BulletProof Security [Remote Code Execution]

Description

The BulletProof Security plugin is vulnerable to RCE. The plugin gives users the ability to store an option listing user agents they want to ignore. Those agents are stored in a DB table and from there they are used to form a regular expression that is written to the file 403.php without properly escaping the values.

A malicious user could pass a specially crafted value to this option in order to corrupt the contents of 403.php and execute arbitrary code on the server.

Since the user required to save this option must have the manage_options capability, the severity of this vulnerability is lowered. Additionally, for this attack to be useful the attacker must have something to gain from it. The only plausible scenario is an attacker who is a single-site administrator on a multisite installation. In that case the attacker must be an administrator of the site with id 1, because this specific option can only be accessed from that site.
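To illustrate the class of bug described above, the following is an added example (not the plugin's code; function names and the generated file layout are hypothetical): the first function interpolates the stored values straight into a generated PHP file, so a value containing a quote changes the file's syntax, while the second emits each value with var_export(), which always produces a valid PHP string literal, and preg_quote(), which keeps the value from altering the regex.

```php
<?php
// Added example, not code from the BulletProof Security plugin.
// Assumes $agents holds the values of the stored user-agent-ignore option,
// i.e. a DB value controlled by an administrator.

// UNSAFE pattern: raw interpolation. An embedded quote terminates the
// string literal, so the rest of the value becomes PHP code in 403.php.
function build_403_unsafe(array $agents): string {
    $list = "'" . implode("', '", $agents) . "'";
    return "<?php\n"
         . "\$ignore = array( {$list} );\n"
         . "\$ua = \$_SERVER['HTTP_USER_AGENT'] ?? '';\n"
         . "if ( preg_match( '/' . implode( '|', \$ignore ) . '/i', \$ua ) ) { return; }\n";
}

// SAFER pattern: preg_quote() neutralises regex metacharacters (including
// the '/' delimiter) and var_export() writes a PHP literal that stays a
// string no matter what characters the stored value contains.
function build_403_safe(array $agents): string {
    $quoted = array_map(static function (string $ua): string {
        return preg_quote($ua, '/');
    }, $agents);
    $literal = var_export(array_values($quoted), true);
    return "<?php\n"
         . "\$ignore = {$literal};\n"
         . "\$ua = \$_SERVER['HTTP_USER_AGENT'] ?? '';\n"
         . "if ( \$ignore && preg_match( '/' . implode( '|', \$ignore ) . '/i', \$ua ) ) { return; }\n";
}

// Constructed sample values (not an exploit payload): one plain agent and
// one containing a single quote and a regex metacharacter.
$agents = array( 'Googlebot', "odd'bot.v2" );

echo build_403_unsafe($agents);  // the generated array literal is broken at the quote
echo build_403_safe($agents);    // generated entry reads 'odd\'bot\.v2', still one string
```

A stronger design keeps the data out of executable files altogether, for example having 403.php read the ignore list from a JSON or option store at request time, so that no generated PHP needs escaping at all.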

PoC

  1. Go to admin panel → BPS Security → Security Log
  2. Save the option Add User Agents|Bots to Ignore|Not Log (user-agent-ignore) with the value a/', 'b' ) ) {@ob_clean();echo file_get_contents( ABSPATH.'/wp-config.php' );die;}}} /*
  3. Visit wp-content/plugins/bulletproof-security/403.php with your browser

Solution

Upgrade to v53.5

