Recently, the NinTechNet blog and the vulnerability researchers at Patchstack reported a serious security hole in a plugin for the extremely popular blog and website software WordPress. The plugin PWA for WP & AMP for WordPress was found to be vulnerable to arbitrary file upload, which could let a malicious user achieve remote code execution. It has also been reported that 20,000 websites use PWA for WP & AMP and were affected by this issue. WordPress is perhaps the most popular Content Management System (CMS) out there, which also makes it a clear target for cybercriminals; it has had its share of flaws and unpatched security holes in the past. As of July 2021, statistics reveal that over 40% of all websites use WordPress.
Security Issue in Plugin Version 1.7.32 And Below
This WordPress plugin security flaw was first discovered on June 22, 2021. Security research teams posted an alert that a ‘broken access control vulnerability’ had been found in the PWA for WP & AMP plugin. This type of access control vulnerability can easily lead to an ‘arbitrary file upload’, which in turn can let a malicious user gain administrative privileges and execute code from a remote location, thereby taking full control of the website. It also means that WordPress users are at risk of a breach whenever a plugin is vulnerable in this way.
Technical Details of The Plugin Flaw
Further details describe how the flaw works: an authenticated user with as little as the subscriber role could upload one or more PHP scripts inside a ZIP archive, which the plugin would extract into the ‘wp-content/uploads/pwa-splash-screen/’ folder, where the scripts are reachable over the web and can be executed, giving remote code execution. The root cause is a plugin function that performs the ZIP extraction without checking whether the requesting user is an administrator. As a result, a function that should have been administrator-only was reachable by any logged-in user.
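To make the root cause concrete, here is an added example (written for this article, not code from the PWA for WP & AMP plugin or from Patchstack) of a WordPress AJAX upload handler in the flawed shape described above, beside a hardened form. The hook and function names prefixed `pwa_demo_` are hypothetical; the WordPress and PHP APIs used (`check_ajax_referer`, `current_user_can`, `wp_upload_dir`, `wp_mkdir_p`, `ZipArchive`) are real.

```php
<?php
// Added example, not the plugin's own code. Names prefixed pwa_demo_ are
// hypothetical; the WordPress/PHP functions called are real.

// FLAWED PATTERN: the wp_ajax_ hook is reachable by ANY logged-in user,
// there is no nonce, no capability check, and the archive is extracted
// without inspecting what it contains.
add_action( 'wp_ajax_pwa_demo_upload_splash', 'pwa_demo_upload_splash_flawed' );
function pwa_demo_upload_splash_flawed() {
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['basedir'] ) . 'pwa-splash-screen/';
    $zip        = new ZipArchive();
    if ( $zip->open( $_FILES['splash']['tmp_name'] ) === true ) {
        $zip->extractTo( $target ); // any .php entry now sits in a web-reachable folder
        $zip->close();
    }
    wp_send_json_success();
}

// HARDENED FORM: nonce + capability check + content allow-list before extraction.
add_action( 'wp_ajax_pwa_demo_upload_splash_safe', 'pwa_demo_upload_splash_safe' );
function pwa_demo_upload_splash_safe() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'pwa_demo_upload_splash', 'nonce' );

    // 2. Authorization: this is an administrator-only operation.
    //    manage_options is the capability WordPress grants to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }

    // 3. Only accept a file that really came through this request's upload.
    if ( empty( $_FILES['splash']['tmp_name'] ) || ! is_uploaded_file( $_FILES['splash']['tmp_name'] ) ) {
        wp_send_json_error( 'no uploaded file', 400 );
    }

    $zip = new ZipArchive();
    if ( $zip->open( $_FILES['splash']['tmp_name'] ) !== true ) {
        wp_send_json_error( 'not a valid zip archive', 400 );
    }

    // 4. Inspect every entry BEFORE extracting anything. Reject:
    //    - directory traversal or nested paths
    //    - anything that is not a plain image by extension
    //    - names containing a PHP-like segment anywhere (e.g. shell.php.png),
    //      which some server configurations still hand to the PHP interpreter.
    $allowed = array( 'png', 'jpg', 'jpeg', 'webp' );
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( strpos( $name, '..' ) !== false
            || strpos( $name, '/' ) !== false
            || strpos( $name, '\\' ) !== false
            || ! in_array( $ext, $allowed, true )
            || preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $name ) ) {
            $zip->close();
            wp_send_json_error( 'archive entry rejected: ' . $name, 400 );
        }
    }

    // 5. Only now extract, into a directory we create ourselves.
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['basedir'] ) . 'pwa-splash-screen/';
    wp_mkdir_p( $target );
    $zip->extractTo( $target );
    $zip->close();
    wp_send_json_success( 'splash screen images installed' );
}
```

The missing `current_user_can( 'manage_options' )` check is the broken access control the article describes; the content allow-list is the defence-in-depth layer that would have kept a PHP script out of the uploads folder even if the authorization check were bypassed. Note that `wp_send_json_error()` terminates the request, so no explicit `return` is needed after it.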
Past WordPress Vulnerabilities
WordPress plugin vulnerabilities and security leaks involving third-party plugins and other extensions are not a new occurrence. In 2018, a GoDaddy Security report based on a ‘CMS Security Analysis’ found that the leading CMS platforms at the time were WordPress, Magento, and Joomla!. Furthermore, the report showed that 90% of the platform infections analyzed were WordPress infections, and that the infection rate for WordPress was rising each year. The report included a graph, reproduced in the original article, illustrating the number of incidents WordPress experienced in 2018 due to vulnerable third-party themes and plugins.
WordPress has also suffered from other types of breaches and problems, such as brute-force logins, malware, SQL injection, SEO (Search Engine Optimization) spam, cross-site scripting, phishing, and DoS (Denial-of-Service) attacks. The usual suspect in these cases is not the WordPress core program but the third-party themes and plugins known as extensions. Attackers are always on the lookout for outdated versions of themes and plugins to exploit. Once in, an attacker can control a website’s front-end as well as other aspects, which endangers not only the website or blog but also its many registered users. Once a cybercriminal (attacker) holds administrative privileges on a service, they can move laterally within the system and infect or breach other parts of the network.
The Issue Has Been Resolved in Version 1.7.33
The PWA for WP & AMP plugin issue has been patched in version 1.7.33. Users running version 1.7.32 or lower on their site must “Update immediately”. NinTechNet notes that certain firewall applications for WordPress, such as NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), also offer protection against this vulnerability.