Versions <=2.8.0 of the Ajax-load-more WordPress plugin rely upon an admin nonce for access control to functionality that allows the uploading of PHP templates. The plugin places the URL and admin nonce in the page source of the dashboard of every logged-in user. Non-admin users are able to use this URL and admin nonce with the alm_save_repeater action to upload arbitrary PHP code. The uploaded PHP code is accessible while logged out of WordPress, allowing remote code execution (RCE) via a PHP or reverse PHP shell.
Exploitation
Stages
- The attacker logs in to WordPress with non-admin user credentials.
- The attacker reads the Ajax-load-more nonce from index.php and uses it in an HTTP POST request to /wp-admin/admin-ajax.php with PHP code as data.
- The attacker is able to access and execute uploaded PHP code without being logged in to WordPress, achieving RCE.
Prerequisites
- The attacker must have the ability to log into the WordPress site as a user with any role.
- The attacker could request a subscriber account and use this to gain access and launch the attack.
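The root cause described above is a WordPress nonce being used as an authorization check. The following is an added illustration of that pattern and its fix; it is not the plugin's own code, and the handler names and the nonce action string are hypothetical (only the AJAX action name alm_save_repeater comes from the advisory).

```php
<?php
// Added illustration, not the plugin's code. Hypothetical function names and nonce action.
// A WordPress nonce is minted for whoever renders the page, so when the dashboard prints
// one for every logged-in user, a subscriber holds a nonce that passes verification. The
// nonce proves the request came from that user's own page load (CSRF protection); it says
// nothing about the user's role.

// Vulnerable pattern: the nonce is the only gate before a PHP template is written.
function example_save_repeater_vulnerable() {
    // check_ajax_referer() with $die = false returns false on a bad nonce instead of exiting.
    if ( ! check_ajax_referer( 'example_repeater_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Any authenticated user, including a subscriber, reaches this line.
    example_write_template( wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Hardened pattern: authorize with a capability check, then use the nonce only for CSRF.
function example_save_repeater_hardened() {
    // Authorization first: writing server-side templates is an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // CSRF protection second; with the default $die = true this exits on a bad nonce.
    check_ajax_referer( 'example_repeater_nonce', 'nonce' );
    example_write_template( wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// Register for logged-in users only; never hook the same handler on wp_ajax_nopriv_.
add_action( 'wp_ajax_alm_save_repeater', 'example_save_repeater_hardened' );

// Hypothetical persistence helper: stores the template as a non-executable option value
// rather than as a .php file under the web root, so a stored template cannot be fetched and
// executed anonymously even if an authorization bug recurs.
function example_write_template( $template ) {
    update_option( 'example_repeater_template', $template, false );
}
```

Reviewing handlers for this ordering (capability check present, nonce treated as CSRF-only, no nopriv hook) is the quickest way to find the same class of bug in other plugins.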
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.