WordPress

CVE-2022-1329

WordPress is one of the most popular content management systems (CMS) in the world. It is not an exaggeration to say that WordPress has changed the internet.

It is estimated that over 75 million websites use WordPress. This includes sites run by individuals, small businesses, and large corporations. WordPress has also been translated into over 70 languages, making it accessible to people all over the world.

The impact of WordPress goes beyond just its popularity. It has also had a significant impact on the web development industry as a whole, democratizing website building and making it accessible to anyone with an internet connection.

That being said, WordPress also has a dark side 😈.

Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory (CyFI Lab) have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites.

Researchers found that every compromised website in their dataset had two or more infected plugins. The findings also indicated that 94% of those plugins are still actively infected.

There are many third-party plugins available for download to extend the functionality of WordPress, too many of them 🤐.

We will discuss one of them on this page: the Elementor plugin (versions 6.0.0 - 6.3.0), which handles AJAX requests in an insecure way.

The plugin uses a nonce for verification, and any authenticated user can find that nonce in the source of the wp-admin dashboard.

The AJAX action is then run without capability checks, which allows users to access several functions, including upload_and_install_pro. The upload_and_install_pro function can be abused to upload a .zip file containing labels and header for the Elementor Pro plugin.

The .zip file can contain any code as long as the labels and headers appear correct, and that code can then be executed to open a shell on the server or perform other malicious actions.
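The missing capability check described above, shown as an added example for a hypothetical plugin (this is not Elementor's code): a nonce-only AJAX handler beside a hardened one. The action names, the nonce action `myplugin_ajax`, the request fields `_nonce` and `package`, and the choice of the `install_plugins` capability are assumptions made for illustration.

```php
<?php
// Added illustration for a hypothetical plugin; not Elementor's code.
// Assumed names: actions "myplugin_install_weak" / "myplugin_install",
// nonce action "myplugin_ajax", request field "_nonce", upload field "package".

// Shared installer built on WordPress core's Plugin_Upgrader.
function myplugin_install_zip( array $file ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    return $upgrader->install( $file['tmp_name'] ); // true on success, else false/WP_Error
}

// WEAK: the nonce is the only gate. A nonce is an anti-CSRF token tied to the
// user's session; it proves where the request came from, not what the user may do.
// Every logged-in role that can read the nonce passes this check.
add_action( 'wp_ajax_myplugin_install_weak', function () {
    check_ajax_referer( 'myplugin_ajax', '_nonce' );
    myplugin_install_zip( $_FILES['package'] );
    wp_send_json_success();
} );

// HARDENED: nonce AND capability, both checked before the upload is touched.
add_action( 'wp_ajax_myplugin_install', function () {
    // 1. CSRF: reject a missing or stale nonce with an explicit 403.
    if ( ! check_ajax_referer( 'myplugin_ajax', '_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // 2. Authorization: installing code requires an administrator-level capability.
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 3. Input: accept only a completed HTTP upload.
    $file = isset( $_FILES['package'] ) ? $_FILES['package'] : null;
    if ( ! is_array( $file ) || UPLOAD_ERR_OK !== $file['error']
        || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No valid upload.' ), 400 );
    }
    // 4. Install and report failure instead of assuming success.
    if ( true !== myplugin_install_zip( $file ) ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    wp_send_json_success();
} );
```

When auditing a plugin, any `wp_ajax_` handler that calls `check_ajax_referer()` or `wp_verify_nonce()` without a matching `current_user_can()` deserves a closer look.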



What is Elementor?

On March 29, 2022, the Wordfence Threat Intelligence team initiated the disclosure process for a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

Elementor is a drag-and-drop page builder for WordPress. This plugin helps you create beautiful pages using a visual editor (which is exactly what Wix and a ton of other programs are doing, without a plugin). It's designed to build dynamic websites quickly. This WordPress plugin is an all-in-one solution, letting you control every part of your website design in a single platform.