Post Grid WordPress Plugin: Vulnerabilities allow intrusion
Two serious vulnerabilities in Post Grid, a WordPress plugin with more than 60,000 installations, open the door to intrusion. For starters, almost identical bugs are also found in Post Grid’s sister plugin, Team Showcase, which has 6,000 installations.
Errors are an XSS defect as well as a PHP injection problem. Both bugs are pending CVE numbers, and both are highly serious, with a score of 7.5 out of 10 on the CvSS Vulnerability Rating Scale.
Post Grid, true to its name, allows users to display their posts in a grid layout. Team Showcase, meanwhile, offers a way to easily identify an organization’s team members. Both allowed the introduction of custom layouts and used almost identical – and vulnerable – functions to do so, according to Wordfence researcher Ram Gall.
The XSS error could allow an attacker to provide a parameter indicating a malicious host hosted elsewhere. The function will then open the file containing the load, decode it, and create a new page layout based on its contents.
“The created layout contained a custom_scripts section and an attacker could add malicious JavaScript to the custom_css section of this section. This will then be done each time a user administrator edits the layout or a visitor visits a layout page. “
The result is that Post Grid intruders could use malicious JavaScript to add a malicious administrator, a backdoor for add-ons or theme files, or to steal administrator session info – these are all ways to complete the recovery of a site.
“In both cases, an incoming intruder with minimal rights, such as a subscriber, could activate the features by sending an AJAX request, with the action set to post_grid_import_xml_layouts for the Post Grid or team_import_xml_layouts for each Team Showcase to activate a function with the same name, “Gall explained.
The second issue, the PHP object detection error, occurs in the input function because it did not capture the payload provided in the source parameter. An attacker could therefore execute arbitrary code, delete or write files, or even perform any number of other actions that could lead to a site being occupied.
To trigger the defect, “an intruder could create a string that could not be sterilized on an active PHP object. “Although no plugin used vulnerable magic methods, if another plugin using a vulnerable magic method was installed, ” object injection ‘could be used by an intruder.”
Both vulnerabilities usually require the attacker to have an account with at least subscriber-level privileges – but there is a gap.
“However, sites that use a plugin or theme that allows unauthorized visitors to execute arbitrary shortcuts will be vulnerable to unauthorized intruders,” Gall added.
The developer of the plugin, PickPlugins, has released patches, so webmasters need to upgrade them as soon as possible. Fixed versions are Post Grid v. 2.0.73 and Team Showcase v. 1.22.16.
These are the latest in a series of flawed WordPress plugins introduced this year. In September, it was found that a major bug in Icegram’s “Subscribers and Email Newsletters” add-on affected more than 100,000 WordPress sites.
Earlier in August, an add-on designed to add quizzes and searches to WordPress sites returned two critical vulnerabilities. Defects could be exploited by remote, unauthorized intruders to launch various attacks – including full takeover of vulnerable sites. Also in August, the Newsletter, a WordPress plugin with more than 300,000 installations, was discovered to have a couple of vulnerabilities that could lead to code execution, and even site takeover.
Note that researchers in July warned of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which was installed on more than 70,000 websites. The bug allowed unauthorized intruders to upload arbitrary files (including PHP files) and eventually execute remote code on vulnerable site servers .
read more articles in our blog