Opened 6 years ago
Last modified 5 years ago
#46705 new feature request
Harden WP core against "update option" endpoint vulnerabilities
Reported by: | tsewlliw | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.2 |
Component: | Options, Meta APIs | Keywords: | |
Focuses: | | Cc: | |
Description
A fairly frequent problem is plugins failing to perform nonce and permission checks on endpoints servicing their admin pages. Following discovery of such a vulnerability it is usually very straightforward for an attacker to perform a large scale attack defacing or establishing persistent administrative access by modifying the options siteurl, default_role, users_can_register, and likely more.
I propose that all updates to these selected critical options in a web context warrant validating there has been a nonce verification and the current user has the capability to manage_options. This would force an attacker to follow a more difficult exploit path, potentially preventing large scale exploitation of these issues.
The goal I have in mind here is not to be bulletproof, just to defend against a seemingly common bug class.
Attachments (1)
Change History (2)
#1 @ 5 years ago
Hackers who find out a SQL injection often make users_can_register=1 and default_role=administrator (example https://www.slideshare.net/ottokekalainen/how-to-investigate-and-recover-from-a-security-breach-in-wordpress#29).
This issue is about nonces, which don't apply to SQL injections. My suggestion is to focus efforts on making the values of administrator and editor for default_role forbidden to begin with to close this avenue of security breaches. See https://core.trac.wordpress.org/ticket/43936#comment:12
PoC as an mu-plugin
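The following mu-plugin is an added example of what the ticket description and comment #1 are asking for, written for this discussion; it is not the attached PoC and not WordPress core code. It combines both proposals: in a web context, writes to siteurl, default_role and users_can_register are dropped unless the current user has manage_options and core has verified a nonce on the request, and default_role can never be set to administrator or editor at all. The `cog_` function names and the `critical-option-guard` log prefix are assumptions of this example. Two caveats built into it: a "nonce verified" signal is only available when a plugin goes through check_admin_referer() or check_ajax_referer() (which fire the core actions of the same name); a plugin that calls wp_verify_nonce() directly is not seen, and REST requests are treated as already nonce-checked because core's cookie authentication rejects bad nonces before any callback runs.

```php
<?php
/**
 * Plugin Name: Critical Option Guard (added example)
 *
 * Drop into wp-content/mu-plugins/. Hypothetical code written for this
 * ticket discussion; not the attached PoC and not WordPress core.
 */

// Options the ticket description names as worth protecting.
const COG_CRITICAL_OPTIONS = array( 'siteurl', 'default_role', 'users_can_register' );

// Roles that must never become the default for new registrations (comment #1).
const COG_FORBIDDEN_DEFAULT_ROLES = array( 'administrator', 'editor' );

/** Remember that core verified a nonce during this request. */
function cog_record_nonce_check( $action, $result ) {
    // check_admin_referer()/check_ajax_referer() pass false when verification failed.
    if ( false !== $result ) {
        $GLOBALS['cog_nonce_verified'] = true;
    }
}
add_action( 'check_admin_referer', 'cog_record_nonce_check', 10, 2 );
add_action( 'check_ajax_referer', 'cog_record_nonce_check', 10, 2 );

/**
 * Was a nonce verified on this request? REST requests count as verified:
 * core's cookie auth rejects bad nonces and logs out nonce-less requests
 * before any callback runs (assumption: nothing bypasses that).
 */
function cog_nonce_verified() {
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        return true;
    }
    return ! empty( $GLOBALS['cog_nonce_verified'] );
}

/** Ordinary web request, as opposed to WP-CLI, WP-Cron or the installer. */
function cog_is_web_context() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return false;
    }
    if ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) {
        return false;
    }
    return ! wp_doing_cron();
}

/** Leave a trace for incident response when a write is refused. */
function cog_log_block( $option, $value, $reason ) {
    error_log( sprintf(
        'critical-option-guard: blocked update of %s to "%s" (%s) uid=%d uri=%s',
        $option,
        is_scalar( $value ) ? $value : wp_json_encode( $value ),
        $reason,
        get_current_user_id(),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
}

/**
 * pre_update_option_{$option} filter. Returning $old_value makes update_option()
 * see "no change" and return false, so the write never reaches the database.
 */
function cog_guard_critical_option( $value, $old_value, $option ) {
    // Comment #1: a privileged default role is never acceptable, whoever asks.
    if ( 'default_role' === $option && in_array( $value, COG_FORBIDDEN_DEFAULT_ROLES, true ) ) {
        cog_log_block( $option, $value, 'forbidden default_role' );
        return $old_value;
    }
    // Ticket description: the remaining checks apply to web requests only.
    if ( ! cog_is_web_context() ) {
        return $value;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        cog_log_block( $option, $value, 'caller lacks manage_options' );
        return $old_value;
    }
    if ( ! cog_nonce_verified() ) {
        cog_log_block( $option, $value, 'no nonce verified on this request' );
        return $old_value;
    }
    return $value;
}

foreach ( COG_CRITICAL_OPTIONS as $cog_option ) {
    add_filter( "pre_update_option_{$cog_option}", 'cog_guard_critical_option', 10, 3 );
}
```

Settings > General keeps working because options.php calls check_admin_referer() before update_option(), which sets the flag; a plugin endpoint that skips both the capability check and the nonce check produces a logged, refused write instead of a changed siteurl or default_role. Exempting WP-CLI and cron matches the ticket's "in a web context" wording; the default_role rule is deliberately unconditional, as comment #1 suggests.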