The following issues were identified and reported to the vendor of the WordPress plugin “popup-maker”, during a Web Application Security Assessment for one of the Neurosoft’s clients.

Summary

Product Affected: WordPress Plugin Popup-Maker.
Version Affected: Plugin version < 1.8.12 (version 1.8.12 has a partial remediation).
Active installations: 400.000+
Vulnerability Description: An unauthenticated attacker can retrieve information regarding WordPress Plugins (active/inactive), the Webserver Configuration, the PHP Configuration and more. Further attacks may also be possible.
Remediation: Update to latest version of popup-maker (>1.8.13).
CVSS Score: Pending
Vector String: Pending
Acknowledgments: Elias Dimopoulos from NeuroSoft S.A. (Redyops Team).
Reference

  • https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
  • https://wpvulndb.com/vulnerabilities/9907
  • https://nvd.nist.gov/vuln/detail/CVE-2019-17574

PoC:

  1. curl http://www.your-domain-with-popup-maker.com/?pum_action=tools_page_tab_system_info
  2. curl -v -d “popmake_action=popup_sysinfo&popmake-sysinfo=choose any content you like” -X POST http://www.your-domain-with-popup-maker.com/

The vulnerabilities which have been reported are the following:

  1. Indirect Object Reference: An attacker can partially control the arguments of the do_action, during the initialization of the PUM_Site . Because of this, an attacker can call any method which contains an action starting from popmake_ or pum_ . This will lead to successful execution of functions which do not require arguments (e.g: PUM_Admin_Tools::sysinfo_download or PUM_Admin_Tools::sysinfo_display) or require one argument as an array.
  2. Lack of authorization: There are calls which can be performed and require no authentication. As we will see in the following sections, an attacker can execute the PUM_Admin_Tools::sysinfo_display without any authentication.
  3. Lack of CSRF tokens: The use of the wordpress nonces like _wpnonce or pum_tools_nonce is not required. This makes the plugin vulnerable to CSRF attacks which can be used in order to force the remote server to serve a victim the file popmake-system-info.txt, with contents of the attacker’s choice. Further attacks may be possible because of the lack of CSRF tokens.

After the exploitation of the security issues, an unauthenticated attacker (guest) can at least perform the following:

  1. Retrieve the information which is presented in the “System Info” tab . After a successful attack, the attacker will obtain information regarding WordPress Plugins (active/inactive), the Webserver Configuration, the PHP Configuration and more.
  2. Force the remote server to serve a victim the file popmake-system-info.txt with contents of the attacker’s choice. This attack requires the victim to enter a malicious site.

Details

  1. When the plugin is loaded, the Popup_Maker class initializes the PUM_Site class by calling PUM_Site::init(); This call can be found on https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/popup-maker.php#L318 (line 318)
  2. When the PUM_Site class is being initialized, it also calls the “actions” function https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Site.php#L10 . In the “actions” function of the PUM_Site class, which can be found on https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Site.php#L36 (line 36), the attacker controls part of the argument of the “do_action” function.
The attacker can force a call to any of the following:
do_action( ‘popmake_attacker_controlled_data, $_GET );
do_action( ‘pum_attacker_controlled_data, $_GET );
do_action( ‘popmake_attacker_controlled_data, $_POST );
do_action( ‘pum_attacker_controlled_data, $_POST );

The attacker controls the “attacker_controlled_data” part, because this part is passed as an argument from the $_GET[‘popmake_action’], $_GET[‘pum_action’], $_POST[‘popmake_action’] or $_POST[‘pum_action’] .

Exploitation

Now we can create our request, in order to perform unintended actions.
We used a GET request in the /?pum_action=tools_page_tab_system_info .

Based on what we have seen so far, the following are happening:

  1. The execution reaches thePUM_Site::actions .
  2. The execution continues to the else if branch in https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Site.php#L41 (line: 41).
  3. The function “do_action” : do_action( ‘pum_tools_page_tab_system_info‘, $_GET ); is called
  4. This function call, will cause the execution of the PUM_Admin_Tools::sysinfo_display (https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Admin/Tools.php#L164) . We will reach this function, because the “pum_tools_page_tab_system_info” corresponds to the sysinfo_display function ( https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Admin/Tools.php#L28 )

In the same way, we can reach other functions as well.
For example, in the following picture we use the popmake_action parameter with the value popup_sysinfo , in order to reach the if/else branch:https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Site.php#L40 and execute the do_action( ‘popmake_popup_sysinfo‘, $_POST ); .
This way we end up executing the PUM_Admin_Tools::sysinfo_download ( https://plugins.trac.wordpress.org/browser/popup-maker/tags/1.8.11/classes/Admin/Tools.php#L433 ) and forcing the contents of the popmake-system-info.txt, to be anything we want to.