weDevs, the developer of the popular WP Project Manager plugin for WordPress, has released a security patch to address a privilege escalation vulnerability.

The vulnerability, which was first reported by Wordfence, allows authenticated attackers to grant themselves administrative privileges by updating user metadata.

WP Project Manager is a task, project, and team management plugin for WordPress. On closer examination of the code, the Wordfence researchers found a REST API endpoint, backed by the ‘save_users_map_name’ function, that updates a user’s GitHub and Bitbucket usernames.

public function save_users_map_name( WP_REST_Request $request ) {
 
    $usernames = $request->get_params();
    foreach ( $usernames['usernames'] as $username_key => $username_value ) {
        // The request key is expected to look like "<service>_<user id>".
        $username_key_array = explode( '_', $username_key );
        // Only the presence of "github" or "bitbucket" somewhere in the split key is checked.
        if ( in_array( 'github', $username_key_array, true ) || in_array( 'bitbucket', $username_key_array, true ) ) {
            // Both the target user id and the meta key are taken directly from the request key.
            $user_meta_id    = $username_key_array[1];
            $user_meta_key   = $username_key_array[0];
            $user_meta_value = ! empty( $username_value ) ? sanitize_text_field( $username_value ) : '';
 
            update_user_meta( $user_meta_id, $user_meta_key, $user_meta_value );
        }
    }
}

The core problem is the way the explode() and in_array() functions are used to ensure that only the ‘github’ and ‘bitbucket’ meta keys can be updated. These functions are not sufficient to prevent exploitation, because the check can be bypassed with a lookalike character, known as a homoglyph, that stands in for an underscore: explode() does not split on it, so the key is not “exploded” as intended, yet the value is saved in the database as a proper underscore.


This made it possible for authenticated users, including subscribers, to supply the ‘wp_capabilities’ array parameter with any desired role, such as administrator, in place of what should be username metadata, which granted the user the capabilities of that role.
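The defensive fix for this pattern is to stop deriving the meta key and target user from a loosely split request string. The following hardened handler is an added example written for this article; it is not weDevs’ actual 2.6.5 patch, and the error codes, the numeric-user-id key format and the use of WordPress’s current_user_can( 'edit_user', … ) check are assumptions about how the endpoint should behave. It accepts only an ASCII key of the form ‘github_<id>’ or ‘bitbucket_<id>’, writes only a literal meta key it chose itself, and refuses to touch another user’s record unless the caller holds the edit_user capability.

```php
<?php
// Added example (not the plugin's own patch): a hardened save_users_map_name().
// Assumes a WordPress runtime (WP_REST_Request, WP_Error, update_user_meta, etc.).
public function save_users_map_name( WP_REST_Request $request ) {
    $usernames = $request->get_param( 'usernames' );
    if ( ! is_array( $usernames ) ) {
        return new WP_Error( 'pm_bad_request', 'usernames must be an array', array( 'status' => 400 ) );
    }

    foreach ( $usernames as $username_key => $username_value ) {
        // Strict byte-level match: <service>_<numeric user id>, nothing else.
        // A homoglyph in place of '_' or a key such as 'wp_capabilities' fails
        // this pattern, so it is rejected before any database write. The D
        // modifier keeps '$' from matching before a trailing newline.
        if ( ! preg_match( '/^(github|bitbucket)_([0-9]+)$/D', (string) $username_key, $m ) ) {
            return new WP_Error( 'pm_bad_key', 'invalid username key', array( 'status' => 400 ) );
        }

        // The meta key written is the literal captured service name, never an
        // arbitrary string supplied by the client.
        $meta_key = $m[1];
        $user_id  = (int) $m[2];

        // Authorization: callers may edit their own mapping; editing another
        // account requires the core edit_user capability for that user id.
        if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
            return new WP_Error( 'pm_forbidden', 'cannot edit this user', array( 'status' => 403 ) );
        }

        $value = ! empty( $username_value ) ? sanitize_text_field( $username_value ) : '';
        update_user_meta( $user_id, $meta_key, $value );
    }

    return rest_ensure_response( array( 'updated' => true ) );
}
```

The route registration should also carry a permission_callback that requires a logged-in user, so the handler is never reached anonymously. For sites that ran a vulnerable version, a quick audit is to list the administrator accounts with WP-CLI (`wp user list --role=administrator`) and confirm every entry is expected.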


As with any privilege escalation vulnerability, this can lead to complete site compromise. Once an attacker has gained administrative access to a WordPress site, they can manipulate anything on the site as a normal administrator would. This includes uploading plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages, which can be leveraged to redirect site visitors to other malicious sites.

weDevs has released a security patch for this vulnerability, which is available in version 2.6.5 of the WP Project Manager plugin. Users are advised to update to the latest version of the plugin as soon as possible.