WordPress.org

Make WordPress Core

Opened 7 months ago

#46705 new feature request

Harden WP core against "update option" endpoint vulnerabilities

Reported by: tsewlliw Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2
Component: Options, Meta APIs Keywords:
Focuses: Cc:
PR Number:

Description

A fairly frequent problem is plugins failing to perform nonce and permission checks on endpoints servicing their admin pages. Following discovery of such a vulnerability, it is usually very straightforward for an attacker to perform a large-scale attack, defacing or establishing persistent administrative access by modifying the options siteurl, default_role, users_can_register, and likely more.

I propose that all updates to these selected critical options in a web context warrant validating that there has been a nonce verification and the current user has the capability to manage_options. This would force an attacker to follow a more difficult exploit path, potentially preventing large-scale exploitation of these issues.

The goal I have in mind here is not to be bulletproof, just to defend against a seemingly common bug class.

Attachments (1)

safe-option-updates.php (1019 bytes) - added by tsewlliw 2 months ago.
PoC as an mu-plugin


Change History (1)

@tsewlliw
2 months ago

PoC as an mu-plugin
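
One way the proposed guard could look as an mu-plugin. This is an added illustration, not the attached safe-option-updates.php and not WordPress core code; every `example_` name is hypothetical, and it assumes that a successful `check_admin_referer()` or `check_ajax_referer()` call earlier in the request counts as "a nonce verification".

```php
<?php
/**
 * Plugin Name: Guard critical option updates (illustrative example)
 */

// Options named in the ticket; the list is an assumption and can be extended.
const EXAMPLE_GUARDED_OPTIONS = array( 'siteurl', 'default_role', 'users_can_register' );

// Becomes true once core reports a successful nonce check in this request.
$GLOBALS['example_nonce_verified'] = false;

function example_record_nonce_check( $action, $result ) {
	// Core passes the verification result (false, 1 or 2) as the second argument.
	if ( $result ) {
		$GLOBALS['example_nonce_verified'] = true;
	}
}
// Limitation: code that calls wp_verify_nonce() directly fires neither action.
add_action( 'check_admin_referer', 'example_record_nonce_check', 10, 2 );
add_action( 'check_ajax_referer', 'example_record_nonce_check', 10, 2 );

function example_is_web_context() {
	// WP-CLI, cron and the installer have no nonce to verify; leave them alone.
	if ( defined( 'WP_CLI' ) && WP_CLI ) {
		return false;
	}
	return ! ( wp_doing_cron() || wp_installing() );
}

function example_guard_option_update( $value, $old_value, $option ) {
	if ( ! example_is_web_context() ) {
		return $value;
	}
	// Fail closed if the user API is not loaded yet (very early in bootstrap).
	$authorized = function_exists( 'wp_get_current_user' )
		&& $GLOBALS['example_nonce_verified']
		&& current_user_can( 'manage_options' );
	if ( $authorized ) {
		return $value;
	}
	error_log( sprintf( 'Blocked unverified update of option "%s"', $option ) );
	// Returning the old value makes update_option() a no-op that returns false.
	return $old_value;
}

foreach ( EXAMPLE_GUARDED_OPTIONS as $example_option ) {
	add_filter( "pre_update_option_{$example_option}", 'example_guard_option_update', 10, 3 );
}
```

The core Settings screens call `check_admin_referer()` before saving, so legitimate changes pass, while a plugin endpoint that skips both the nonce and the capability check leaves the guarded options unchanged and produces a log line.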
