Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin

On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, if the targeted site has the ‘Role Management’ setting enabled.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.

We performed our initial outreach to the developer on April 5, 2023, the same day we discovered the vulnerability. We received a response the same day and sent over the full details. The developer released a patch swiftly the next day on April 6, 2023.

We’d like to say a special thanks to the lead developer of WP Data Access, Peter Schulz, who provided an exemplary example of how security issues should be handled by responding immediately and releasing a patch the next day.

We strongly recommend ensuring that your site has been updated to the latest patched version of WP Data Access, which is version 5.3.8 at the time of this publication.


Vulnerability Summary from Wordfence Intelligence

Description: WP Data Access <= 5.3.7 – Authenticated (Subscriber+) Privilege Escalation
Affected Plugin: WP Data Access
Plugin Slug: wp-data-access
Affected Versions: <= 5.3.7
CVE ID: CVE-2023-1874
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 5.3.8

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘wpda_role[]‘ parameter during a profile update. This requires the ‘Enable role management’ setting to be enabled for the site.


Vulnerability Analysis

WP Data Access is a WordPress plugin designed to make data table creation in WordPress more intuitive and easier to manage for site owners. One feature of the plugin is the ability to enable role management, which makes it possible for a site owner to create custom roles and assign multiple roles to different users. Unfortunately, this functionality was insecurely implemented making it possible for authenticated users to assign any role to themselves, including the administrative role.

Taking a closer look at the code, we see that the ‘multiple_roles_update‘ function used to assign a user’s new roles upon updating a profile is hooked via ‘’profile_update‘’. This hook is triggered immediately after any user profile is updated and it does not perform any sort of authorization checks on the user performing the action. As such, this means that any update to a user’s profile, including on the profile.php page, will invoke the hooked function ‘multiple_roles_update‘.

This makes it possible for any authenticated users with an account, such as subscribers, to invoke the ‘multiple_roles_update‘ function.

 $this->loader->add_action( 'profile_update', $wpda_roles, 'multiple_roles_update' );

If the associated function had a capability check, then it may have prevented these users from fully executing the function, however, that was not the case. Reviewing the hooked function, we see a check verifying that the role management setting is enabled, but nothing more. The function then determines the user and looks for the ‘wpda_role‘ array parameter from a given request. If present, it will process the supplied roles and add the role and applicable permissions to the user retrieved in the first step.

This made it possible for authenticated users, such as a subscriber, making profile updates to supply the ‘wpda_role‘ array parameter with any desired roles, such as administrator, during a profile update that would be granted immediately upon save of the profile updates.

public function multiple_roles_update( $user_id ) {
   if ( ! $this->is_role_management_enabled ) {
      return;
   }

   $wp_user = new \WP_User( $user_id );
   if ( isset( $wp_user->data->user_login ) ) {
      $user_login = $wp_user->data->user_login;
      // Get access to editable roles
      global $wp_roles;
      if ( isset( $_REQUEST['wpda_role'] ) && is_array( $_REQUEST['wpda_role'] ) ) {
         // Process roles
         $sanitized_roles = array();
         foreach ( $_REQUEST['wpda_role'] as $new_user_role ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
            $sanitized_new_user_role = sanitize_text_field( wp_unslash( $new_user_role ) ); // input var okay.
            $wp_user->add_role( $sanitized_new_user_role );
            $sanitized_roles[ $sanitized_new_user_role ] = true;
         }

         // Remove unselected roles
         foreach ( $wp_roles->roles as $role => $val ) {
            if ( ! isset( $sanitized_roles[ $role ] ) ) {
               $wp_user->remove_role( $role );
            }
         }
      } else {
         // BUG!!! REMOVED!!!
         // When plugin role management is enabled, this removes all user roles when a user updates his profile.
         // foreach ( $wp_roles->roles as $role => $val ) {
         // $wp_user->remove_role( $role );
         // }
      }
   }
}

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

April 5, 2023 – Discovery of the Privilege Escalation vulnerability in WP Data Access. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
April 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
April 5, 2023 – The vendor confirms the inbox for handling the discussion.
April 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 6, 2023 – A fully patched version of the plugin, 5.3.8, is released.
May 5, 2023 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the WP Data Access plugin that enabled authenticated attackers, with at least subscriber-level access to a site, to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. This flaw has been fully patched in version 5.3.8.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 5.3.8 at the time of this publication.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to a complete site takeover.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

Did you enjoy this post? Share it!

Comments

4 Comments
  • The topic I want to comment on has not been published in your blog (surprise, surprise), so I will post it here. If you delete my comment, I will post it on social media as I‘d like to see your response to it for the benefit of all your customers.

    This morning I received an email from you about your recently deployed firewall rule which caused an issue on some Wordpress websites on the Premium Plan – effectively crashing them. I have read your email three times as clearly I was missing something. Well, I wasn’t.

    While the email provides instructions how to recover the crashed websites, THERE IS NOT A SINGLE WORD OF APOLOGY for the serious issue and hassle YOU have caused.

    This sort of detached, if not arrogant attitude is unheard of, and frankly, unacceptable. It’s as if you didn’t actually accept the responsibility for this bungle.

    Where is “We sincerely apologise for this inconvenience and stand by 24/7 to assist our Premium customers in the site recovery”?

    Errors and glitches do happen on all IT systems, we all know that. But not to have the professional decency to SINCERELY APOLOGISE to your customers for it, but instead, minimise and demean its impact as if it was not a big deal so you don’t feel you need to apologise for anything – speaks to the arrogance of your management and disregard for your customers.

    What happened to your once famous great customer-oriented support? It looks like that’s the end of it.

    As your Premium customer I would like to see your reply.

    • Hi Anna,

      Well first, I'd like to apologize for not apologizing in that email that went out. We are truly, and sincerely, sorry that this issue occurred. It was late in the evening with some of our team being in office for 10-12+ hours after sticking around after business hours to help find a solution for this problem. I know that's no excuse, but as you can imagine we were exhausted so it appears we dropped the ball in that email that went out late. You can find the Twitter thread where we openly communicated to our customers once we learned of the issue and apologized. https://twitter.com/wordfence/status/1646282372617216003

      Again, we are very sorry to have created this issue for many site owners. Please don't hesitate to reach out to our support team which is happy to assist with any questions you have.

      I hope you have a great day!

  • Hi Chloe and Mark - Thank you both for your reply and apology here and in your email. Not so much to me - my website wasn't even affected by this issue - but to your customers at large. I am really glad that you did, albeit with some delay.

    Whether there are 200, 2000 or 2 million customers affected, the scale doesn't matter, as long as the issue isn't linked to one particular website or just one network, of course.

    It's the attitude of the company towards its customers that matters and cements loyalty. And I, for one, value that more than the range and quality of products and services on offer; more than good pricing.

    An apology for something we did that inadvertently created problems for others is usually and instinctively the first thing we say when jumping into damage control. So when that's missing, it doesn't feel right.

    So thank you, I do appreciate it. :-)