Vulnerability in wpCentral Plugin Leads to Privilege Escalation

Description: Improper Access Control to Privilege Escalation
Affected Plugin: wpCentral
Affected Versions: <= 1.5.0
CVE ID: CVE-2020-9043
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.5.1

On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000 sites. The flaw allowed anybody to escalate their privileges to those of an administrator, including subscriber-level users, which anyone could become if open registration was enabled on a WordPress site with the vulnerable plugin installed.

The flaw also allowed for remote control of the site via the wpCentral administrative dashboard. This would be considered an improper access control vulnerability that led to privilege escalation. We privately disclosed the full details to the plugin’s developer on February 13th, and they reacted promptly by releasing a patch the next day along with a few additional security enhancements.

This is a high severity security issue that could cause severe impact to your site. We highly recommend updating to the latest version, 1.5.2, immediately.

Wordfence Premium customers received a new firewall rule on February 14th to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days, on March 15th.

What is wpCentral?

wpCentral is a WordPress plugin designed to be used in tandem with the wpCentral management dashboard, providing a connection between WordPress sites and a central management interface. The software is designed to make site management easy, with functionality including one-click automated sign-on from the wpCentral dashboard, the ability to create back-ups, post editing (in the premium version), and much more.

In order to provide this connection between the site and the management dashboard, the plugin generates a random 128 character authorization key, stored as the wpcentral_auth_key, also referred to as the “connection key.” This key is used to add a site to the wpCentral dashboard, in addition to being used as the auth_key when sending requests from the wpCentral dashboard. It is an important part of the authentication and authorization process, and because of its capabilities, it requires strict protections to prevent unauthorized use.

Connection Key Always Displayed in Admin Footer

Unfortunately, we discovered that only weak access controls protected the connection key, which was displayed in a modal dialog output on the admin_footer hook.

add_action('admin_footer', 'wpc_modal_dialog');

The admin_footer hook fires on any page that is part of the administrative interface and outputs whatever is attached to it there. However, neither the hook nor checks such as is_admin() verify that the user has ‘administrator’ capabilities, a common misconception about the WordPress functions and hooks whose names contain `admin`: they only indicate that the request is for an admin-area page, not that the current user is an administrator. This meant that any logged-in user, regardless of capabilities, could view any content in the modal dialog displayed as part of the admin_footer.

The modal dialog box that was displayed as part of the admin footer exposed the connection key along with steps that could be used to connect a site to wpCentral.

function wpc_modal_dialog(){

    $mdialog = '
    <div id="wpc_connection_key_dialog" style="display: none;">
        <p>Follow the steps here to connect your website to wpcentral dashboard:</p>
        <ol>
            <li>Copy the connection key below</li>
            <li>Log into your <a href="https://panel.wpcentral.co/" target="_blank">wpcentral</a> account</li>
            <li>Click on Add website to add your website to wpcentral.</li>
            <li>Enter this website\'s URL and paste the Connection key given below.</li>
            <li>You can also follow our guide for the same <a href="https://wpcentral.co/docs/getting-started/adding-website-in-wpcentral/" target="_blank">here</a>.</li>
        </ol>

        <p style="font-weight:bold;">Note: Contact wpCentral Team at support@wpcentral.co for any issues</p>

        <div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
        <div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">'.wpc_get_connection_key().'</div>
    </div>';

    // The excerpt quoted in the post ends here; the plugin goes on to output
    // $mdialog into the admin footer, and nothing in the function checks the
    // current user's capabilities before the key is embedded in the page.
}

This meant that an attacker with minimal, subscriber-level permissions could add a vulnerable site to their own wpCentral dashboard and take remote control of the site. They could, for example, create a backup and then extract the contents of the wp-config.php file to obtain access to the database or to other sensitive information.
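The missing check, shown here as an added example rather than the plugin's own code: the same admin_footer hook is used, but the handler tests a capability before it renders the key and only renders it on the plugin's own screen, since admin_footer and is_admin() only tell you the request is for an admin-area page. The example_-prefixed function names and the screen id are assumptions; the option name wpcentral_auth_key is the one the post describes.

```php
<?php
// Added example, not wpCentral's code. Demonstrates gating secret output in an
// admin_footer handler on a capability rather than on "this is an admin page".

function example_get_connection_key() {
    // Assumption: the key lives in the options table under wpcentral_auth_key,
    // as the post describes.
    return (string) get_option('wpcentral_auth_key', '');
}

function example_connection_key_dialog() {
    // admin_footer fires for every user who can load a wp-admin page; a
    // subscriber viewing their own profile triggers it too. Only a user who may
    // manage the site gets to see the key.
    if (!current_user_can('manage_options')) {
        return;
    }

    // Render the dialog only on the plugin's own settings screen, not on every
    // admin page, so the secret is never embedded in unrelated responses.
    // 'toplevel_page_example_wpcentral' is an assumed screen id.
    $screen = get_current_screen();
    if (!$screen || $screen->id !== 'toplevel_page_example_wpcentral') {
        return;
    }

    $key = example_get_connection_key();
    if ($key === '') {
        return; // nothing to show until a key has been generated
    }

    // Escape on output; the key is random, but the habit costs nothing.
    echo '<div id="wpc_connection_key_dialog" style="display:none;">'
       . '<p>wpCentral Connection Key</p>'
       . '<div>' . esc_html($key) . '</div>'
       . '</div>';
}
add_action('admin_footer', 'example_connection_key_dialog');
```

The capability test is the essential line; the screen check is defence in depth, so that a page-level problem elsewhere in wp-admin cannot expose the key either.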

Auto-login Capabilities Unprotected

The worst thing an attacker could do if they were able to gain access to the auth_key was to auto sign-on, a feature common amongst WordPress management dashboards.

add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');

This functionality was intended to be triggered from the wpCentral dashboard, where a user clicks a button to authenticate. However, the dashboard simply sent a request that any user could replicate. The only authorization check was whether the supplied auth_key matched the one stored in the options table as wpcentral_auth_key. This key is persistent, so if it was compromised, it would authorize any user to send requests on behalf of a site administrator.

/**
 * Check for the authorization of the request using the auth key
 *
 * @returns     bool
 * @since       1.0
 */
function wpc_authorize(){
    global $l, $error;

    $return = array();

    $auth_key = wpc_optREQ('auth_key');
    if(empty($auth_key)){
        $return['error'] = 'Unauthorized Access!!';
        echo json_encode($return);
        die();
    }

    $verify_authkey = wpc_get_option('wpcentral_auth_key');
    if($auth_key != $verify_authkey){
        $return['error'] = $l['invalid_auth_key'];
        echo json_encode($return);
        die();
    }
}

When a correctly formatted request was sent with the proper authorization key, the requester was automatically signed on as user 1 in the database. This is the first user account created on a site and is typically one of the primary administrative users. Once signed on, an attacker would have free rein and could inject backdoors, take down the site, and much more.

/**
 * Provides access to the website's admin panel
 *
 * @returns     bool
 * @since       1.0
 */
function my_wpc_signon(){
    global $l, $error;

    //Authorize
    wpc_authorize();

    $user_info = get_userdata(1);

    // Automatic login //
    $username = $user_info->user_login;
    $user = get_user_by('login', $username );

    // Redirect URL //
    if (!is_wp_error($user)){
        wp_clear_auth_cookie();
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID);

        $redirect_to = user_admin_url();
        wp_safe_redirect($redirect_to);

        exit();
    }
}

Fortunately, in the latest version of wpCentral, the developer implemented a check that ensures requests are sent from the wpCentral server’s IP address. This means that if a connection key is compromised, mass exploitation would be much harder to conduct, as requests need to come from the wpCentral dashboard rather than from an arbitrary client. Additionally, the auto sign-on feature appears to have been disabled for the time being.
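A hardened version of the authorization and sign-on flow, written here as an added example rather than wpCentral's own code. It keeps the patched plugin's idea of restricting callers to the management dashboard's addresses (the address below is a placeholder, not wpCentral's), compares the key in constant time instead of with a loose `!=`, and signs in an explicitly configured account that must hold the manage_options capability rather than whichever account happens to have ID 1. All example_-prefixed names and the example_wpc_signon_user_id option are assumptions.

```php
<?php
// Added example, not wpCentral's code. Hardened authorize + sign-on for the
// AJAX action discussed above.

// Placeholder allowlist (TEST-NET-3 address); a real deployment would hold the
// management dashboard's published source addresses here.
const EXAMPLE_ALLOWED_SOURCE_IPS = ['203.0.113.10'];

function example_authorize_or_die() {
    // 1. Source restriction, as the patched plugin does. REMOTE_ADDR is the
    //    peer address; X-Forwarded-For is client-controlled and must only be
    //    trusted behind a proxy that is known to overwrite it.
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, EXAMPLE_ALLOWED_SOURCE_IPS, true)) {
        wp_send_json_error('Unauthorized', 403); // sends JSON and exits
    }

    // 2. Constant-time comparison: no timing side channel and no PHP type
    //    juggling, which a loose "!=" would be subject to.
    $supplied = isset($_REQUEST['auth_key']) ? (string) $_REQUEST['auth_key'] : '';
    $stored   = (string) get_option('wpcentral_auth_key', '');
    if ($supplied === '' || $stored === '' || !hash_equals($stored, $supplied)) {
        wp_send_json_error('Unauthorized', 403);
    }
}

function example_wpc_signon() {
    example_authorize_or_die();

    // 3. The account to sign in is configured explicitly (hypothetical option),
    //    and it must still be an administrator at the time of the request;
    //    user ID 1 is not assumed to be anything in particular.
    $user_id = (int) get_option('example_wpc_signon_user_id', 0);
    $user    = $user_id > 0 ? get_user_by('id', $user_id) : false;
    if (!$user || !user_can($user, 'manage_options')) {
        wp_send_json_error('No eligible account configured', 403);
    }

    wp_clear_auth_cookie();
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID);
    wp_safe_redirect(admin_url());
    exit;
}

// The nopriv hook is still required because the caller has no session yet;
// the gate is the source check, the key and the capability of the target
// account, not the hook name.
add_action('wp_ajax_nopriv_example_wpc_signon', 'example_wpc_signon');
```

With these three checks a leaked key on its own no longer signs anyone in from an arbitrary client. If the site sits behind a reverse proxy, REMOTE_ADDR will be the proxy's address, so the allowlist check only works once the proxy has been configured as trusted and the real client address is restored before WordPress runs.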

Proof of Concept Walkthrough

Very Important to Update Immediately

Due to the unique nature of this vulnerability, it was difficult to create a firewall rule that provided complete protection, as we did not want to block legitimate plugin functionality. Although we do have a firewall rule in place to help protect your site, it cannot provide complete protection. Note that, as part of the plugin update, your wpCentral connection key is reset, which prevents an attacker who may have previously obtained the key from retaining unauthorized access to your site. For these reasons, we highly recommend updating to the latest version as soon as possible to ensure your site is secure.

Disclosure Timeline

February 13th, 2020 – Vulnerability initially discovered and analyzed. Initial outreach to developer.
February 14th, 2020 – Developer responds and full details are sent. Firewall rule released for Wordfence Premium users.
February 14th, 2020 – Patch released.
March 15th, 2020 – Wordfence free users receive firewall rule.

Conclusion

In today’s post, we detailed a privilege escalation flaw in the wpCentral plugin. This flaw was patched in version 1.5.1; however, we recommend that users update immediately to the latest available version (1.5.2). Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 14th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 15th, 2020.


Comments

5 Comments
  • ... is_admin() strikes again, I see... Someone should really do something about that one.

  • Hello,
    My site (www.ilsephilips.nl) was hacked and I can't get access to update.
    Someone changed the login and all the passwords.
    My site is now an empty site but my company name is being used/visible. What the hell is going on??
    Can you help me please ?
    Kind regards, Ilse

    • Hi Ilse,

      I am very sorry to hear your site has been compromised. It sounds like it may be related to the recent database reset vulnerabilities that have been discovered. I highly recommend taking a look at our site cleaning service. Our team would be happy to help you regain access to your site and discover how exactly the site was compromised.

  • Hi!
    I lost my site and my login! Someone is using my site and my name.
    WordPress solution for that is for me to pay for an error that WordPress itself makes?!?!

    What will I do?!?!

    • Hi Camila!

      I am very sorry to hear that your site has been compromised. It sounds like it may be related to the recent database reset vulnerabilities that have been discovered. If you have a back-up of your site, you can try and follow this guide to restore your site. Alternatively, you can take a look at our site cleaning service. Our team would be happy to help you restore access to your site and discover how exactly the site was compromised.