[wp-trac] [WordPress Trac] #56729: Vulnerability in plugin update notification (impersonation of plugins with possible RCE)
WordPress Trac
noreply at wordpress.org
Tue Oct 4 09:21:13 UTC 2022
#56729: Vulnerability in plugin update notification (impersonation of plugins with possible RCE)
----------------------------+-----------------------------------------
Reporter: sylm87 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Plugins | Version: 6.0.2
Severity: critical | Keywords: needs-patch has-screenshots
Focuses: administration |
----------------------------+-----------------------------------------
During the development of a private plugin (not uploaded to the WordPress
marketplace https://es.wordpress.org/plugins/) with our own metadata, we
noticed that the WordPress plugin update notification system informed us
that an update was available for our plugin. How is this possible?
Well, the only explanation for this is that the update check is
based solely on the plugin's folder name, ignoring any authorship metadata
and project URIs.
To make sure that the update system really is ignoring the data in the
plugin's metadata, we proceeded to download it (the plugin). This confirmed
our suspicions: the update system is governed only by the name of a
directory.
Because of this lack of security in the metadata check, the only solution so
far is to never enable auto-updates and to check each update manually.
If you click the "update now" link, the system will install the
possibly malicious plugin without any confirmation.
Criticality:
HIGH [8.8] - Exploitation of this vulnerability would result in remote code
execution (RCE) on the server. It is downgraded from critical to high
because it requires human action on the plugin configuration.
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected environments:
All installations with custom plugins that are not in the official
WordPress marketplace.
Aggravated if the unattended updater is accidentally enabled, or if a
maintenance technician is unaware of the custom plugin development and
hits the update button.
Conclusion:
As there is no signature-checking system in the plugin update check,
our plugin could be impersonated if an attacker created a plugin in the
official marketplace with the same name as the directory of our custom
plugin, allowing them to execute remote code on our server.
Temporary solution:
Disable the automatic update systems and create a plugin page with <name
X> so that no one else can take that name to perform the impersonation.
Taking today's notice as the warning, the process to request a CVE ID for
the formal vulnerability write-up follows.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56729>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
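As an added example (not code from the ticket, and not WordPress core's own code), here is a must-use plugin that puts the reporter's workaround into code: it discards any update offer for a privately developed plugin unless the package URL points at a host you control, and it opts that plugin out of automatic updates regardless of the site-wide setting. The plugin path `my-private-plugin/my-private-plugin.php` and the host `updates.example.internal` are placeholders for this example. WordPress 5.8 and later also honour an `Update URI:` plugin header; when its host is not wordpress.org, core stops asking the plugin directory about that slug at all, so a private plugin should declare one as the first line of defence, with the guard below as a second check on whatever offer still reaches the transient.

```php
<?php
/**
 * Plugin Name: Private Plugin Update Guard
 * Description: Keeps a privately developed plugin from being replaced by a
 *              same-slug package from the WordPress.org directory.
 * Update URI:  https://updates.example.internal/private-plugin-update-guard
 *
 * Added example for ticket #56729; drop it into wp-content/mu-plugins/ so it
 * cannot be deactivated from the admin screen.
 */

// Plugin file (directory/main file) of the private plugin to protect.
// Placeholder assumed for this example.
const PPG_PROTECTED_PLUGIN = 'my-private-plugin/my-private-plugin.php';

// Only update packages served from this host are accepted for that plugin.
// Placeholder assumed for this example.
const PPG_TRUSTED_HOST = 'updates.example.internal';

/**
 * Inspect the update_plugins site transient every time core reads it.
 *
 * The admin "update now" link, the Updates screen and the automatic updater
 * all act on $transient->response, so removing the entry here is enough to
 * stop a same-slug package from another host being installed.
 */
function ppg_filter_update_transient( $transient ) {
	if ( ! is_object( $transient ) || empty( $transient->response ) ) {
		return $transient;
	}

	if ( ! isset( $transient->response[ PPG_PROTECTED_PLUGIN ] ) ) {
		return $transient;
	}

	$offer   = $transient->response[ PPG_PROTECTED_PLUGIN ];
	$package = isset( $offer->package ) ? (string) $offer->package : '';
	$host    = wp_parse_url( $package, PHP_URL_HOST );

	if ( PPG_TRUSTED_HOST !== $host ) {
		// Drop the offer and move the plugin to the "no update" list so the
		// dashboard shows nothing for it until a trusted offer appears.
		unset( $transient->response[ PPG_PROTECTED_PLUGIN ] );
		if ( ! isset( $transient->no_update ) || ! is_array( $transient->no_update ) ) {
			$transient->no_update = array();
		}
		$transient->no_update[ PPG_PROTECTED_PLUGIN ] = $offer;

		error_log( sprintf(
			'[ppg] rejected update offer for %s from untrusted host "%s" (package: %s)',
			PPG_PROTECTED_PLUGIN,
			(string) $host,
			$package
		) );
	}

	return $transient;
}
add_filter( 'site_transient_update_plugins', 'ppg_filter_update_transient' );

/**
 * Never let the unattended updater touch the protected plugin, even if
 * plugin auto-updates have been enabled site-wide by mistake.
 */
function ppg_block_auto_update( $update, $item ) {
	if ( isset( $item->plugin ) && PPG_PROTECTED_PLUGIN === $item->plugin ) {
		return false;
	}
	return $update;
}
add_filter( 'auto_update_plugin', 'ppg_block_auto_update', 10, 2 );
```

The `site_transient_update_plugins` filter is the one hook through which every consumer of the update list passes, which is why the check lives there rather than in the admin UI; the `auto_update_plugin` filter is a separate belt-and-braces opt-out because the unattended updater is the case the ticket calls out as aggravating. Check the log line in your PHP error log after the next scheduled update check to see whether a same-slug offer was actually being served.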