WordPress.org

Make WordPress Core

Opened 9 months ago

Last modified 2 weeks ago

#46705 new feature request

Harden WP core against "update option" endpoint vulnerabilities

Reported by: tsewlliw Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.2
Component: Options, Meta APIs Keywords:
Focuses: Cc:
PR Number:

Description

A fairly frequent problem is plugins failing to perform nonce and permission checks on endpoints servicing their admin pages. Following discovery of such a vulnerability it is usually very straightforward for an attacker to perform a large scale attack defacing or establishing persistent administrative access by modifying the options siteurl, default_role, users_can_register, and likely more.

I propose that all updates to these selected critical options in a web context warrant validating there has been a nonce verification and the current user has the capability to manage_options. This would force an attacker to follow a more difficult exploit path, potentially preventing large scale exploitation of these issues.

The goal I have in mind here is not to be bulletproof, just to defend against a seemingly common bug class.

Attachments (1)

safe-option-updates.php (1019 bytes) - added by tsewlliw 4 months ago.
PoC as an mu-plugin

Download all attachments as: .zip

Change History (2)

@tsewlliw
4 months ago

PoC as an mu-plugin

#1 @ottok
2 weeks ago

Hackers who find out a SQL injection often make users_can_register=1 and default_role=administrator (exampe https://www.slideshare.net/ottokekalainen/how-to-investigate-and-recover-from-a-security-breach-in-wordpress#29).

This issue is about nonces, which don't apply to SQL injections. My suggestion is to focus efforts on making the values of administrator and editor for default_role forbidden to begin with to close this avenue of security breaches. See https://core.trac.wordpress.org/ticket/43936#comment:12

Note: See TracTickets for help on using tickets.