Wordpress security

Missing Authorization Check In wpCentral Plugin Leads To Multiple Vulnerabilities

Updated: December 8, 2020

wpCentral Plugin

The wpCentral plugin that has 50 000+ active users allows you to manage your sites on a single panel. It gives you the power to login to any website, install/delete/activate plugins, upload files and much more.

In versions 1.4.7 and below of this plugin, there’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege or alter/upload any file, or adjust any plugin and interact with the site in many other ways.

In wpcentral.php, we can see the lines of code below which register the AJAX actions.

if(is_user_logged_in()){
	add_action('wp_ajax_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_my_wpc_signon', 'my_wpc_signon');
	add_action('wp_ajax_my_wpc_fetch_authkey', 'wpc_fetch_authkey');
}else{
	add_action('wp_ajax_nopriv_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');
}

However, it’s only checking whether or not the user is logged in and not if the user is an administrator. Both my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request.

However, we can retrieve this authentication key by calling the wpc_fetch_authkey AJAX action which for obvious reasons does not require the authentication key to be present in the request as it will return the authentication key in the response.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The action my_wpc_signon would sign us in as an administrator (userid 1 in the database) as shown below.

function my_wpc_signon(){
    global $l, $error;
	
	//Authorize
	wpc_authorize();
	
	$user_info = get_userdata(1);
		
	// Automatic login //
	$username = $user_info->user_login;
	$user = get_user_by('login', $username );
	
	// Redirect URL //
	if (!is_wp_error($user)){
		wp_clear_auth_cookie();
		wp_set_current_user($user->ID);
		wp_set_auth_cookie($user->ID);

		$redirect_to = user_admin_url();
		wp_safe_redirect($redirect_to);

		exit();
	}
}

The AJAX action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.

After reaching out to wpCentral, they released a fixed version within 6 hours. The patch can be found here which shows that they added a current_user_can(‘administrator’) check to the AJAX hooks as shown below.

Timeline

24-01-2020 – Reported the vulnerability to the developer of the plugin.
24-01-2020 – Released the patch to all WebARX customers.
25-01-2020 – wpCentral released version 1.4.8 which fixes the issue.

Protect Websites Against Plugin Vulnerabilities

Start for free

We are closely monitoring the vulnerability and will update the article over-time with potential IOC and important threat information.

If you wish to stay updated about the vulnerabilities via social media, consider joining our Facebook community and follow us on Twitter

Wordpress security

Secure your websites like an expert - in under 3 minutes.

Try WebARX For Free

Get latest vulnerabilities directly to your inbox

30 000+ developers already benefit from our weekly newsletters.

suggested articles

Wordpress security

Why WordPress Sites Get Hacked?

WordPress security

Agnes
Talalaev

Wordpress security
Website security

11 Ways to Improve Your Web Application Security

Website security

Agnes
Talalaev

Website security
WebARX Product

A Detailed Guide To Add Security Headers For WordPress

Security headers

Agnes
Talalaev

WebARX Product
Wordpress security

Comprehensive WordPress Malware Removal Guide

WordPress malware removal

Oliver
Sild

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms:

PHP
WordPress
Magento
Drupal
Joomla