[wp-trac] [WordPress Trac] #57465: WordPress AJAX Vulnerability
WordPress Trac
noreply at wordpress.org
Sun Jan 15 17:31:13 UTC 2023
#57465: WordPress AJAX Vulnerability
---------------------------+----------------------
Reporter: allalbenaissa | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 6.1.1
Severity: normal | Resolution: invalid
Keywords: | Focuses:
---------------------------+----------------------
Comment (by allalbenaissa):
**admin-ajax.php**
This script is an example of the **WordPress Ajax** process execution. It
includes a number of core actions, both for GET and POST requests.
Weakness: This script is vulnerable to arbitrary code execution via the
"action" GET parameter. An attacker can pass a malicious action in the GET
request that will be executed by this script, which could potentially lead
to arbitrary code execution.
Fix: To mitigate this vulnerability, the script should check that the
action requested is one of the valid actions specified in the
$core_actions_get and $core_actions_post arrays and only execute the
action if it is in one of those lists. This will prevent arbitrary actions
from being executed and limit the scope of what can be done with the
script.
The security vulnerability in the code is located in the following lines:
{{{
if ( empty( $_REQUEST['action'] ) || ! is_scalar( $_REQUEST['action'] ) ) {
    wp_die( '0', 400 );
}
}}}
Here's an example of how the security vulnerability could be repaired:
{{{
// list of valid actions
$core_actions_get = array(
    'fetch-list',
    'ajax-tag-search',
    'wp-compression-test',
    // other valid actions
);
$core_actions_post = array(
    'oembed-cache',
    'image-editor',
    // other valid actions
);

// check if the action requested is valid
if ( empty( $_REQUEST['action'] )
    || ( ! in_array( $_REQUEST['action'], $core_actions_get )
        && ! in_array( $_REQUEST['action'], $core_actions_post ) ) ) {
    wp_die( '0', 400 );
}
// continue with execution of valid action
}}}
This code creates two arrays, $core_actions_get and $core_actions_post,
which contain the lists of valid actions for GET and POST requests
respectively. It then checks whether the requested action is empty or
absent from both arrays, and if it does not match any of the valid actions
it stops execution. This way, it prevents arbitrary actions from being
executed and limits the scope of what can be done with the script.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/57465#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
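As an added example, not code from the ticket or from WordPress core, here is a small model of the allow-list dispatch the comment proposes, written the way admin-ajax.php actually routes requests: the action string is used only as a lookup key into a registry of handlers (core registers a handler for each action name it ships, and `do_action( "wp_ajax_{$action}" )` fires nothing for a name that has no registered callback). The registry, handler names and request data are hypothetical and constructed for the demonstration; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not WordPress core code. Models allow-list dispatch for an
// admin-ajax style endpoint; all names below are hypothetical.

// Registry of handlers keyed by privilege level and then by exact action name.
$ajax_handlers = array(
    'priv'   => array(), // handlers for logged-in users
    'nopriv' => array(), // handlers that anonymous requests may reach
);

function register_ajax_action( string $action, callable $handler, bool $nopriv = false ): void {
    global $ajax_handlers;
    $ajax_handlers[ $nopriv ? 'nopriv' : 'priv' ][ $action ] = $handler;
}

// Dispatch one request. Returns array( status_code, body ).
function dispatch_ajax( array $request, bool $logged_in ): array {
    global $ajax_handlers;

    // Same shape of check the ticket quotes: missing or non-scalar action -> 400.
    if ( empty( $request['action'] ) || ! is_scalar( $request['action'] ) ) {
        return array( 400, '0' );
    }
    $action = (string) $request['action'];

    // The action string is never evaluated, included or passed to a shell;
    // it is only an array key. Names with no registered handler fall through.
    $table = $logged_in ? 'priv' : 'nopriv';
    if ( ! isset( $ajax_handlers[ $table ][ $action ] ) ) {
        return array( 400, '0' );
    }
    return array( 200, (string) $ajax_handlers[ $table ][ $action ]( $request ) );
}

// Constructed handlers: one for logged-in users only, one reachable anonymously.
register_ajax_action( 'fetch-list', fn( $r ) => 'list for ' . htmlspecialchars( (string) ( $r['s'] ?? '' ) ) );
register_ajax_action( 'heartbeat', fn( $r ) => 'ok', true );

// Constructed requests covering the cases a reviewer would want to see.
$cases = array(
    array( array( 'action' => 'fetch-list', 's' => 'x' ), true ),  // registered, logged in
    array( array( 'action' => 'fetch-list' ), false ),             // registered only for priv, anonymous caller
    array( array( 'action' => 'does-not-exist' ), true ),          // unregistered name
    array( array( 'action' => array( 'x' ) ), true ),              // non-scalar action
);
foreach ( $cases as $case ) {
    list( $status, $body ) = dispatch_ajax( $case[0], $case[1] );
    printf( "%s -> %d %s\n", json_encode( $case[0]['action'] ), $status, $body );
}
```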