Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin

On March 3, 2020, our Threat Intelligence team found several vulnerabilities in WP Lead Plus X, a WordPress plugin with over 70,000 installations designed to allow site owners to create landing and squeeze pages on their sites. These vulnerabilities allowed an authenticated attacker with minimal permissions, such as a subscriber, to create or completely replace any page on a site with their own page containing malicious JavaScript, defacement, or a redirect. Additionally, an unauthenticated attacker could also upload a malicious page template which, if used by an administrator running the premium version of the plugin, would execute malicious JavaScript in that administrator's browser, potentially leading to site takeover.

We attempted to contact the plugin's author the next day, on March 4, 2020, followed up on March 12, 2020, and privately sent the full vulnerability disclosure. The plugin's author released an initial patch containing capability checks on March 15th. We followed up with them the next day because the patched version was still vulnerable to Cross-Site Request Forgery (CSRF), and were informed that a more complete patch would be forthcoming. More than 2 weeks later, and more than a month after our initial contact attempt, the complete patch is not yet available.

If this plugin is critical to your site's functionality, we strongly recommend updating to at least version 0.99 immediately, as at least some of these security issues are patched in that version. Ideally, we recommend disabling and deleting this plugin until a more complete patch becomes available.

Wordfence Premium customers received a new firewall rule on March 4, 2020 to protect against exploits targeting these vulnerabilities. Users still using the free version of Wordfence will receive this rule on April 3, 2020.


Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: CVE-2020-11508
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
CVSS Score: 9.1 (Critical)
Patched Version: 0.99

WP Lead Plus X is a WordPress plugin that allows site owners to create custom landing and “squeeze” pages, complete with its own page builder interface capable of inserting custom JavaScript. Unfortunately, this page builder interface also relied on an unprotected AJAX function which lacked both a capability check and a nonce check when saving and updating pages:

add_action('wp_ajax_core37_lp_save_page', 'core37_lp_save_page');

function core37_lp_save_page()
{
	$content = array();
	parse_str(file_get_contents("php://input"), $content);

	//pass the form ID to the editor
	echo Page_Manager::save_page($content);
	die();
}

As such, it was possible for a logged-in attacker with minimal permissions (such as a subscriber) to send a $_POST request to wp-admin/admin-ajax.php with the action parameter set to core37_lp_save_page along with the pageContent, pageSlug, pageTitle, and pageSettings parameters describing the page to be created. This included the page title, page slug, page content, and any JavaScript the attacker wanted to execute when the page loaded.

Worse yet, if a pageID parameter was sent with the ID of an existing page or post, that page or post would be completely replaced by the malicious page. This made it possible for an attacker to completely replace every single post or page on a site, including revision backups, with their own malicious content, with no way to revert other than restoring content from a database backup.

In addition to inserting malicious JavaScript, which by itself could be used to redirect visitors to malvertising sites or steal sensitive information, this vulnerability could be used to effectively turn any site running the plugin into a spam site.
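As an added example (not code from the plugin, nor the 0.99 patch, nor part of the original disclosure), here is how a handler like the one above can be hardened with the mechanisms WordPress already provides: a nonce that the page builder's script receives and sends back with each save, a capability check, and a per-object check before an existing post or page is overwritten through pageID. The nonce action name c37_save_page, the script handle c37-page-builder and the JavaScript object name c37Editor are assumptions made for this example; Page_Manager::save_page() is the plugin's own call as shown above.

```php
<?php
// Added example, not the plugin author's code. Assumed names: the nonce
// action "c37_save_page", the script handle "c37-page-builder" and the
// JS object "c37Editor". Page_Manager is the plugin's existing class.

// 1. Hand a nonce to the page builder's JavaScript on the admin screen that
//    loads it. WordPress ties the nonce to the current user and session, so
//    a third party cannot pre-compute it for a forged request.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('c37-page-builder', 'c37Editor', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'nonce'   => wp_create_nonce('c37_save_page'),
    ));
});

// 2. Register the handler for logged-in users only (no wp_ajax_nopriv_ twin).
add_action('wp_ajax_core37_lp_save_page', 'core37_lp_save_page_hardened');

function core37_lp_save_page_hardened()
{
    // Nonce check: stops CSRF, because a cross-site request cannot carry a
    // value the victim's browser never sends automatically. Dies on failure.
    check_ajax_referer('c37_save_page', 'nonce');

    // Capability check: a subscriber never gets past this line.
    if (!current_user_can('edit_pages')) {
        wp_send_json_error('insufficient permissions', 403);
    }

    $content = array();
    parse_str(file_get_contents('php://input'), $content);

    // Per-object check: replacing an existing post or page requires edit
    // rights on that specific object, not just the general capability.
    if (!empty($content['pageID'])) {
        $page_id = absint($content['pageID']);
        if (!$page_id || !current_user_can('edit_post', $page_id)) {
            wp_send_json_error('cannot edit that page', 403);
        }
    }

    // Raw HTML/JavaScript is only accepted from users WordPress would let
    // post it anyway; everyone else gets the post-safe HTML subset.
    if (!current_user_can('unfiltered_html')) {
        $content['pageContent'] = wp_kses_post($content['pageContent'] ?? '');
    }
    $content['pageTitle'] = sanitize_text_field($content['pageTitle'] ?? '');
    $content['pageSlug']  = sanitize_title($content['pageSlug'] ?? '');

    echo Page_Manager::save_page($content);
    wp_die();
}
```

The page builder script would then post its form-encoded body to c37Editor.ajaxUrl with action=core37_lp_save_page and nonce=c37Editor.nonce; check_ajax_referer() reads that nonce from $_REQUEST, so the same request body that the original handler parsed from php://input still works. Note that the nonce and capability checks address the CSRF and authorization issues described in this post; the wp_kses_post() step is an additional defence-in-depth choice, not something the disclosure specifies.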


Description: Unauthenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: CVE-2020-11509
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 7.1 (High)
Patched Version: 0.99

One of the features available to users who have paid for a license key for WP Lead Plus X is the ability to create and use “template” pages, which can be imported as a starting point when creating new pages. Although this feature isn't visible if the plugin doesn't have a license key, it was still possible for an unauthenticated user to import a template containing malicious JavaScript. This was due to an admin_post action available to unprivileged visitors:

add_action('admin_post_nopriv_c37_wpl_import_template', array($this, 'c37_wpl_import_template'));

Additionally, the function called by this action lacked nonce and capability checks:

    public function c37_wpl_import_template()
    {
        if (isset($_FILES))
        {
            foreach($_FILES['files_name']['tmp_name'] as $tmpFile)
            {
                Template_Manager::importTemplateFromString(file_get_contents($tmpFile));
            }
        }

        wp_redirect($_POST['request_url'] . '&import=success');
    }

As such, it was possible for an unauthenticated attacker to upload a template by sending a $_POST request to wp-admin/admin-post.php, with the action parameter set to c37_wpl_import_template and a files_name[] parameter containing a maliciously crafted template file. If a site owner with a licensed copy of the plugin used this imported template to create a page, the malicious JavaScript would execute in their browser, potentially leading to site takeover.
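As an added example (again not the plugin's code or its patch), here is a hardened version of this admin_post flow. The defensive points it shows are: registering only the authenticated admin_post_ hook and never the admin_post_nopriv_ twin, validating the nonce with check_admin_referer() (the counterpart of wp_nonce_field() in the upload form), requiring a capability, checking each entry of $_FILES before reading it, and redirecting to a server-side URL with wp_safe_redirect() instead of a caller-supplied one. The nonce action name c37_import_template, the admin page slug c37-templates and the class name are assumptions; Template_Manager::importTemplateFromString() is the plugin's own call as shown above.

```php
<?php
// Added example, not the plugin author's code. Assumed names: the nonce
// action "c37_import_template" and the admin page slug "c37-templates".
// Template_Manager is the plugin's existing class.

class C37_Template_Import_Hardened
{
    public function __construct()
    {
        // Only the authenticated hook is registered. The admin_post_nopriv_
        // variant, which exposed the import to anonymous visitors, is absent.
        add_action('admin_post_c37_wpl_import_template', array($this, 'c37_wpl_import_template'));
    }

    // Renders the upload form on the plugin's own admin screen.
    // wp_nonce_field() emits the hidden nonce and referer inputs that
    // check_admin_referer() later validates.
    public function render_form()
    {
        ?>
        <form method="post" enctype="multipart/form-data"
              action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
            <?php wp_nonce_field('c37_import_template'); ?>
            <input type="hidden" name="action" value="c37_wpl_import_template">
            <input type="file" name="files_name[]" multiple>
            <?php submit_button('Import templates'); ?>
        </form>
        <?php
    }

    public function c37_wpl_import_template()
    {
        // Nonce check (dies with a 403 page on failure), then capability check.
        check_admin_referer('c37_import_template');
        if (!current_user_can('manage_options')) {
            wp_die('Insufficient permissions', '', array('response' => 403));
        }

        $uploads = $_FILES['files_name'] ?? null;
        if (is_array($uploads) && is_array($uploads['tmp_name'])) {
            foreach ($uploads['tmp_name'] as $i => $tmpFile) {
                // Skip failed uploads and anything that did not arrive via
                // this HTTP request (is_uploaded_file guards the temp path).
                if ($uploads['error'][$i] !== UPLOAD_ERR_OK || !is_uploaded_file($tmpFile)) {
                    continue;
                }
                Template_Manager::importTemplateFromString(file_get_contents($tmpFile));
            }
        }

        // Return to the plugin's own screen. The target is built server-side
        // and wp_safe_redirect() only follows URLs on this site's host.
        $back = add_query_arg('import', 'success', admin_url('admin.php?page=c37-templates'));
        wp_safe_redirect($back);
        exit;
    }
}

new C37_Template_Import_Hardened();
```

These checks close the unauthenticated import path and the CSRF path described in this post. They do not by themselves neutralise JavaScript inside an already-imported template, so the builder still needs to treat template content as untrusted when it renders it for an administrator.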


Description: Cross-Site Request Forgery (CSRF)
Affected Plugin: Landing Page – Squeeze Page – Responsive Landing Page Builder Free – WP Lead Plus X
Plugin Slug: free-sales-funnel-squeeze-pages-landing-page-builder-templates-make
Affected Versions:
CVE ID: Pending
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
CVSS Score: 8.3 (High)
Patched Version: N/A

As mentioned previously, none of the functions in this plugin use nonce checks, so it's possible for an attacker to perform any action the plugin is capable of by tricking an administrator into clicking a specially crafted link designed to perform that action. This includes all of the functions described above, including adding pages to the site, replacing site content with malicious JavaScript, and more.

What should I do?

This is an unusual situation in that the plugin has not yet been fully patched. It is still vulnerable to a CSRF attack. Additionally, firewalls (including the Wordfence Web Application Firewall) cannot protect a site against a CSRF attack, as these attacks look like legitimate requests to your site. If you manage a site with this plugin installed, this means that the security of your site is precariously in your hands, and in the hands of anyone with administrator rights to your site. CSRF attacks require the victim's participation, usually by clicking a crafted link in an email. If this plugin is absolutely critical to your site's functionality, we urge you to upgrade to the latest available version and exercise extreme caution when visiting any links, especially those sent to you in email messages. If you're not actively using this plugin, we recommend disabling it and removing it until a more complete patch is available.

Disclosure Timeline

March 3, 2020 – Wordfence Threat Intelligence discovers and analyzes vulnerabilities in the WP Lead Plus X plugin.
March 4, 2020 – Firewall rule released for Wordfence Premium customers. Initial outreach to plugin developer.
March 12, 2020 – Follow-up with developer as no response was received. Developer confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
March 15, 2020 – Plugin developer releases initial patch including capability checks.
March 16, 2020 – Follow-up with developer as patched version is still vulnerable to CSRF. Developer replies that a fix for the CSRF issues is forthcoming.
April 3, 2020 – Firewall rule becomes available to Wordfence free customers.

Conclusion

In today's post, we detailed two stored XSS vulnerabilities in the WP Lead Plus X plugin, as well as a CSRF vulnerability. The XSS flaws have been patched in version 0.99 and we recommend that users who rely on this plugin update to the latest available version immediately. The CSRF vulnerability has not yet been patched, and we recommend that users who are able to do so deactivate and delete this plugin until a more complete patch is available.

Sites running Wordfence Premium have been protected against attacks on the XSS vulnerabilities since March 4, 2020. Sites running the free version of Wordfence received the same firewall rule update on April 3, 2020.

