WordPress plugin bug allows any user to get admin access
The popular AMP for WP plugin, which helps WordPress sites load faster on mobile browsers, contains a bug that allows WordPress site users to make administrative changes to a website. The plugin, which has over 100,000 active installs, adds support for Google's mobile site acceleration tool, called Google Accelerated Mobile Pages or AMP. Researchers at WebARX Security discovered that the plugin didn't include a check to verify the account permissions of the currently logged-in user. In turn, that lack of permission verification opens up admin API access to anyone with a login for a site. API calls are carried out using the Ajax development framework; they're hooks used by site administrators to interact with third-party and external functions in order to manage the site. In WordPress plugin development, you can register Ajax hooks in order to call functions directly. The issue with this approach is that every registered user can call Ajax hooks. If the called hook doesn't check for the account's role, every user can make use of those functions. The AMP plugin vulnerability is located in the ampforwp_save_steps_data Ajax hook, which is called to save settings during the installation wizard. Exploiting this can allow any user to update the plugin's settings. Under the plugin settings, users can include ads, inject custom HTML code, and manually upload other WordPress plugins or malicious code like mining scripts or JavaScript malware.
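To make the missing-check pattern concrete, here is an added illustration in PHP of a WordPress admin-ajax handler that saves wizard settings, first in the unchecked form the article describes and then with the role and request checks a plugin should carry. This is example code written for this article, not the AMP for WP plugin's own source; only the hook name ampforwp_save_steps_data comes from the article, while the function names, option name, nonce action and field names are assumed placeholders.

```php
<?php
// Added illustration (not the AMP for WP plugin's own code).
// Hook name ampforwp_save_steps_data is from the article; everything
// prefixed "example_" is an assumed placeholder.

// --- Unchecked pattern: any logged-in user can reach this handler ---
// A 'wp_ajax_{action}' hook fires for every authenticated user, whatever
// their role, when admin-ajax.php is called with action=ampforwp_save_steps_data.
// Nothing below asks who the caller is or whether the request was intended.
function example_unchecked_save_steps_data() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'example_wizard_settings', $settings ); // no role check, no nonce
    wp_send_json_success();
}
// Left unregistered on purpose; shown only to contrast with the handler below.
// add_action( 'wp_ajax_ampforwp_save_steps_data', 'example_unchecked_save_steps_data' );

// --- Hardened pattern: capability check, nonce check, input allow-list ---
function example_checked_save_steps_data() {
    // 1. Only users holding manage_options (administrators) may change settings.
    //    wp_send_json_error() ends the request, so no code after it runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 2. Require a nonce issued for this action, so a request forged from
    //    another site in an administrator's browser is rejected as well.
    check_ajax_referer( 'example_save_steps_nonce', 'nonce' );

    // 3. Accept only the fields the wizard is meant to set, and sanitise them,
    //    so the handler cannot be used to write arbitrary option values.
    $allowed = array( 'site_name', 'logo_url', 'color_scheme' ); // assumed field names
    $raw     = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $clean = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $raw[ $key ] );
        }
    }

    update_option( 'example_wizard_settings', $clean );
    wp_send_json_success( array( 'saved' => array_keys( $clean ) ) );
}
add_action( 'wp_ajax_ampforwp_save_steps_data', 'example_checked_save_steps_data' );

// The nonce the hardened handler expects is created server-side on the admin
// page that hosts the wizard, e.g. wp_create_nonce( 'example_save_steps_nonce' ),
// and handed to the JavaScript that posts to admin-ajax.php.
```

The capability check is the fix for the flaw described above: it is the role verification the vulnerable hook lacked. The nonce check and the field allow-list are the two additional checks a reviewer would expect on any settings-writing Ajax handler. One further point to keep in mind when auditing a plugin: a handler registered on `wp_ajax_nopriv_{action}` fires for visitors who are not logged in at all, so such hooks deserve the same scrutiny.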
According to Andy Smith, vice president of product marketing at Centrify, 80 percent of breaches involve privilege misuse. Smith also stated that this is a good example of what happens when applications don't bother enforcing role-based access controls. What was uncovered in the WordPress plugin vulnerability is that administrative commands did not check the user's role before execution, which allows any user to take administrative actions. In a world where developers are moving fast and DevOps pushes code quickly to production, it is critical that security checks get built into this automation flow and real DevSecOps processes get put in place to avoid such potentially costly mistakes.
This is the latest privilege flaw in a string of recent WordPress plugin issues. Earlier, a similar API call issue was discovered in the popular WP GDPR Compliance plugin, which has more than 100,000 active installs and was being exploited until a fix was issued. Also, a file delete vulnerability that affected multiple plugins, including WooCommerce, was found affecting 4 million websites; it allowed full privilege escalation and administrative account takeover on e-commerce sites before a fix was issued. Attackers are always on the lookout for vulnerable third parties that serve multiple websites. While proper site protection includes updating and applying patches to any technologies provided by third parties, most website administrators remain unaware of who all their third parties are and how secure they are. This is one of the biggest risks, because third-party code suppliers are popular targets among attackers.