Options in WordPress are Administrator-level settings and are considered dangerous, but WordPress itself provides protection when users try to change their values. This matters where a plugin calls update_option on user input in its administrative area, and also for WordPress itself when it is offered as a customized SaaS / managed WordPress with measures that prevent WP Administrators from performing critical operations on the system.
If we look at the code in wp-admin/options.php, we see that an Administrator or Network Administrator can reach an update_option call with user input. This is fine, because in this function we have validation: it is performed via a sanitize_option call, and this function prevents meddling with some of the critical option values. For instance, you must supply a valid host for blog posting via email, you must set a valid (WordPress-style) email address, many values are cast to integers, and so on. So this protection has its purpose, but it is bypassable. How?
It is straightforward: sanitize_option checks the option key, and keys are only trim-ed. This means that if we craft an option key starting or ending with some interesting character(s), we have a bypass, because the option update uses the option key in the SQL WHERE clause, where the database's string comparison matches the crafted key to the original one even though sanitize_option no longer recognizes it.
If we craft a valid POST request towards /wp-admin/options.php, then the following changes are needed in order to change the
Find admin_email in the crafted request and change it to
e.g. prepend the \u035D character and place anything as the value!
- Any CSRF / nonce theft from an Admin is now more dangerous
- Any SaaS/managed WordPress that prevents Admins from doing certain things
- Any options-based backdoor is now exploitable
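The defensive counterpart to the key-trimming observation above is to validate option names before they reach update_option, not only their values. The following is an added example (not WordPress code and not from the post's author) of a pre-update check that a host or security product could run over the posted field names: it folds each name with NFKD, strips combining and format characters, and case-folds it, then rejects any name that collapses onto a protected key without being that key exactly. It goes beyond the single \u035D character in the post to any combining mark, compatibility form, or case variant, on the assumption (stated in the post) that the database compares option keys leniently. The PROTECTED set, the ASCII allow-list, and the SAMPLE_POST form data are all constructed for illustration; the database comparison itself is not reproduced.

```python
"""Hardening check for option names posted to an options-update endpoint.

Added example, not WordPress code. It models the observation that
sanitize_option() matches on the exact key while the database row is
selected under a lenient string comparison, so a key that differs from a
protected name only by a combining character can slip past validation yet
still update the protected row. Lists and form data are constructed.
"""
import unicodedata

# Unicode categories a lenient comparison may ignore: nonspacing marks,
# spacing marks, enclosing marks and format characters (e.g. U+035D is Mn).
IGNORABLE_CATEGORIES = {"Mn", "Mc", "Me", "Cf"}

# Assumed allow-list for option names; core option names are ASCII.
ALLOWED_CHARS = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"
)

# Constructed subset of keys that sanitize_option() validates by exact name.
PROTECTED_OPTIONS = {
    "admin_email",
    "new_admin_email",
    "siteurl",
    "home",
    "mailserver_url",
}


def fold_name(name: str) -> str:
    """Collapse a name the way a lenient comparison might: decompose with
    NFKD, drop ignorable marks/format characters, then lower-case
    (case-insensitive collations also equate upper and lower case)."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(
        ch for ch in decomposed
        if unicodedata.category(ch) not in IGNORABLE_CATEGORIES
    )
    return stripped.lower()


def classify_option_name(name: str) -> str:
    """Return 'ok', 'reject:empty', 'reject:protected-alias' or
    'reject:charset' for a single posted option name."""
    name = name.strip()  # mirror the trim the post says is applied
    if not name:
        return "reject:empty"
    folded = fold_name(name)
    # A name that is not literally a protected key but folds onto one is
    # exactly the disguise the post describes: reject it outright.
    if folded in PROTECTED_OPTIONS and folded != name:
        return "reject:protected-alias"
    # Everything else must stay within the conservative allow-list.
    if any(ch not in ALLOWED_CHARS for ch in name):
        return "reject:charset"
    return "ok"


def audit_post_fields(fields: dict) -> dict:
    """Return {posted_name: verdict} for every field that is not 'ok'.
    An empty result means the request carries no disguised option keys."""
    verdicts = {}
    for name in fields:
        verdict = classify_option_name(name)
        if verdict != "ok":
            verdicts[name] = verdict
    return verdicts


# Constructed form body resembling a submission to the options screen.
SAMPLE_POST = {
    "blogname": "Example Site",
    "admin_email": "owner@example.invalid",
    "\u035Dadmin_email": "anything-goes",   # combining double breve prepended
    "  siteurl  ": "https://example.invalid",  # surrounding whitespace only
    "my_plugin_colour": "blue",
}

if __name__ == "__main__":
    for posted, verdict in audit_post_fields(SAMPLE_POST).items():
        print(f"{verdict}: {posted!r} folds to {fold_name(posted)!r}")
```

Running it flags only the disguised admin_email field; the whitespace-padded siteurl passes because trimming already handles it, which is the point of the post: trimming is the only normalization applied, so everything else has to be caught before the key reaches the query.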
If you are a WP developer, WP host provider, or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).