Critical Arbitrary File Deletion Vulnerability in MP3 Audio Player WordPress Plugin Affects Over 20,000 Sites

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with >=1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024, researchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

On August 4th, 2024, we received a submission for an Arbitrary File Deletion vulnerability in MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar, a WordPress plugin with over 20,000 active installations. This vulnerability can be leveraged by attackers to delete critical files like wp-config.php which can lead to remote code execution by authenticated attackers with minimal permissions such as subscribers.

Props to Arkadiusz Hydzik who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $705.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

All Wordfence users, including Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected by the Wordfence Firewall’s built-in directory traversal and local file inclusion rules.

We sent the full disclosure details to the plugin’s author on August 16th, 2024 and they acknowledged the report the same day. The patch was released just over a week later on August 27th, 2024. We commend the team at Sonaar for the quick response and remediation of this vulnerability.

We urge users to update their sites with the latest patched version of MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar, version 5.7.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the ‘file’ parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible when wp-config.php is deleted.

Technical Analysis

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin is designed to allow site owners to upload and host an audio player on their WordPress website. One feature of the plugin is the ability to upload audio peak files. Unfortunately, part of this functionality that deletes temporary files was insecurely implemented making it possible to supply arbitrary files to be deleted.

The root of the problem was present in the removeTempFiles() function which had two flaws: no authorization check and insufficient validation on the ‘file‘ parameter. The function does check if the file is in the audio_peaks directory, however, it does not account for any directory traversal which makes it possible for a user to supply a path to the audio peaks directory and then traverse out using a directory traversal sequence like ‘../’ to delete any arbitrary file through the wp_delete_file() function.

public function removeTempFiles(){
		// will unlink the temporary peak file and generate another one automatically.

		check_ajax_referer('sonaar_music_admin_ajax_nonce', 'nonce');
	
		$is_temp = filter_input(INPUT_POST, 'is_temp', FILTER_VALIDATE_BOOLEAN);
		$file = filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING);
	
		if ($is_temp && $file) {
			$upload_dir = wp_get_upload_dir();
			
			$peaks_dir = $this->get_peak_dir();
	
			$file_path_temp = str_replace($upload_dir['baseurl'] . $this->get_peak_dir(true), $peaks_dir, $file);
	
			if (strpos($file_path_temp, $peaks_dir) === 0 && file_exists($file_path_temp)) {
				wp_delete_file($file_path_temp);
			}
		}

This function is hooked via a WordPress AJAX action, making it accessible to all authenticated users regardless of their privileges considering no authorization checks were present.

add_action('wp_ajax_removeTempFiles', array($this, 'removeTempFiles'));

While a nonce check was present, the nonce was generated through the enqueue_scripts() function of the Sonaar_Music_Admin class, hooked via ‘admin_enqueue_scripts’ when the ‘$hook’ or page path matches sr_playlist_page_srmp3_settings_.

This makes it possible for authenticated users to “spoof” a path like /wp-admin/index.php/%0a/wp-admin/sr_playlist_page_srmp3_settings_ which will generate a valid nonce and provide it in the source code of the page. This means that any authenticated user should be able to pass the nonce check and access the functionality if they have access to the wp-admin dashboard.

if (strpos($hook, SR_PLAYLIST_CPT . '_page_srmp3_settings_') === 0) {
            wp_enqueue_script( 'cmb2_image_select_metafield-js', plugin_dir_url( __FILE__ ) . 'library/cmb2-image-select-field-type/image_select_metafield.js' , '', '1.0.0', true );  // Used for plugin settings page only. it does not work on group repeater fields
            wp_enqueue_script( 'sonaar-music', plugin_dir_url( __DIR__ ) . 'public/js/sonaar-music-public.js', array( 'jquery' ), $this->version, true ); // used for peak generation
            wp_localize_script('sonaar-admin', 'sonaar_music', array(
                'plugin_version_free'=> SRMP3_VERSION,
                'plugin_version_pro'=> ( defined( 'SRMP3PRO_VERSION' ) ? SRMP3PRO_VERSION : 'Not Installed' ),
                'ajax' => array(
                    'ajax_url' => admin_url( 'admin-ajax.php' ),
                    'ajax_nonce' => wp_create_nonce( 'sonaar_music_admin_ajax_nonce' ),
                    'ajax_nonce_peaks' => wp_create_nonce( 'sonaar_music_ajax_peaks_nonce' ),
                ),
            ));

The developer patched this by implementing a capability check and better path validation on the ‘file’ parameter so that only files in the audio_peaks directory could be deleted, and directory traversal attempts would be stripped.

https://plugins.trac.wordpress.org/changeset/3142445/mp3-music-player-by-sonaar/trunk/includes/class-sonaar-music.php

Arbitrary file deletion vulnerabilities are a serious issue in WordPress. When present, an attacker can delete the wp-config.php file which makes WordPress treat the instance as a new install. The attacker can then access the WordPress setup page, connect their own database to the site to deliver spam, and then further infect the filesystem by installing malicious plugins or utilizing the plugin/theme editors to inject backdoors.

Developer Reminder: Never Use Nonces For Access Control

This vulnerability serves as an important reminder that nonce checks alone are not a valid protection mechanism for authorization. Developers must use capability checks like current_user_can() to properly validate if a user has the authorization to be performing a specific action. Nonces should only be used for Cross-Site Request Forgery protection and to verify that a user intended to perform a specific action.

We’ve covered this in depth in a previous article which you can about read here. There have been many instances where nonces have been used as a means of access control, however, the nonce was present on pages available to authenticated, or even unauthenticated users, or functionality they have access to which effectively negates any protection.

Disclosure Timeline

August 4, 2024 – We received the submission for the Arbitrary File Deletion vulnerability in MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaa via the Wordfence Bug Bounty Program.
August 15, 2024 – We validated the report and confirmed the proof-of-concept exploit. We also confirm that Wordfence users are adequately protected.
August 16, 2024 – We sent over the full disclosure details via the vendor’s security issues form.
August 16, 2024 – The vendor acknowledged the report and began working on a fix.
August 27, 2024 – The fully patched version of the plugin, 5.7.1, was released.

Conclusion

In this blog post, we detailed an Arbitrary File Deletion vulnerability within the MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin affecting versions 5.7.0.1 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to delete arbitrary files on the server which can be leveraged to achieve remote code execution and lead to complete site compromise. The vulnerability has been addressed in version 5.7.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar as soon as possible considering the critical nature of this vulnerability.

All Wordfence users, including Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response users are protected by the Wordfence Firewall’s built-in directory traversal and local file inclusion rules.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.