For the second time this week a WordPress plugin has been found vulnerable, this time a flaw in the plugin Convert Plus that allows an attacker to gain administrative privileges.
Convert Plus, which has 100,000 active installs, is a commercial lead generation tool containing a critical-rated “unauthenticated administrator creation” flaw, according to Wordfence. If exploited, the flaw allows an attacker to create and register new accounts with various privilege levels up to administrator.
Those using Convert Plus version 3.4.2 need to immediately update to version 3.4.3, Wordfence said.
“We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days,” Wordfence said in a blog post.
The issue was found on May 24 and a patch was released on May 28, the same day a firewall rule was released for Wordfence Premium users. On June 27 the firewall rule will roll out for all users.
Earlier this week researchers at Defiant found a vulnerability in the plugin Slick Popup.
The problem lies in the new-subscriber portion of the plugin. The form for handling new subscribers allows administrators to define a user role for the email address being added. By default this value is set to none, but the site owner can configure a list of roles to choose from, such as a new-subscriber role. Even though the administrator role is not offered in that list, there is a way to request it.
“In vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user,” Wordfence said.
Because no filtering is applied when the subscription is created, an attacker can submit the subscription form with the value of cp_set_user changed to administrator, and the plugin will create an account of that type associated with the new email address. Although a randomized password is generated for the account, whoever controls the new administrator account's email address can simply obtain a new one through the password reset function.
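The flaw described above, as an added illustration that is not the plugin's own code: a hypothetical reconstruction of a WordPress subscription handler in the vulnerable shape (the role is taken from the hidden cp_set_user field), followed by a hardened version that reads the role from the site owner's stored setting and restricts it to an allowlist. The function names and the cp_subscriber_role option name are assumptions; the WordPress API calls (sanitize_email, is_email, email_exists, get_option, wp_generate_password, wp_insert_user) are real.

```php
<?php
// Added example, not Convert Plus code. Function and option names are assumptions.
// Vulnerable shape: the role comes from a hidden form field, so it is attacker-controlled.
function cp_subscribe_vulnerable( array $post ) {
    $email = sanitize_email( $post['email'] ?? '' );
    $role  = $post['cp_set_user'] ?? 'none'; // trusts the client-supplied value
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.' );
    }
    if ( 'none' === $role ) {
        return true; // lead captured, no WordPress user created
    }
    return wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // 'administrator' is accepted as-is
    ) );
}

// Hardened: the role is read from the option the site owner saved, never from
// the request, and must be on an allowlist that excludes privileged roles.
function cp_subscribe_hardened( array $post ) {
    $email = sanitize_email( $post['email'] ?? '' );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.' );
    }
    if ( email_exists( $email ) ) {
        return new WP_Error( 'exists', 'That email is already registered.' );
    }
    // Assumed option name; the request field cp_set_user is deliberately ignored.
    $role = sanitize_key( get_option( 'cp_subscriber_role', 'none' ) );
    if ( 'none' === $role ) {
        return true;
    }
    $allowed = array( 'subscriber' ); // extend as needed, but never 'administrator'
    if ( ! in_array( $role, $allowed, true ) ) {
        return new WP_Error( 'bad_role', 'Configured role is not permitted for self-registration.' );
    }
    return wp_insert_user( array(
        'user_login' => $email,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}
```

The hardened handler fails closed: a request carrying cp_set_user=administrator has no effect, and a misconfigured stored role outside the allowlist is rejected rather than honoured.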