WP-Invoice < 4.1.1 Multiple Security Vulnerabilities

The WP-Invoice plugin from Usability Dynamics, Inc. contains several security vulnerabilities. The wordpress.org stats claim 5,000+ active installs, so this is not a heavily used plugin, but anything related to billing and invoices always puts me on edge. If you use this plugin I encourage you to update immediately.

I only evaluated the free version of this plugin and did not look at any of their paid add-ons for vulnerabilities. I discovered three issues that were accessible to unauthenticated users and one issue that required a valid WordPress account.

Unauthorized Setting Changes

Inside class_core.php the function admin_init() is hooked to the 'admin_init' WordPress action. That action fires on every load of the admin side, including admin-ajax.php, regardless of who is making the request; it does not imply that an account with administrator access is being used, or that anyone is logged in at all.

Inside this function it takes user input and, without any capability or nonce check, updates the site's settings. The submitted values are merged into the existing settings, so passing an individual setting updates just that one. This allows changing settings like the emailed templates, the PayPal email address, and various other sensitive options.

[Screenshot: wpinvoice_admin_init]
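The pattern above next to a hardened version, as an added example written for this article rather than code from WP-Invoice. The option name wpi_options, the submit field, the nonce action and the three setting keys are assumptions chosen for illustration; the WordPress functions themselves are real.

```php
<?php
// Added example, not WP-Invoice's code. Option name, submit field, nonce
// action and the allowed setting keys are assumptions for illustration.

// VULNERABLE: 'admin_init' fires on every wp-admin request, including
// admin-ajax.php, for any visitor. Nothing here checks who is asking.
function insecure_admin_init() {
    if ( isset( $_REQUEST['wpi_settings'] ) ) {
        $settings = get_option( 'wpi_options', array() );
        // array_merge lets a single posted key overwrite e.g. the PayPal address.
        $settings = array_merge( $settings, (array) $_REQUEST['wpi_settings'] );
        update_option( 'wpi_options', $settings );
    }
}
// add_action( 'admin_init', 'insecure_admin_init' );   // left unregistered on purpose

// HARDENED: explicit intent, capability, CSRF and allowlist checks.
function secure_admin_init() {
    // Only act on the settings form's own submit, not on every admin load.
    if ( ! isset( $_POST['wpi_save_settings'] ) ) {
        return;
    }
    // 1. Authorization: only users who may manage options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // 2. CSRF: nonce emitted by wp_nonce_field( 'wpi_save_settings', 'wpi_nonce' ).
    check_admin_referer( 'wpi_save_settings', 'wpi_nonce' );

    // 3. Allowlist plus per-field sanitisation; unknown keys are dropped.
    $allowed = array(
        'paypal_email'   => 'sanitize_email',
        'email_subject'  => 'sanitize_text_field',
        'email_template' => 'wp_kses_post',
    );
    $posted   = isset( $_POST['wpi_settings'] ) ? (array) wp_unslash( $_POST['wpi_settings'] ) : array();
    $settings = get_option( 'wpi_options', array() );
    foreach ( $allowed as $key => $sanitize ) {
        if ( array_key_exists( $key, $posted ) ) {
            $settings[ $key ] = call_user_func( $sanitize, $posted[ $key ] );
        }
    }
    if ( isset( $settings['paypal_email'] ) && ! is_email( $settings['paypal_email'] ) ) {
        wp_die( 'Invalid PayPal address', 400 );
    }
    update_option( 'wpi_options', $settings );
}
add_action( 'admin_init', 'secure_admin_init' );
```

The order matters: the capability check comes first so that an anonymous request never reaches the nonce check, and the allowlist is iterated rather than the posted array, so a key the form does not define can never reach update_option().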

Retrieving invoices of arbitrary users

I'm not sure this is the most critical of the flaws, but it does disclose sensitive data, and the invoice numbers it returns can be used in the next vulnerability.

Here the AJAX action is registered for both logged in ('wp_ajax_') and logged out ('wp_ajax_nopriv_') users.

[Screenshot: wpinvoice_load_invoices]

At first glance I thought this would only allow the current user's invoices to be loaded.

[Screenshot: wpinvoice_load_invoices1]

On closer examination, if the user is logged in their own invoices are loaded, but if the user is not logged in, $_GET['wpi_user_id'] can be supplied with any numeric WordPress user_id and that user's invoices are returned instead.

[Screenshot: wpinvoice_load_invoices2]
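The logic described above and a fixed version, as an added example written for this article rather than WP-Invoice's own code. The post type wpi_object, the 'user_id' post meta, the optional 'invoice_id' parameter and the nonce action are assumptions; the 'wpi_user_id' handling mirrors the flaw in the text.

```php
<?php
// Added example, not WP-Invoice's code. Post type, meta key, 'invoice_id'
// parameter and nonce action are assumptions for illustration.

// VULNERABLE: registered for visitors too, and when nobody is logged in the
// user whose invoices are returned is chosen by the client.
function insecure_load_invoices() {
    $user_id = is_user_logged_in()
        ? get_current_user_id()
        : absint( $_GET['wpi_user_id'] );            // attacker-controlled
    wp_send_json_success( invoice_titles_for_user( $user_id ) );
}
// add_action( 'wp_ajax_wpi_load_invoices', 'insecure_load_invoices' );
// add_action( 'wp_ajax_nopriv_wpi_load_invoices', 'insecure_load_invoices' ); // the bug

// HARDENED: no nopriv registration, CSRF nonce, identity taken from the
// session only, and any requested invoice must belong to that user.
function secure_load_invoices() {
    check_ajax_referer( 'wpi_load_invoices', 'nonce' );   // dies on failure
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }
    // Optional single-invoice lookup: never assume the ID belongs to the caller.
    if ( isset( $_GET['invoice_id'] ) ) {
        $invoice = get_post( absint( $_GET['invoice_id'] ) );
        if ( ! $invoice || 'wpi_object' !== $invoice->post_type
             || (int) get_post_meta( $invoice->ID, 'user_id', true ) !== $user_id ) {
            wp_send_json_error( 'not found', 404 );   // same answer for "missing" and "not yours"
        }
        wp_send_json_success( array( $invoice->ID => $invoice->post_title ) );
    }
    wp_send_json_success( invoice_titles_for_user( $user_id ) );
}
add_action( 'wp_ajax_wpi_load_invoices', 'secure_load_invoices' );

// Shared helper: invoices are posts whose 'user_id' meta names the customer (assumption).
function invoice_titles_for_user( $user_id ) {
    $posts = get_posts( array(
        'post_type'   => 'wpi_object',
        'post_status' => 'any',
        'numberposts' => -1,
        'meta_key'    => 'user_id',
        'meta_value'  => (int) $user_id,
    ) );
    $out = array();
    foreach ( $posts as $p ) {
        $out[ $p->ID ] = $p->post_title;
    }
    return $out;
}
```

Dropping the 'wp_ajax_nopriv_' registration is what closes the hole; the ownership check on 'invoice_id' is the same idea applied one level down, since an invoice ID leaked elsewhere is just as attacker-controlled as a user ID.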

Updating previously invoiced users meta data

Through the magic of unauthenticated AJAX the 'wpi_gateway_process_payment' action can be called by anyone.

[Screenshot: wpinvoice_process_payment]

The wpi_gateway_base::process_payment() function takes user input in order to dispatch to the process_payment() function of the selected payment gateway handler.

[Screenshot: wpinvoice_process_payment1]

In this case the 'wpi_paypal', 'wpi_interkassa', and 'wpi_twocheckout' gateways all allow this. Below I'll only show the 'wpi_paypal' variation. This allows various kinds of the invoiced user's meta data to be updated from the request, and if their CRM plugin is installed any of the attributes used there can be updated as well.

[Screenshot: wpinvoice_process_payment2]

Privilege escalation of logged in users

Through the 'wpi_update_user_option' AJAX action, a logged in user can pass an arbitrary 'meta_key' and 'meta_value' that get written to their own account's user meta. Many of these options are already editable by the user via their profile, but a user should never be able to modify 'wp_capabilities' (the meta key that holds the account's roles with the default table prefix) or other potentially dangerous fields.

[Screenshot: wpinvoice_update_option]

Timeline

  • 1/15/2016 11:28am Initial contact email sent
  • 1/18/2016 3:14am Contact information received
  • 1/19/2016 11:58am Full disclosure email sent
  • 1/29/2016 6:23am Vendor responded saying issues were resolved in latest release


WordPress Download Manager < 2.8.8 Critical Security Vulnerabilities

I discovered that the WordPress Download Manager contains some very serious security vulnerabilities. The free version available on wordpress.org claims 80,000+ active installs (as of 1/19/2016); the company also sells a pro version with an unknown number of installs.

There are multiple vulnerabilities in the plugin. I do not have access to the pro version, so I cannot verify whether all of them are resolved there or whether it has additional, similar vulnerabilities.

Unauthenticated Directory listings

The wpdm_dir_tree() function is called during the 'init' action and performs no authorization check at all. Any visitor can pass the HTTP GET variable 'task=wpdm_dir_tree' together with the HTTP POST variable 'dir' containing a directory path, and the server returns a listing of the files in that directory.

[Screenshot: wpdm_dirlist1]
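A handler of the shape described above beside one that confines the listing, as an added example written for this article and not WPDM's own code. The capability, the nonce action and the base directory under the uploads folder are assumptions; the 'task' and 'dir' parameters follow the text.

```php
<?php
// Added example, not WPDM's code. Capability, nonce action and the base
// directory are assumptions; 'task' and 'dir' follow the description.

// VULNERABLE: any visitor can list any directory the web server can read.
function insecure_dir_tree() {
    if ( isset( $_GET['task'] ) && 'wpdm_dir_tree' === $_GET['task'] ) {
        $dir = $_POST['dir'];                         // e.g. "../../../../etc"
        echo wp_json_encode( scandir( $dir ) );
        exit;
    }
}
// add_action( 'init', 'insecure_dir_tree' );        // left unregistered on purpose

// Resolve $requested relative to $base and confirm it stays inside $base.
// realpath() collapses "..", symlinks and duplicate separators before the
// comparison, which is what makes the prefix check meaningful.
function wpdm_example_contain_path( $base, $requested ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return false;
    }
    // Reject NUL bytes and absolute paths; everything is relative to $base.
    if ( false !== strpos( $requested, "\0" ) ) {
        return false;
    }
    if ( '' !== $requested
         && ( '/' === $requested[0] || '\\' === $requested[0] || preg_match( '#^[A-Za-z]:#', $requested ) ) ) {
        return false;
    }
    $real = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $real ) {
        return false;
    }
    // Compare with a trailing separator so /srv/files2 does not match /srv/files.
    $base_with_sep = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( $real !== $base && 0 !== strpos( $real, $base_with_sep ) ) {
        return false;
    }
    return is_dir( $real ) ? $real : false;
}

// HARDENED: capability, CSRF nonce, and a listing rooted in one folder.
function secure_dir_tree() {
    if ( ! isset( $_GET['task'] ) || 'wpdm_dir_tree' !== $_GET['task'] ) {
        return;
    }
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'wpdm_dir_tree', 'nonce' );
    $uploads = wp_upload_dir();
    $base    = $uploads['basedir'] . '/download-manager-files';   // assumed location
    $dir     = wpdm_example_contain_path( $base, isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '' );
    if ( false === $dir ) {
        wp_die( 'Invalid directory', 400 );
    }
    $entries = array_values( array_diff( scandir( $dir ), array( '.', '..' ) ) );
    wp_send_json_success( $entries );
}
add_action( 'init', 'secure_dir_tree' );
```

The containment helper is deliberately separate from the request handling so it can be unit tested with inputs like "../..", "sub/../../../etc" and a symlink that points outside the base, all of which must return false.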

Unauthenticated post updating

The savePackage() function is called by the 'wp' action. There are lots of fun things you can do with this function, and none of it requires any authorization. I won't spell out exactly what is needed, but it is quite simple to use this to associate any file on the filesystem with a post.

[Screenshot: wpdm_savepackage]

Later the function takes arbitrary user data and updates the post meta of a specific post.

[Screenshot: wpdm_savepackage1]

Someone can then use WPDM's built-in download mechanism to fetch the file associated with that post. I was able to use this to download arbitrary files from the host.

Privilege Escalation

This last piece requires a valid account on the WordPress host, though if registration is enabled the WPDM plugin makes it even easier to create one. Through the magic of extract($_POST), a user can pass in any of the parameters accepted by the wp_update_user() WordPress function. Many of these the user can normally change via their profile settings, but 'role' is one that should only be adjusted by an Administrator.

[Screenshot: wpdm_updateprofile]

The extract() function needs to be used very carefully (if at all), and never on an array of user supplied data ($_POST, $_GET, $_REQUEST, etc.): every key in the array becomes a local variable, so the caller gets to define variables the code never expected to receive.
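The two mass-assignment patterns from this post, the extract($_POST) profile update above and the arbitrary 'meta_key' writes in WP-Invoice's update option and payment gateway handlers, both reduce to letting the client name the field. Below is an added example written for this article, not code from either plugin, showing both vulnerable shapes and one hardened handler; the AJAX action, nonce action and the two allowlists are assumptions.

```php
<?php
// Added example, not WPDM's or WP-Invoice's code. AJAX action, nonce
// action and the allowed field lists are assumptions for illustration.

// VULNERABLE (WPDM): extract() turns every POST key into a local variable,
// so a logged-in user can simply post role=administrator.
function insecure_update_profile() {
    extract( $_POST );                                  // defines $role, $first_name, ...
    wp_update_user( array(
        'ID'         => get_current_user_id(),
        'first_name' => $first_name,
        'last_name'  => $last_name,
        'role'       => $role,                          // privilege escalation
    ) );
}

// VULNERABLE (WP-Invoice): the caller names the meta key, so with the default
// table prefix meta_key=wp_capabilities&meta_value[administrator]=1 grants admin.
function insecure_update_user_option() {
    update_user_meta( get_current_user_id(), $_POST['meta_key'], $_POST['meta_value'] );
}

// HARDENED: explicit field map, no role or capability fields, nonce-protected.
function secure_update_profile() {
    check_ajax_referer( 'wpdm_update_profile', 'nonce' );
    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }

    // Core user fields a user may edit about themselves. 'role', 'user_login'
    // and 'user_pass' are deliberately absent.
    $user_fields = array(
        'first_name'   => 'sanitize_text_field',
        'last_name'    => 'sanitize_text_field',
        'display_name' => 'sanitize_text_field',
        'user_url'     => 'esc_url_raw',
    );
    // Plugin-specific meta a user may edit; anything else (wp_capabilities,
    // wp_user_level, session_tokens, ...) is rejected.
    $meta_fields = array(
        'wpdm_phone'   => 'sanitize_text_field',
        'wpdm_company' => 'sanitize_text_field',
    );

    $userdata = array( 'ID' => $user_id );
    foreach ( $user_fields as $field => $sanitize ) {
        if ( isset( $_POST[ $field ] ) ) {
            $userdata[ $field ] = call_user_func( $sanitize, wp_unslash( $_POST[ $field ] ) );
        }
    }
    $result = wp_update_user( $userdata );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }

    if ( isset( $_POST['meta_key'], $_POST['meta_value'] ) ) {
        $key = sanitize_key( wp_unslash( $_POST['meta_key'] ) );
        if ( ! array_key_exists( $key, $meta_fields ) ) {
            wp_send_json_error( 'meta key not allowed', 400 );
        }
        $value = call_user_func( $meta_fields[ $key ], wp_unslash( $_POST['meta_value'] ) );
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_wpdm_update_profile', 'secure_update_profile' );
```

The hardened handler iterates its own allowlists and looks up the request, never the other way round, so the set of writable fields is fixed in code and a new parameter in the request is ignored rather than honoured.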

Timeline

  • 1/10/2016 Initial contact via webform to determine contact information
  • 1/11/2016 11:51am Contact address received
  • 1/11/2016 1:38pm Initial full disclosure
  • 1/11/2016 2:45pm Additional information discovered and disclosed
  • 1/11/2016 10:15pm Updated version released that did not completely resolve issue
  • 1/12/2016 Vendor released new versions and posted blog

Simple Download Monitor 3.2.8 Security Vulnerability

The WordPress plugin Simple Download Monitor has a few security vulnerabilities that allow unauthenticated users to list all uploaded files, delete the thumbnails associated with them, and download password protected files without entering the password.

As of 1/19/2016 the wordpress.org information says there are 10,000+ active installs of this plugin.

The vendor Tips and Tricks HQ has released version 3.2.9 to resolve these issues.

List all uploaded files

Unauthenticated AJAX allows any visitor to call the 'sdm_tiny_get_post_ids' action, which returns a JSON encoded list of the 'post_id' and 'post_title' of every file uploaded with the Simple Download Monitor plugin. In many cases these files are publicly listed already, so on its own this is not a major issue, but it does enumerate the post IDs that the download handler below accepts.

[Screenshot: sdm_ajax_list]

Delete thumbnails

The same unauthenticated AJAX entry point also allows any visitor to delete thumbnail images added by this plugin via the 'sdm_remove_thumbnail_image' action.

[Screenshot: sdm_ajax_delete]

Download files without password protection

This is the biggest security issue here. The plugin does provide an AJAX action that verifies the post password before allowing the file to be downloaded, but there is also a second, direct path to the file that performs no password verification at all. The access is logged if logging is enabled, but it is not denied.

[Screenshot: sdm_view_init]

Early on, in the 'init' action, the handle_sdm_download_via_direct_post() function is called. It takes the supplied 'download_id' and retrieves the post containing the file.

[Screenshot: sdm_download_part1]

After a bit of logging it happily redirects the user to the download URL without ever checking the post's password.

[Screenshot: sdm_download_part2]

One additional note: the files themselves are not password protected, only the posts that contain them. So if someone has the direct URL to a file they can download it without any further authorization.
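The direct download path described above and a version that honours the post password, as an added example written for this article rather than Simple Download Monitor's own code. The trigger parameter, the post type, the meta key holding the file URL and the decision to stream the file instead of redirecting are assumptions; 'download_id' follows the text.

```php
<?php
// Added example, not Simple Download Monitor's code. Trigger parameter,
// post type, file meta key and the streaming fallback are assumptions.

// VULNERABLE: looks up the post and redirects to its file without ever
// asking whether the post is password protected.
function insecure_handle_direct_download() {
    if ( isset( $_REQUEST['sdm_process_download'], $_REQUEST['download_id'] ) ) {
        $post = get_post( absint( $_REQUEST['download_id'] ) );
        $url  = get_post_meta( $post->ID, 'sdm_upload', true );
        wp_redirect( $url );      // the password check exists only on the AJAX path
        exit;
    }
}
// add_action( 'init', 'insecure_handle_direct_download' );   // left unregistered on purpose

// HARDENED: same entry point, but the download is refused until the visitor
// has supplied the post's password through the standard WordPress form,
// which sets the wp-postpass_* cookie that post_password_required() checks.
function secure_handle_direct_download() {
    if ( ! isset( $_REQUEST['sdm_process_download'], $_REQUEST['download_id'] ) ) {
        return;
    }
    $post = get_post( absint( $_REQUEST['download_id'] ) );
    if ( ! $post || 'sdm_downloads' !== $post->post_type || 'publish' !== $post->post_status ) {
        wp_die( 'Download not found', 404 );
    }
    // true means the post has a password and this visitor has not unlocked it.
    if ( post_password_required( $post ) ) {
        wp_die( 'This download requires a password', 403 );
    }
    $url = get_post_meta( $post->ID, 'sdm_upload', true );
    if ( ! $url ) {
        wp_die( 'File missing', 404 );
    }
    // Redirecting hands out a public URL that bypasses the check above, so the
    // file is streamed from disk instead. This only helps if the web server
    // does not serve that directory directly (e.g. a deny rule on the folder).
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( str_replace( $uploads['baseurl'], $uploads['basedir'], $url ) );
    if ( false === $base || false === $real
         || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) || ! is_file( $real ) ) {
        wp_die( 'File missing', 404 );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $real ) . '"' );
    header( 'Content-Length: ' . filesize( $real ) );
    readfile( $real );
    exit;
}
add_action( 'init', 'secure_handle_direct_download' );
```

post_password_required() is the same check WordPress core applies before rendering a protected post's content, so using it here makes the direct path and the AJAX path agree on what "unlocked" means; the realpath() containment on the resolved file path keeps a tampered meta value from turning the streamer into an arbitrary file read.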

It's always wise to ensure that every request is properly authorized, on every path that reaches the resource and not just the one the UI uses.

Timeline

  • 1/12/2016 2:16pm Initial contact email sent to find appropriate security/developer contact
  • 1/12/2016 10:16pm Vendor responds with contact information
  • 1/13/2016 10:16am Complete disclosure sent
  • 1/14/2016 7:31pm Vendor reply stating they are working on issue and requested more information
  • 1/16/2016 7:37pm Vendor reply stating a new version has been released