Pentester Nepal
Published in

Pentester Nepal

Hacking into WordPress themes for CVEs and Fun.

Hi there! I hope all is well with you. In this writeup, I’ll discuss about the research I did on a WordPress theme, which taught me a lot about WordPress themes/Plugins security.

So, this started after ITSNP started their own Q&A platform. I planned to signup and as the initiative was cool. After signing up. As a Bug Bounty hunter, I couldn’t stop myself from injecting my XSS payloads into every user input field I came across.

And yes, one of the profile field was found to be vulnerable to XSS:

So, I intended to promptly report it to the concerned individual who was behind it. He responded to me in a positive way, which encouraged me to investigate the website further. As admin had the option to disable fields from user profiles, he blocked that field from user profiles after our short talk about the vulnerability, which reduced the risk of the vulnerability being exploited for the site to some extent.

Digging deeper, i came to know that the website was built on wordpress with Discy theme. Because the theme was utilized by several sites, it posed an equivalent risk to all of them. That is why i thought of notifying theme manager about the vulnerability but i was unsure about their response. So, i reported it to WPScan. Where they themself take the responsibilities to contact vendor and also reserve CVE in return.

This did not conclude with the discovery of a single flaw. I was wondering about further security flaws in this theme, so I downloaded it locally in order to test for security flaws. After inspecting the plugin’s codebase, i came to know that, the “redirect_to” parameter on reset password was not being sanitized which resulted in Cross Site Scripting through forgot password page:

CVE-2022–1597

After some additional testing, I discovered an IDOR to read personal messages:

CVE-2022–1425

After a few more days of testing, I discovered a flaw that allowed me to change any website setting with a low privileged user (as it was q&a website, anyone could simple signup with their own. )

CVE-2022–1323

After delving deeper into the site, I discovered a function that allowed user to ask questions in confidence to any other member of the community. Which was meant to be private but the messages were disclosed to any unauthenticated user through wordPress Rest API:

CVE-2022–1598

When I saw how many vulnerabilities there were, it made me realize that the developers have a lot to learn about the techniques of secure coding. I wish they learnt something about it through my reports. They were using a common plugin for their other themes too called “WPQA”. Then I decided to test some of their other themes, and yes, I was able to find some flaws in them as well:

Ask Me < 6.8.2 — Reflected Cross-Site Scripting

The theme does not properly sanitize and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues
CVE-2022–1241

Broken Access Control to reset settings to default on Ask me theme:

So, by the end of this research i reserved following CVEs:

CVE-2022–1425, CVE-2022–1051, CVE-2022–1597, CVE-2022–1241, CVE-2022–1598, CVE-2022–1323, CVE-2022–1251

Things to Learn as a Developer:

1. Never trust user inputs, Filter input on arrival.

2. Do not just hide functions.

3. Enforce access control policies such that users cannot act outside of their intended permissions

4. Use hash function and use hashed values instead of normal numbers or strings.

Connect with me if you want more tips regarding web application security.

Until Next time!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store