a site.

Triggering an exploit is also somewhat trivial.

“In both cases, a logged-in attacker with minimal permissions such as subscriber could trigger the functions by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function with the same name,” Gall explained.

The second issue, the PHP object-injection bug, arises in the import function because it unserialized the payload supplied in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or perform any number of other actions which could lead to site takeover.

To trigger the flaw, “an attacker could craft a string that would be unserialized into an active PHP object,” Gall explained. “Although neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, object injection could be used by an attacker.”

Both vulnerabilities would typically require the attacker to have an account with at least subscriber level privileges – but there’s a loophole.

“However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers,” Gall added.
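The two root causes described above (a low-privilege AJAX action that fetches an attacker-chosen source, unserializes it, and stores attacker-controlled custom_css) can be illustrated from the defender's side. The handler below is an added example of what a hardened version of such an import endpoint looks like; it is not PickPlugins' code nor the patched plugin's code. The action name post_grid_import_xml_layouts and the custom_scripts/custom_css keys come from the article; the nonce name, the post type, and the JSON upload field are assumptions. The capability check at the top is also what closes the shortcode loophole mentioned above, since the check runs inside the handler regardless of how the request reached it.

```php
<?php
// Hardened layout-import AJAX handler (illustrative, not the plugin's own code).
// Registering it only under wp_ajax_ (not wp_ajax_nopriv_) already excludes
// logged-out visitors; the checks inside cover logged-in low-privilege users.
add_action('wp_ajax_post_grid_import_xml_layouts', 'post_grid_import_xml_layouts');

function post_grid_import_xml_layouts() {
    // 1. Capability check: a subscriber account must not reach the import logic.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF check: the admin import form must carry this nonce (name assumed).
    check_ajax_referer('post_grid_import_layout', 'nonce');

    // 3. Accept layout data only from the request body, never a remote "source" URL,
    //    so the server never fetches and opens an attacker-hosted payload.
    $raw = isset($_POST['layout_json']) ? wp_unslash($_POST['layout_json']) : '';

    // 4. Decode as JSON into plain arrays. Unlike unserialize(), json_decode()
    //    can never instantiate a PHP object, so object injection is impossible here.
    $layout = json_decode($raw, true);
    if (!is_array($layout) || json_last_error() !== JSON_ERROR_NONE) {
        wp_send_json_error('invalid layout data', 400);
    }

    // 5. custom_css is later echoed inside a <style> block. Strip tags and angle
    //    brackets so it cannot close that block and start a <script> element.
    $css = (string) ($layout['custom_scripts']['custom_css'] ?? '');
    $css = wp_strip_all_tags($css);
    $css = str_replace(['<', '>'], '', $css);
    $layout['custom_scripts'] = ['custom_css' => $css];

    // 6. Persist the layout (post type and meta key are assumed names).
    $post_id = wp_insert_post([
        'post_type'   => 'post_grid_layout',
        'post_status' => 'publish',
        'post_title'  => sanitize_text_field($layout['title'] ?? 'Imported layout'),
    ], true);
    if (is_wp_error($post_id)) {
        wp_send_json_error($post_id->get_error_message(), 500);
    }
    update_post_meta($post_id, 'custom_scripts', $layout['custom_scripts']);
    wp_send_json_success(['layout_id' => $post_id]);
}

// If a legacy serialized format must still be read, refuse object instantiation:
function post_grid_safe_unserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]); // PHP 7.0+
}
```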

The plugins’ developer, PickPlugins, has issued patches, so web admins should upgrade as soon as possible. The fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.

These are the latest in the line of faulty WordPress plugins that have come to light this year. In September, a high-severity flaw in the Email Subscribers & Newsletters plugin by Icegram was found to affect more than 100,000 WordPress websites.
