Not fixed security issues that could be exploited
Few years back WP “fixed” prepare method of its DB class and even today it remains one of the failure points for ~40% of the web. What is the bug? Simple, because sprintf usage every % sign is replaced with placeholder which in most of the setups swaps 1 character % with 66 in memory. …
WP Job Manager plugin was sitting vulnerable for some time and attack vectors were available with lowest possible user role. Now in current version 1.34.4 some hardening was placed in the form of post_type checks & nonce’s, but meddling with protected meta failed again. Almost the same way as WordPress core did. Eli5 PoC In …
There are a lot of security solutions around WP eco system advertising their possibility to fight malware, intrusions and exploitation. Most of them are endpoint security solutions, there are cloud ones, but also market knows the managed WP services that offer security in their own way. Having big choice sometime is a problem, because you …
Adding slashes or removing them is a thing on WP. Most of the meta functions perform that e.g. they hold that not popular wp_unslashagainst meta keys and values. This means when input towards update_metadata and add_metadata isn’t from the current http requst via some web form e.g. html interface there is possibility for user to insert/update protected meta key into …
Core had put some efforts in order to prevent accessing attachment post type functions from another post types. Usually checks are done by calling get_post and comparing the post type with attachment, but that is selective and only in hand picked places. It is that way because performances mainly, so many functions are lacking this checks. Eli5 PoC One of …
WordPress attachment api functions and any post type Read More »
Core team had put some effort into project in order to preven unserialize of user input via phar stream wrapper. In general, efforts are good, but to excelent there are two more grades and this is the max with this approach. In the core there is function path_join that accepts two parameters $base and $path. $path is then sent towards function path_is_absolute and from the code …
WordPress introduced maybe_unserialize and maybe_serialize as security functions in the past and they are deeply integrated in the core. Usually for backward compatibility or improper usage in the past, many software vendors are using multiple maybe_unserialize towards values that could be planted into DB with lower number of maybe_serializecalls. Eli5 PoC and if you think that this code isn’t existing then …
If we execute the following MySQL query against WP database we will get results in case we had already uploaded media in the past This is sort of “feature” of MySQL RDBMS, but what this means from WP aspect. It means a lot, because in the past there were account take over / backdoor vulnerabilities …
Native WordPress importer have 3 different parser classes: WXR_Parser_SimpleXML, WXR_Parser_XML and WXR_Parser_Regex. If first two required PHP extensions (simplexml and xml) aren’t installed or somehow they fail during export file parsing, then everything should be done by WXR_Parser_Regex class. Failing could occure because: malformed XML file Huge XML file with lot of data (libxml doesn’t obay memory constraints from php.ini) most important one: …
Few months back security research regarding WP learning platforms got my attention. From writing there and change logs it was obvios that some of the SQLi vulnerabilities remained in the code and what is more interesting it is easy to be escalated to RCE. Eli5 PoC Into function learn_press_duplicate_post_meta which is called from learn_press_duplicate_post we have the following: From …