Login
5 Apr 2023

WP Engine’s New WordPress Plugin Contains CSRF Vulnerability

From what we have seen, WP Engine has a reputation for having a good handle on security, despite having a bad track record going back many years. In line with that track record, we found that the WordPress plugin they released on the WordPress Plugin Directory last week, Pattern Manager, lacks a basic security check leading to a minor vulnerability.

In the file /wp-modules/editor/model.php, the plugin registers for the function redirect_pattern_actions() to be accessible to even those not logged in to WordPress:

235

add_action( 'admin_init', __NAMESPACE__ . '\redirect_pattern_actions' );

The function exits if the request is coming from someone who doesn’t have the “manage_options” capability, which would normally only be Administrators:

185
186
187
188
189
190
191
192

function redirect_pattern_actions() {
	if ( get_pattern_post_type() !== filter_input( INPUT_GET, 'post_type' ) ) {
		return;
	}
 
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

There should then be a nonce check to prevent cross-site request forgery (CSRF) before the code takes other actions, but that isn’t there:

194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234

	if ( 'edit-pattern' === filter_input( INPUT_GET, 'action' ) ) {
		$new_post = wp_insert_post(
			[
				'post_type'   => get_pattern_post_type(),
				'post_name'   => sanitize_text_field( filter_input( INPUT_GET, 'name' ) ),
				'post_status' => 'publish',
			]
		);
 
		wp_safe_redirect(
			get_edit_post_link( $new_post, 'direct_link' )
		);
	}
 
	if ( 'duplicate' === filter_input( INPUT_GET, 'action' ) ) {
		$pattern_to_duplicate  = get_pattern_by_name( sanitize_text_field( filter_input( INPUT_GET, 'name' ) ) );
		$duplicate_pattern_ids = get_duplicate_pattern_ids( $pattern_to_duplicate['name'], get_theme_patterns() );
		if ( ! $duplicate_pattern_ids ) {
			return;
		}
 
		$new_pattern = array_merge(
			$pattern_to_duplicate,
			$duplicate_pattern_ids
		);
 
		update_pattern( $new_pattern );
 
		$new_post = wp_insert_post(
			[
				'post_type'   => get_pattern_post_type(),
				'post_name'   => $new_pattern['name'],
				'post_status' => 'publish',
			]
		);
 
		wp_safe_redirect(
			get_edit_post_link( $new_post, 'direct_link' )
		);
	}
}

That code allows creating a new pattern or duplicating existing patterns. Without the CSRF protection, an attacker could cause a logged in Administrator to take those actions. That isn’t a big concern, unless it could be combined with some other issue, but CSRF protection is a really basic element of securing a WordPress plugin and it is missing.

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof of concept will create new pattern post with the name proofofconcept , when logged in to WordPress as an Administrator. That isn’t shown on the plugin’s admin page, but can be seen in the database.

Replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-post.php?post_type=pm_pattern&action=edit-pattern&name=proofofconcept

No related posts.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Plugin Security Scorecard Grade for Pattern Manager

Checked on September 18, 2024
C

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published. Required fields are marked *