Finding WordPress plugin vulnerabilities is like shooting fish in a barrel.
With nearly a quarter of all websites on the Internet using WordPress, penetration tests against WordPress are naturally a large part of our business. I looked for a way to find previously unidentified vulnerabilities in WordPress plugins more easily, to support our testing methodology, and created a simple Python application, zeropress.
Unlike more comprehensive static code analysis tools, zeropress attempts to find vulnerabilities by looking for simple patterns in files. For example, if a line of code contains something resembling HTML markup that is directly concatenated with a variable from the $_GET array (which holds request parameters), there is a reasonable chance that the line presents a cross-site scripting (XSS) vulnerability. If a variable called “$sql” is being directly concatenated with a variable, there is a good chance that the code is vulnerable to SQL injection (SQLi).
The most serious vulnerability that a web application can have is remote code execution (RCE) – allowing an attacker to run their own code on your web site. As with the XSS and SQLi checks, zeropress looks for function calls capable of executing code: exec, popen, passthru, etc. If these are being used with a variable then they are a good starting point for finding remote code execution vulnerabilities. If the offending line also contains a reference to the $_GET array then this could mean that users can supply input directly to the script in order for it to be executed on the server.
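As an added illustration of the three pattern checks just described (this is not zeropress's own code, and its regexes are an assumption about what such a grep looks like), a minimal Python scanner run over a constructed PHP sample. Line 3 of the sample is the shell_exec line quoted later in this post; the lines after it are constructed guarded variants, showing that a pattern search still flags a sanitized sink and that triage of the candidates remains manual.

```python
import re

# Illustrative regexes in the spirit of the checks described above; they are not
# zeropress's own patterns (assumption), and like any grep they only find candidates.
EXEC_SINKS = r"\b(?:shell_exec|exec|system|passthru|popen|proc_open)\s*\("
REQUEST_VAR = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["
SANITIZERS = r"\b(?:escapeshellarg|escapeshellcmd|esc_html|esc_attr|intval|prepare)\s*\("
CHECKS = {
    # a code-execution sink whose argument list contains a PHP variable
    "RCE":  re.compile(EXEC_SINKS + r"[^;]*\$\w+"),
    # $sql concatenated ('.' or '.=') with a variable
    "SQLi": re.compile(r"\$sql\b[^;]*?\.=?\s*\$\w+"),
    # HTML markup inside a string literal joined directly to a request parameter
    "XSS":  re.compile(r"<[A-Za-z][^;]*?['\"]\s*\.\s*" + REQUEST_VAR),
}

def scan_source(source):
    """Return (line_no, check, request_controlled, sanitizer_seen) for each candidate line."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):  # skip obvious comment lines
            continue
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                tainted = re.search(REQUEST_VAR, line) is not None
                sanitized = re.search(SANITIZERS, line) is not None
                findings.append((no, name, tainted, sanitized))
    return findings

def triage(findings):
    """Order candidates for manual review: request-controlled and unsanitized first."""
    return sorted(findings, key=lambda f: (not f[2], f[3], f[0]))

# Constructed sample (not a real plugin). Line 3 is the shell_exec line quoted in
# this post; lines 4, 6 and 8 are constructed guarded counterparts of 3, 5 and 7.
SAMPLE = """<?php
// constructed sample for the scanner
$result = shell_exec('phantomjs --web-security=false --ssl-protocol=any server.js ' . $_GET['url'] );
$out = system('ls ' . escapeshellarg($dir));
$sql = "SELECT * FROM wp_posts WHERE ID = " . $_GET['id'];
$sql = $wpdb->prepare("SELECT * FROM wp_posts WHERE ID = %d", $id);
echo '<input name="q" value="' . $_GET['q'] . '">';
echo '<input name="q" value="' . esc_attr($_GET['q']) . '">';
"""

if __name__ == "__main__":
    for no, check, tainted, sanitized in triage(scan_source(SAMPLE)):
        print(f"line {no:>2}  {check:<4}  request-input={tainted}  sanitizer={sanitized}")
```

The escapeshellarg line is still reported, only ranked last: a pattern search cannot tell a guarded call from an unguarded one, which is why every hit needs a human read of the surrounding script and its authentication checks.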
A search of this sort by zeropress found a rogue line of code, apparently left in by accident, in a script on the application path of the “Landing Pages” plugin:

```php
$result = shell_exec('phantomjs --web-security=false --ssl-protocol=any server.js ' . $_GET['url'] );
```
Other operating system commands can simply be appended to the “url” parameter in order for them to be executed by the web server.
Found in a script that was not protected by any authentication, this line gives unauthenticated operating-system-level access to any attacker who visits the site. This would result in not just the entire WordPress installation being compromised, but the web application server as well. If this code were present on a corporate web server hosted on domain infrastructure, it would offer an easy-to-achieve foothold on the internal network.
This issue was present in versions 1.8.8 to 1.9.0 of Landing Pages and has now been resolved in the current version. I strongly advise all users of the Landing Pages plugin to upgrade to version 1.9.2 or above.
This vulnerability shows that even by taking a “dumb” approach to finding security vulnerabilities, the WordPress plugin ecosystem can still readily provide examples of dangerous coding errors.
The zeropress script can be used to aid code analysis of plugins on a WordPress installation (or simply to find a new zero-day) and is available on Nettitude’s GitHub.
Vulnerability Timeline
- 2015-08-18 – Identified issue, notified plugin author and applied for CVE
- 2015-08-19 – Plugin author publishes fix for issue
- 2015-08-21 – CVE-2015-5227 assigned
- 2015-09-30 – Vulnerability publicly disclosed