Make WordPress Core

Opened 2 years ago

Last modified 2 years ago

#56729 new defect (bug)

Vulnerability in plugin update notification (impersonation of plugins with possible RCE)

Reported by: sylm87
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Plugins
Keywords: has-screenshots close
Focuses: administration
Cc:

Description

During the development of a private plugin (not uploaded to the WordPress market https://es.wordpress.org/plugins/) with our own metadata, we noticed that the WordPress plugin update notification system informs us that an update is available for our plugin. How is this possible?

Well, the only explanation for this is that the update review system is based solely on the plugin's folder name, ignoring any authorship metadata and project URIs.

To make sure that the update system is evidently ignoring any data in the plugin's metadata, we proceed to download it (the plugin). This confirms our suspicions: the update system is only governed by the name of a directory.

Due to this lack of security in the metadata check, the only solution so far is to never activate the auto-update and to manually check each update.

If you click on the "update now" link, the system will install the possibly malicious plugin without any confirmation.

Criticality:
HIGH [8.8] - Exploitation of this vulnerability would affect the server in remote code execution (RCE) mode. It is downgraded from critical to high because it requires human action on plugin configuration.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected environments:
All installations with custom plugins that are not in the official WordPress marketplace.
Aggravated if the unattended updater is accidentally activated.
If a maintenance technician is unaware of the custom plugin development and hits the update button.

Conclusion:
As there is no signature checking system in the plugin update review system, there is a possibility of impersonation of our plugin if an attacker created a plugin in the official market with the same name as the directory of our custom plugin, being able to execute remote code on our server.

Temporary solution:
Disable the automatic update systems and generate a plugin page with a <name X> so that no one can take that name to perform the impersonation.

Taking today as the warning, we proceed to request a CVE ID for the formal vulnerability write-up.

Change History (1)

#1 @audrasjb
2 years ago

  • Keywords close added; needs-patch removed
  • Severity changed from critical to normal
  • Version 6.0.2 deleted

Hello,

Thank you for opening this ticket and welcome to WordPress Core Trac.

First, you should have read the message concerning security issues when you submitted this ticket: please do not report security issues here, but rather report them on the WordPress HackerOne program.

By the way, the issue raised in this ticket was fixed a while ago. You're simply "doing it wrong" :)
You should use the Update URI header introduced in WordPress 5.8.
For more information: https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Last edited 2 years ago by audrasjb
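
An added example, not part of the ticket or of WordPress itself: a Python audit a site maintainer could run over a plugins directory to list plugins whose main file lacks the Update URI header named in the reply above. The function names, the 8 KB header window and the two sample plugins are assumptions made for this example; the sample data is constructed.

```python
import re
import tempfile
from pathlib import Path

HEADER_BYTES = 8192  # assumption: WordPress reads headers from the first 8 KB of a file


def read_header(php_file, name):
    """Return the value of a plugin header such as 'Update URI', or None if absent."""
    head = php_file.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
    match = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.M | re.I)
    if match is None:
        return None
    # Drop a comment terminator that shares the line with the value.
    return re.sub(r"\s*(?:\*/|\?>).*$", "", match.group(1)).strip()


def audit_plugins(plugins_dir):
    """Return (folder_slug, plugin_name, update_uri) per plugin; update_uri is None when unset."""
    findings = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        for php_file in sorted(folder.glob("*.php")):
            plugin_name = read_header(php_file, "Plugin Name")
            if plugin_name:  # the first file carrying a Plugin Name header is the main file
                update_uri = read_header(php_file, "Update URI") or None
                findings.append((folder.name, plugin_name, update_uri))
                break
    return findings


def demo():
    """Audit a constructed plugins tree: one private plugin without the header, one with it."""
    samples = {  # constructed sample data, not real plugins
        "acme-tools": "<?php\n/**\n * Plugin Name: Acme Internal Tools\n * Version: 1.0\n */\n",
        "acme-billing": "<?php\n/*\nPlugin Name: Acme Billing\n"
                        "Update URI: https://example.com/acme-billing/\n*/\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for slug, source in samples.items():
            (Path(root) / slug).mkdir()
            (Path(root) / slug / (slug + ".php")).write_text(source, encoding="utf-8")
        return audit_plugins(root)


if __name__ == "__main__":
    for slug, name, update_uri in demo():
        state = update_uri or "NO Update URI: update checks match on the folder name"
        print(f"{slug:15} {name:22} {state}")
```

Every row reported without an Update URI is a plugin whose update notifications depend only on its folder name, which is the condition the ticket describes.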