Wordpress security

Missing Authorization Check In wpCentral Plugin Leads To Multiple Vulnerabilities


Updated: December 8, 2020

wpCentral Plugin

The wpCentral plugin that has 50 000+ active users allows you to manage your sites on a single panel. It gives you the power to login to any website, install/delete/activate plugins, upload files and much more.

In versions 1.4.7 and below of this plugin, there’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege or alter/upload any file, or adjust any plugin and interact with the site in many other ways.

In wpcentral.php, we can see the lines of code below which register the AJAX actions.

if(is_user_logged_in()){
	add_action('wp_ajax_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_my_wpc_signon', 'my_wpc_signon');
	add_action('wp_ajax_my_wpc_fetch_authkey', 'wpc_fetch_authkey');
}else{
	add_action('wp_ajax_nopriv_my_wpc_actions', 'my_wpc_actions_init');
	add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');
}

However, it’s only checking whether or not the user is logged in and not if the user is an administrator. Both my_wpc_actions_init and my_wpc_signon AJAX actions require a valid authentication key to be present in the request.

However, we can retrieve this authentication key by calling the wpc_fetch_authkey AJAX action which for obvious reasons does not require the authentication key to be present in the request as it will return the authentication key in the response.

Once we have the authentication key, we can call pretty much any function or action present in the wpCentral plugin. The action my_wpc_signon would sign us in as an administrator (userid 1 in the database) as shown below.

function my_wpc_signon(){
    global $l, $error;
	
	//Authorize
	wpc_authorize();
	
	$user_info = get_userdata(1);
		
	// Automatic login //
	$username = $user_info->user_login;
	$user = get_user_by('login', $username );
	
	// Redirect URL //
	if (!is_wp_error($user)){
		wp_clear_auth_cookie();
		wp_set_current_user($user->ID);
		wp_set_auth_cookie($user->ID);

		$redirect_to = user_admin_url();
		wp_safe_redirect($redirect_to);

		exit();
	}
}

The AJAX action my_wpc_actions along with the fileactions parameter would allow us to upload files to the server or execute any other function that is part of the wpCentral plugin.

After reaching out to wpCentral, they released a fixed version within 6 hours. The patch can be found here which shows that they added a current_user_can(‘administrator’) check to the AJAX hooks as shown below.

Timeline

24-01-2020 – Reported the vulnerability to the developer of the plugin.
24-01-2020 – Released the patch to all WebARX customers.
25-01-2020 – wpCentral released version 1.4.8 which fixes the issue.

Protect Websites Against Plugin Vulnerabilities

Start for free

We are closely monitoring the vulnerability and will update the article over-time with potential IOC and important threat information.

If you wish to stay updated about the vulnerabilities via social media, consider joining our Facebook community and follow us on Twitter

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms:

PHP
WordPress
Magento
Drupal
Joomla