A design flaw in the WordPress permission system used by plugins, combined with a file deletion vulnerability in the WooCommerce eCommerce plugin, can allow attackers to take complete control of a WordPress site.
WooCommerce is a popular WordPress plugin that adds eCommerce functionality to a blog, letting site owners host their own stores. It has more than 4 million active installations.
WordPress plugins that need their own user roles build on the WordPress permission system: they create new roles, assign them existing WordPress capabilities, and then rely on plugin functions to limit how those roles can interact with other users or settings in WordPress.
Simon Scannell, a researcher at the PHP security firm RIPS Tech, found that when WooCommerce is installed it creates a Shop Manager role that has the “edit_users” WordPress capability. This capability allows a user to edit ANY WordPress user, including the Administrator account.
Site owners do not want a plugin’s users to be able to edit the Administrators of the entire site, so WooCommerce added a function that prevents users in the Shop Manager role from editing users who are part of the Administrator role.
If the WooCommerce plugin is disabled, the function that limits which users a Shop Manager can edit is no longer loaded, and Shop Managers can edit users in the Administrator role. This is the flaw in the WordPress plugin/privilege system: the restriction lives in the plugin, while the capability it is meant to restrict lives in WordPress itself.
Disabling a plugin normally requires an Administrator account or deleting the files associated with the plugin. This is where a file deletion vulnerability discovered by RIPS Tech comes in.
File deletion vulnerability + WordPress design flaw
Using RIPS code analysis software, Scannell found a file deletion vulnerability in WooCommerce 3.4.5 and earlier. The flaw was in the plugin’s log deletion functionality, to which Shop Managers have access.
Using the vulnerability, a user in the Shop Manager role could escape the expected log folder by adding .. (parent-directory) sequences to the file name passed to the deletion function, so that files outside that folder could be deleted.
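As an added example (not WooCommerce’s or WordPress’s own code), this PHP routine shows the check a log deletion feature needs in order to stop the .. traversal described above: the requested name is confined to the log directory before anything is unlinked. The directory layout, the .log naming rule and the function name are assumptions made for the example.

```php
<?php
// Added example, not WooCommerce or WordPress code. Deletes a log file only
// if the request cannot leave the log directory.
function safe_delete_log(string $log_dir, string $requested): bool
{
    // Accept a bare file name only: any directory separator, traversal
    // component or NUL byte is rejected before the filesystem is touched.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpbrk($requested, "/\\\0") !== false) {
        return false;
    }
    // Assumed naming rule for log files; narrows the allow-list further.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\.log\z/', $requested)) {
        return false;
    }
    $base = realpath($log_dir);
    if ($base === false) {
        return false;
    }
    // realpath() resolves symlinks and ".." so the final location is known;
    // anything that does not exist or does not sit under $base is refused.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Constructed temporary layout: one log file inside the log directory and a
// stand-in "plugin file" one level up that must survive any deletion request.
$root = sys_get_temp_dir() . '/wc-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/logs', 0700, true);
file_put_contents($root . '/logs/sample.log', "constructed log line\n");
file_put_contents($root . '/plugin.php', "<?php // constructed stand-in\n");

// The traversal attempt is refused, the legitimate request succeeds, and the
// file outside the log directory is untouched.
var_dump(safe_delete_log($root . '/logs', '../plugin.php'));
var_dump(safe_delete_log($root . '/logs', 'sample.log'));
var_dump(file_exists($root . '/plugin.php'));
```

The same pattern applies to any plugin feature that takes a file name from a lower-privileged role: resolve the path, then verify it still lies inside the directory the feature is meant to manage.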
Once a plugin file was deleted this way, the plugin could no longer be loaded and WordPress disabled it. With the plugin disabled, a Shop Manager had full access to edit any user, including an Administrator account, and taking over an Administrator account gives the attacker complete control of the site.
To exploit this vulnerability, an attacker needs access to a user account in the Shop Manager role. The vulnerability, however, illustrates how the permission system for plugins can be abused through a bug that would not normally allow a site takeover.
This vulnerability was fixed on October 11th in WooCommerce version 3.4.6. WordPress can be configured to automatically update all plugins, but this is not enabled by default, so many users may still be running older, vulnerable versions of the WooCommerce plugin. It is therefore important that all users check the version of the installed plugin and, if it is older than version 3.4.6, upgrade to the latest version.