7 Popular WordPress Plugins that Will Get Your Site Hacked

In the coming few weeks, a friend of mine and I will be running a set of seminars on infosec in preparation for Cactus Con. In the last of these we will basically be doing hands-on vulnerability training. I was charged with setting up the world’s most vulnerable WordPress install, which was almost as easy as installing WordPress itself. I decided that while I was setting up a WordPress install you could beat up, I might as well make a blog post about it, since most of the plugins that were vulnerable seem to have been downloaded tens, if not hundreds, of thousands of times!

(As a side note, this is all for research purposes, and I’m just trying to live my life, not hack the FBI)

Slider Revolution


This is a paid Envato plugin that is included in practically every theme you buy from Themeforest. It makes obnoxious sliders on almost every site a little bit easier to make obnoxious. The attack was done the same way that most attacks are done with WordPress installs, by including some variables in the URL to grab something you’re not supposed to be able to grab. If you knew the site was running Slider Revolution all you had to do was go to your shiny address bar and type this in:

http://vulnerablesite.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

The wp-config file is one of the most important files in WordPress: it holds database credentials and FTP credentials, which means that if an attacker gets this file, you’re hosed. This is a Local File Inclusion (LFI) hack and can be executed by attackers through a simple script that pings sites with GET requests for that particular URL. This was discovered back in September, but it is now February and I am still getting calls from people who have had their site compromised using this vulnerability. Envato is having a really hard time patching this bug.

More information about this vulnerability here
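The defensive side of the revslider_show_image bug is a containment check on the requested file name. The following is an added example, not code from the post or from the Slider Revolution plugin, and it models the check in Python rather than the plugin’s PHP: the handler resolves the request against the directory it is allowed to serve, refuses anything that lands outside it, and only serves image extensions. The directory layout, file names and the UnsafePath class are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Extension allowlist for an image-serving endpoint (constructed for this demo).
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


class UnsafePath(ValueError):
    """Raised when a requested file must not be served from this endpoint."""


def resolve_image(base_dir, requested: str) -> Path:
    """Map a user-supplied image name onto a file under base_dir, or refuse.

    Both paths are fully resolved (symlinks followed, '..' collapsed) before
    the containment test, so a traversal sequence such as ../wp-config.php
    cannot escape the directory. The extension allowlist additionally stops
    the endpoint from serving config or script files that live inside it.
    """
    base = Path(base_dir).resolve()
    # Drop leading separators so an absolute path cannot replace base.
    candidate = (base / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise UnsafePath(f"{requested!r} escapes {base}") from None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafePath(f"{requested!r} does not have an image extension")
    if not candidate.is_file():
        raise FileNotFoundError(candidate)
    return candidate


def demo() -> dict:
    """Build a throwaway WordPress-like layout and exercise the check."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "slide.png").write_bytes(b"\x89PNG constructed sample")
    (root / "wp-config.php").write_text("<?php // constructed stand-in\n")

    outcomes = {}
    for img in ("slide.png", "../../wp-config.php", "/etc/passwd",
                "slide.php", "missing.png"):
        try:
            outcomes[img] = resolve_image(uploads, img).name
        except (UnsafePath, FileNotFoundError) as exc:
            outcomes[img] = f"rejected: {type(exc).__name__}"
    return outcomes


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request:<22} -> {outcome}")
```

Resolving before comparing is the important part: a check on the raw string (for example, rejecting `..`) misses encoded or symlinked variants, while a check on the resolved path does not care how the escape was spelled.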

UpDraft Plus


UpDraft is a backup solution for your WordPress site that takes your site and migrates it to the cloud. It’s pretty popular (Downloads: 1,812,770) and actually super convenient. On February 3rd, it was discovered that you can add an admin_action to the URL, which results in the plugin printing out the ‘updraftplus-credentialtest-nonce’ nonce; that in turn allows the attacker to print out the phpinfo() page, which includes everything defined in wp-config.php (database credentials… again).

http://vulnerablesite.com/wp-admin/admin.php?action=upgrade-plugin

This will give you the updraftplus-credentialtest-nonce (a nonce is literally a “number used once”; it is a method of protecting yourself from malicious attackers and is generated in the code to verify, more or less, that you are who you say you are). From there you can use the generated nonce to grab the credentials stored in the ajax handler, and away you go!

http://vulnerablesite.com/wp-admin/admin.php?action=updraft_ajax_handler&nonce=xxxx

More Information about this vulnerability here

Fancybox for WordPress


I have a few sites that use fancybox and also a few sites that got malware recently; correlation = causation? Apparently so. This was just reported today, so I thought I’d mention it. It all started with this forum post.

I was going to discuss how to actually inject malware into fancybox, but I’ll gloss over it because apparently Fancybox isn’t interested in patching their plugin. To put it simply, it’s the same URL variable attack that you’ve been seeing:

http://vulnerablesite.com/wp-admin/admin-post.php?page=fancybox-for-wordpress?action=update....

The update action will allow you to do a quick and easy injection of code into fancybox; this has been used for malware attacks in the past few days. (Edit: it seems like in the past two hours they have actually updated the plugin so it’s secure, so I might come back and finish writing out the attack.)

Please note that fancybox.js is not fancybox-for-wordpress, they’re totally different.

More information for this here

Easy Media Gallery


Easy Media Gallery is such a gorgeous plugin; I use it a lot, and so do a lot of other people. It has had a whole host of vulnerabilities these past couple of years, most due to its administrative functions being open to literally everyone. The lack of nonces (which we discussed earlier) allows any user to execute those functions and escalate themselves to admin. The AJAX function below opens itself up to attack, but it’s just one of many that can be used as a vector for a cross-site scripting attack.

http://vulnerablesite.com/wp-admin/admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl=executescriptyouwanthere

This was first reported here, and there’s also a nice proof-of-concept script. I think this is patched, but given the history of this plugin, it’ll be a matter of months before yet another vulnerability is discovered.

WP Ultimate CSV Importer


I grabbed this one because I absolutely hate these types of plugins. I can’t think of anything better to go after than a plugin that’s going to be mucking around in your database directly. Essentially, anyone under the sun can run the export script and, with a simple POST to the export.php script, pull all of your users out of your WordPress database.

http://vulnerablesite.com/wp-content/plugins/wp-ultimate-csv-importer/modules/export/templates/export.php

is the URL you’ll want to request from and you’ll just pass a POST request for the following:

"export":"users"

It’ll return all the users and their hashed passwords. This was patched unsuccessfully once, but it has been patched in the most recent version.

More info about this vulnerability here

All-In-One WP Security Plugin


I think out of all the WordPress vulnerabilities, SQL injections remain my favorite because they’re so common. It’s only been recently that contact forms have begun sanitizing queries; Contact Form 7 was for the longest time the biggest pain in my rear because you could easily drop the database with the Name field. This one is a little trickier, but I thought it was ironic because it’s a security plugin, so I’d include it. Essentially the All in One Security plugin did not sanitize queries at all, which allowed the attacker to do a SQL injection through a GET request.

http://vulnerablesite.com/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=

The orderby variable was not sanitized, which allows you to inject directly into the database as long as you remember to convert your ASCII to HTML codes, which is a given.

More info about this here
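An orderby parameter is a special case of injection because it is an identifier, not a value: prepared-statement placeholders (sqlite3’s `?`, or `$wpdb->prepare()` in WordPress) cannot be used for a column name, so the only safe option is to map the user’s sort key onto a fixed list of columns. The following is an added example, not code from the post or from the All In One WP Security plugin, written in Python against an in-memory SQLite stand-in for the wp_users table; the sort keys, the rows and the two tampered inputs are constructed.

```python
import sqlite3

# Public sort keys -> real column names. Raw input never reaches the SQL text;
# only a value from this dictionary does.
ALLOWED_ORDERBY = {"id": "ID", "login": "user_login", "registered": "user_registered"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}


def build_user_query(orderby: str, order: str = "asc") -> str:
    """Build the ORDER BY clause from an allowlist, never from raw input.

    Placeholders protect values only; identifiers and the sort direction
    have to be validated like this instead.
    """
    column = ALLOWED_ORDERBY.get(orderby.strip().lower())
    direction = ALLOWED_ORDER.get(order.strip().lower())
    if column is None or direction is None:
        raise ValueError(f"unsupported sort parameters: {orderby!r}, {order!r}")
    return f"SELECT ID, user_login FROM wp_users ORDER BY {column} {direction}"


def sorted_logins(conn, orderby: str, order: str = "asc") -> list:
    """Run the allowlisted query and return the logins in the requested order."""
    return [row[1] for row in conn.execute(build_user_query(orderby, order))]


def demo() -> dict:
    """In-memory stand-in for wp_users with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "admin", "2014-09-01"),
        (2, "editor_bob", "2015-01-15"),
        (3, "alice", "2014-12-02"),
    ])
    outcomes = {
        "login_desc": sorted_logins(conn, "login", "desc"),
        "registered_asc": sorted_logins(conn, "registered"),
    }
    # Anything that is not one of the advertised keys is refused before any SQL is built.
    for raw in ("user_login;x", "rand()"):
        try:
            sorted_logins(conn, raw)
            outcomes[raw] = "executed"
        except ValueError:
            outcomes[raw] = "rejected"
    return outcomes


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key:<16} -> {result}")
```

The same shape applies to the plugin’s PHP: look the request parameter up in a fixed array and fall back to a default column when it is absent, rather than escaping the string and interpolating it.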

WordPress Download Manager


Another case of anyone in the world being able to execute a sensitive function from within WordPress. This one’s developer is actually what made me think to include it. He’s hilarious.

[Screenshot: the developer’s replies to one-star reviews]

Okay, so let’s talk about the vulnerability instead (but seriously, his responses to the one-star reviews bring me life). There is a wpdm_ajax_call_exec() function, and within that function they allow the POST to execute, which means that any user can do whatever they want within the context of the ajax_call_exec function. This would allow an attacker to generate the nonce required to execute higher admin functions. Once the nonce is generated, the attacker can do whatever he wants. The one Sucuri mentioned was uploading a payload into the admin directory and executing it. Let’s walk through this super quick.

http://vulnerablesite.com/wp-admin/admin.php?action=wpdm_ajax_call&execute=maliciousfunctiongoeshere

Homelab.it did a nice proof-of-concept script (and video) using this exploit to add a user to WordPress, so using this handy dandy exploit script you just run it against the target site:

python wp_download_manager_274_add_admin.py -t http://targetsite.com

and now you’re an admin on the target site!
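Three of the plugins above (UpdraftPlus, Easy Media Gallery and Download Manager) share one root cause: a nonce was either missing or handed to anyone who asked, and a valid nonce was then treated as permission to run an admin function. The following is an added example, not code from the post or from any of the plugins, and it models the idea in Python rather than WordPress PHP: a nonce is an HMAC over a time window, an action and a user id, and the hardened handler checks it (that is the CSRF defence) and then separately checks the caller’s capability (that is the authorisation). The secret, the timestamp, the action name, the role table and the two handler functions are all constructed for the demo, and the nonce scheme is a simplified model of wp_create_nonce()/wp_verify_nonce(), not a reimplementation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret standing in for WordPress's NONCE_KEY / NONCE_SALT.
NONCE_SECRET = b"constructed-demo-secret-not-for-real-use"
NONCE_LIFE = 24 * 60 * 60  # nonces live at most a day, across two 12h windows


def nonce_tick(now: float) -> int:
    """Current 12-hour window number (simplified model of wp_nonce_tick())."""
    return int(now // (NONCE_LIFE / 2))


def _digest(tick: int, action: str, user_id: int) -> str:
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(NONCE_SECRET, msg, hashlib.sha256).hexdigest()[:10]


def create_nonce(action: str, user_id: int, now: float) -> str:
    """Nonce bound to one action and one user id for the current window."""
    return _digest(nonce_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: float) -> bool:
    """Accept the current window and the previous one, like wp_verify_nonce()."""
    tick = nonce_tick(now)
    return any(hmac.compare_digest(_digest(t, action, user_id), nonce)
               for t in (tick, tick - 1))


# Role -> capabilities, trimmed to what the demo needs (constructed).
CAPABILITIES = {
    "administrator": {"manage_options", "upload_files"},
    "subscriber": {"read"},
    "anonymous": set(),
}


@dataclass
class User:
    id: int  # 0 is WordPress's user id for a visitor who is not logged in
    role: str


def handle_ajax_nonce_only(action, params, user, now):
    """The weak pattern: a valid nonce is treated as authorisation."""
    if not verify_nonce(params.get("nonce", ""), action, user.id, now):
        return {"status": 403, "error": "bad nonce"}
    return {"status": 200, "result": f"{action} ran for user {user.id}"}


def handle_ajax_hardened(action, params, user, now, needs="manage_options"):
    """Nonce check (CSRF) plus an independent capability check (authorisation)."""
    if not verify_nonce(params.get("nonce", ""), action, user.id, now):
        return {"status": 403, "error": "bad nonce"}
    if needs not in CAPABILITIES[user.role]:
        return {"status": 403, "error": "insufficient capability"}
    return {"status": 200, "result": f"{action} ran for user {user.id}"}


def demo(now: float = 1_423_170_000.0) -> dict:
    """Constructed scenarios; the action name is hypothetical."""
    action = "credential_test"
    admin, visitor = User(1, "administrator"), User(0, "anonymous")
    admin_nonce = create_nonce(action, admin.id, now)
    # A page that prints its nonce to anyone hands the visitor a valid token.
    leaked_visitor_nonce = create_nonce(action, visitor.id, now)
    return {
        "admin_own_nonce":
            handle_ajax_hardened(action, {"nonce": admin_nonce}, admin, now)["status"],
        "visitor_leaked_nonce_weak":
            handle_ajax_nonce_only(action, {"nonce": leaked_visitor_nonce}, visitor, now)["status"],
        "visitor_leaked_nonce_hardened":
            handle_ajax_hardened(action, {"nonce": leaked_visitor_nonce}, visitor, now)["error"],
        "visitor_replaying_admin_nonce":
            handle_ajax_hardened(action, {"nonce": admin_nonce}, visitor, now)["error"],
        "admin_stale_nonce":
            handle_ajax_hardened(action, {"nonce": admin_nonce}, admin, now + NONCE_LIFE + 1)["error"],
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:<32} {outcome}")
```

The scenario to look at is `visitor_leaked_nonce_weak`: once a nonce has been printed to a logged-out visitor, the nonce-only handler happily runs the privileged action, which is exactly the chain described for UpdraftPlus and Download Manager. The hardened handler refuses the same request because the capability check does not depend on the nonce at all; in WordPress terms that is `check_ajax_referer()` followed by `current_user_can()`.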

What can I do to prevent my site from being hacked?

I did all this research for a workshop on h4xx0rs, but honestly, keeping your plugins up to date, making sure your plugin developers respond to vulnerability reports, and following some security resources is all you need. Plugins make great attack vectors because anyone can make them!

Definitely keep an eye on Sucuri’s blog and Twitter; I see their representatives crawling all over WordPress forums for the latest problems that anyone running a WordPress install might encounter.

This WordPress Vulnerability Database is definitely one I have on my RSS feed reader to keep on top of things.

WordPress is hella insecure; people literally laugh at me when I tell them a major part of my job is making sure my clients don’t get hacked. WordPress and security have never been in the same sentence together, so it’s up to us as administrators of this monstrosity of a CMS to constantly be alert.
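Besides patching, a site administrator can check whether any of the request shapes in this post have already hit their server, since every one of them leaves a recognisable line in the web server access log. The following is an added example, not code from the post, that parses combined-format log lines and flags the request patterns discussed above; the rule names are mine, the sample log is constructed (documentation IP ranges, made-up timestamps and user agents), and the rules are heuristics to be tuned for a real site rather than a signature set.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format, capturing only the fields the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IDENT_RE = re.compile(r"[A-Za-z0-9_]*")  # what a sane orderby value looks like

# (rule name, predicate over method, path, parsed query). The request shapes
# follow the ones described in the post; the names are constructed.
RULES = [
    ("revslider traversal read",
     lambda m, p, q: p.endswith("/admin-ajax.php")
     and q.get("action") == ["revslider_show_image"]
     and any(".." in v for v in q.get("img", []))),
    ("updraftplus ajax handler",
     lambda m, p, q: p.endswith("/admin.php")
     and q.get("action") == ["updraft_ajax_handler"]),
    ("fancybox settings update",
     lambda m, p, q: p.endswith("/admin-post.php")
     and any("fancybox-for-wordpress" in v for v in q.get("page", []))),
    ("easy media gallery imgresize",
     lambda m, p, q: any("easymedia_imgresize_ajax" in v for v in q.get("action", []))),
    ("csv importer export",
     lambda m, p, q: m == "POST"
     and p.endswith("/wp-ultimate-csv-importer/modules/export/templates/export.php")),
    ("aiowps orderby tampering",
     lambda m, p, q: q.get("page") == ["aiowpsec"]
     and any(not IDENT_RE.fullmatch(v) for v in q.get("orderby", []))),
    ("download manager ajax exec",
     lambda m, p, q: q.get("action") == ["wpdm_ajax_call"] and "execute" in q),
]


def scan(lines):
    """Return one hit per (line, rule) with the client IP and the raw target."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, pred in RULES:
            if pred(m["method"], parts.path, query):
                hits.append({"rule": name, "ip": m["ip"], "target": m["target"]})
    return hits


def by_ip(hits):
    """Count hits per client, the quickest way to spot a scanner."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


# Constructed sample; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Feb/2015:13:53:37 -0700] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Feb/2015:13:54:01 -0700] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide.jpg HTTP/1.1" 200 51210 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Feb/2015:13:54:07 -0700] "GET /wp-admin/admin.php?action=updraft_ajax_handler&nonce=0123456789 HTTP/1.1" 200 812 "-" "curl/7.38.0"
198.51.100.9 - - [05/Feb/2015:13:55:27 -0700] "POST /wp-content/plugins/wp-ultimate-csv-importer/modules/export/templates/export.php HTTP/1.1" 200 44120 "-" "python-requests/2.5.1"
198.51.100.9 - - [05/Feb/2015:13:56:27 -0700] "GET /wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=user_login%3Bx HTTP/1.1" 200 9021 "-" "python-requests/2.5.1"
203.0.113.5 - - [05/Feb/2015:13:57:00 -0700] "GET /wp-admin/admin.php?action=wpdm_ajax_call&execute=somefunction HTTP/1.1" 200 133 "-" "curl/7.38.0"
192.0.2.44 - - [05/Feb/2015:13:58:12 -0700] "GET /index.php HTTP/1.1" 200 18802 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h['ip']:<14} {h['rule']:<30} {h['target']}")
    print(by_ip(found))
```

Two of the rules (UpdraftPlus and Fancybox) will also match an administrator doing legitimate work, so a hit on its own is a lead, not a verdict: correlate it with whether that IP also had a logged-in session, and treat a 200 response on the revslider or export.php lines as a sign that wp-config.php or the user table should be considered exposed.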

Edit: All of these bugs had been patched before I posted this article; it is illegal to report 0-days without giving the software creator/manufacturer notice and time to patch before reporting. In all of the “Read More” links you can see either which version is patched (to make sure the plugin on your install is patched) or when they expect to release the fix.

21 Comments

  1. This article is great just for the featured image alone! Then it was also super informative and witty along the way. Then I found out at the end that you’re a “developer unicorn”!?!?! Mind blown! Great blog, will be following. Thanks!

  2. Cover image: mind blown!
    Working on admin-side ajax-y stuff, this article definitely made me try to be extra careful.
    Thanks!

  3. Wow, I never thought that all these plugins had these vulnerabilities. Although, I didn’t use every one of them, I did use a few of them in all these years. It looks like I’m just plain lucky, that nobody tried to hack my blog when I was using these plugins.

  4. With one exception the exploit URLs call up something in wp-admin and some part of the offending plugin. Would I be right in thinking that a setup which uses an alternative path instead of wp-admin would therefore not be vulnerable, provided the attacker doesn’t know or guess the correct path?

    • A lot of these definitely rely on basic installs of wordpress. I know setting up wordpress with the roots method moves wordpress out of the default /wp-admin/ directory and into wp/wp-admin but a quick look into a robots.txt file automatically generated by wordpress would give you the correct location of the admin dashboard. However, a big subset of wordpress attacks are done by scripts that do GET requests to the basic http://yoururl.com/wp-admin/… to find an opening. So you’d be correct in assuming it is more secure but not by much.

      Moving the wp-config up one level is a good easy way to protect yourself from being easy prey too.

  5. Thanks a lot for this information! Had to deactivate one plugin… :(

    UpdraftPlus is already patched, maybe you could add it into your article. And the screenshot shows the newest, patched version – this was really confusing to me. I thought that if you write about a vulnerability, you show the version that has it.

    • Ah! I’m sorry for the confusion, it gives patch notes and more in the link following my little write up :)

        • All of these bugs are patched in the most recent version of the plugin. It is illegal to report 0-days (especially how to exploit them) without the plugin author knowing them.

          • That’s a thing I didn’t know, thank you! Maybe, for noobs like me, you could mention that all these bugs are fixed? Just an idea. Thank you!

          • I’m sorry >.< I didn’t mean to cause confusion, I edited my blog post so it’s a little more clear :) Happy WordPressing

          • I think I’m wary of disclosing security risks because I’ve had a few friends go to jail because of it. It might not be illegal, but a lot of notable hackers now-a-days are getting hit with the book when they do. It’s best to err on the side of caution :)

  6. I am looking to use WordPress Download Manager. Is this plugin safe now to use with wordpress 4.1.1?

    Please help me.

    • WordPress Download Manager is secure now :) Feel free to use it, but make sure to update all your plugins regularly ^_^

  7. Hi,
    I’m the developer of the All In One WP Security plugin and I can definitely confirm that the issues you pointed out in your article regarding the SQL injection vulnerabilities were addressed a while back.
