WordPress "Simple Social Buttons" Plugin Vulnerability Allow Website Takeover
Last updated September 23, 2021
In a recent internal audit of the WP Fastest Cache plugin, Jetpack found two vulnerabilities. The first is an authenticated SQL injection, and the second a stored XSS (Cross-Site Scripting) reachable via Cross-Site Request Forgery (CSRF).
Attackers could use the SQL injection bug to access sensitive information and extract database entries from any affected site; the vulnerability could give them admin-level access and site-wide freedom for data extraction. However, it is only exploitable if the classic-editor plugin is installed and active on the website.
The plugin's author has been informed of these vulnerabilities and has released version 0.9.5 to fix them.
The first SQL injection vulnerability (CVE-2021-24869) is explained in the code snippet below:
public static function set_urls_with_terms(){
    global $wpdb;
    // static::$id is concatenated straight into the query string instead of being bound as a parameter
    $terms = $wpdb->get_results("SELECT * FROM `".$wpdb->prefix."term_relationships` WHERE `object_id`=".static::$id, ARRAY_A);
    foreach ($terms as $term_key => $term_val){
        static::set_term_urls($term_val["term_taxonomy_id"]);
    }
}
The set_urls_with_terms method concatenates static::$id directly into an SQL query. Logged-in users can place arbitrary values in that property through the SinglePreloadWPFC::set_id() method, which is executed when the admin_notices WordPress action runs.
public static function set_id(){
    if(isset($_GET["post"]) && $_GET["post"]){
        // esc_sql() escapes quotes for string context only; it does not make an unquoted numeric value safe
        static::$id = esc_sql($_GET["post"]);
        // get_post_status() casts the value to an integer internally, so this check passes for "1234 OR 1=1"
        if(get_post_status(static::$id) != "publish"){
            static::$id = 0;
        }
    }
}
While set_id uses get_post_status() to check that the supplied ID refers to an existing, published post, this does not guarantee that the ID is used unchanged afterwards. get_post_status() calls get_post() internally, which casts the ID it receives to an integer before looking the post up in the database.
In other words, if the ID provided is 1234 OR 1=1, get_post_status() retrieves the status of the post whose ID is 1234, but the full string 1234 OR 1=1 is what gets concatenated into the vulnerable SQL query in SinglePreloadWPFC::set_urls_with_terms().
The second vulnerability (CVE-2021-24869), a stored XSS reachable via CSRF, is explained below:
The CdnWPFC::save_cdn_integration() method is used by the wp_ajax_wpfc_save_cdn_integration AJAX action to set CDN-specific options. The function does check the request sender's access rights with current_user_can() and related functions, so only users permitted to change these settings can do so; it does not, however, verify that the user actually intended to send the request, which is what a nonce check provides.
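The two fixes these paragraphs call for, as an added example that is not the plugin's own 0.9.5 patch: bind the post ID with an integer placeholder instead of concatenating it, and require a nonce in the AJAX handler alongside the capability check. The class name, the nonce action name and the 'nonce' request field are assumptions.

```php
<?php
// Added example (not WP Fastest Cache's own fix): hardened forms of the two
// patterns discussed above, built only from standard WordPress APIs.

class SinglePreloadWPFC_Hardened {
    public static $id = 0;

    public static function set_id() {
        if ( isset( $_GET['post'] ) && $_GET['post'] ) {
            // absint() casts to a non-negative integer, so a value such as
            // "1234 OR 1=1" becomes 1234 and never reaches a query as a string.
            $id = absint( wp_unslash( $_GET['post'] ) );
            static::$id = ( $id && get_post_status( $id ) === 'publish' ) ? $id : 0;
        }
    }

    public static function set_urls_with_terms() {
        global $wpdb;
        if ( ! static::$id ) {
            return;
        }
        // $wpdb->prepare() binds the value; %d forces an integer placeholder.
        $terms = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT * FROM {$wpdb->term_relationships} WHERE object_id = %d",
                static::$id
            ),
            ARRAY_A
        );
        foreach ( (array) $terms as $term_val ) {
            static::set_term_urls( $term_val['term_taxonomy_id'] ); // plugin's existing method
        }
    }
}

// AJAX handler with both checks. The nonce action name 'wpfc_save_cdn_integration'
// and the 'nonce' request field are assumed; the admin page must issue the
// nonce with wp_create_nonce( 'wpfc_save_cdn_integration' ).
function wpfc_save_cdn_integration_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // authorization: who may do this
    }
    // Intent: a forged cross-site request cannot carry this user's nonce.
    check_ajax_referer( 'wpfc_save_cdn_integration', 'nonce' );
    // ... sanitize (esc_url_raw, sanitize_text_field) and save CDN options ...
    wp_send_json_success();
}
add_action( 'wp_ajax_wpfc_save_cdn_integration', 'wpfc_save_cdn_integration_hardened' );
```

check_ajax_referer() terminates the request with a -1 response when the nonce is missing or invalid, so the option-saving code below it only runs for requests that carry a nonce issued to the current user.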
The bug report asserts that these options could give attackers a way to store rogue JavaScript on any affected website. The WP Fastest Cache authors have fixed both issues in the 0.9.5 release; users still running older versions of the plugin are advised to update as soon as possible.