
Exploiting authorization by nonce in WordPress plugins


About WordPress

As of 2024, WordPress powers 43% of all websites on the internet. 474 million websites run WordPress software together with one or more of the 70 000 available plugins. Unfortunately, as history shows, WordPress plugins, even popular ones, often contain security vulnerabilities, and sometimes these vulnerabilities are trivial to find. So far this year, 280 critical (CVSS score 9.0+) vulnerabilities have been found in WordPress and its plugins. Critical vulnerabilities usually allow taking over a WordPress instance, which can lead to data leaks, malware injection, or turning the instance into a C2 server.

The nopriv part of the action name means that WordPress skips the authentication step before executing the function handler; in other words, these AJAX calls are available to any user, including those who are not logged in. It was vulnerable to Remote Code Execution (via Arbitrary File Upload) that can be triggered by any user with access to the plugin (configurable by the Admin, with the lowest level being Subscriber). The complexity lies in the fact that the values returned by the appended query must be integers that are also valid IDs of existing posts in the victim's WordPress database.
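The pattern described above, as an added illustration that is not code from the article or from any plugin it describes: a nopriv AJAX handler whose only gate is a nonce, beside a hardened version that keeps the nonce as CSRF protection and adds a real capability check. The hook suffix, option name and function names are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not from the article. demo_save_settings, demo_settings and
// demo_upload_dir are made-up names for a hypothetical plugin.

// WEAK: hooked on wp_ajax_nopriv_, so WordPress runs the handler for visitors
// who are not logged in. The nonce only proves the request came from a page
// that embedded it (CSRF protection); if that page is public, any visitor can
// read the nonce, and nothing here asks who the caller is or what they may do.
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_weak' );
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_weak' );
function demo_save_settings_weak() {
    check_ajax_referer( 'demo_settings', 'nonce' );          // CSRF check only
    update_option( 'demo_upload_dir', wp_unslash( $_POST['dir'] ?? '' ) );
    wp_send_json_success();
}

// HARDENED: no nopriv hook, so admin-ajax.php never reaches this handler for
// anonymous requests, and a capability check decides authorization. Checking a
// capability rather than "is logged in" matters because the lowest role a site
// can hand out (Subscriber) is still an authenticated user.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_hardened' );
function demo_save_settings_hardened() {
    check_ajax_referer( 'demo_settings', 'nonce' );          // CSRF layer stays
    if ( ! current_user_can( 'manage_options' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $dir = sanitize_text_field( wp_unslash( $_POST['dir'] ?? '' ) );
    update_option( 'demo_upload_dir', $dir );
    wp_send_json_success();
}
```

When reviewing a plugin, grep for wp_ajax_nopriv_ registrations and confirm that each handler either is genuinely meant for anonymous callers or is backed by a current_user_can() check, not just check_ajax_referer().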
