
Warning: WordPress plugins vulnerable to privilege escalation

Reference:
Advisory #2023-37
Affected software:
WCFM Membership plugin for WordPress versions prior to and including 2.10.0
CVE/CVSS:

CVE-2022-4939: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://securityonline.info/wcfm-membership-wordpress-plugin-cve-2022-4939-vulnerability-exposes-thousands-of-websites-to-attacks

https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites

Risks

An unauthenticated remote attacker can register as an administrator on the website. This gives the attacker full control of the website and compromises its confidentiality, integrity, and availability. An attacker can modify, delete or publish content and settings, access sensitive data and credentials, and use the website as a launching pad for further cyberattacks, such as redirecting visitors to malicious websites.

On the 6th of April, a Proof-of-Concept (PoC) was published on GitHub for CVE-2022-4939.

Security firms have reported that the "Elementor Pro" vulnerability is being actively exploited, as seen in their customers' logs.

Description

Two vulnerabilities have been linked to the WooCommerce plugin for WordPress, allowing an attacker to gain the administrator role and cause further damage to the website.

Concerning the critical vulnerability CVE-2022-4939, an unauthenticated attacker can modify the registration form and set the role assigned on registration to any user role, including administrator. Once the configuration is modified, the attacker can register as an administrator, which gives them full control of the website and allows them to perform additional malicious actions. This happens due to a missing capability check on the "wp_ajax_nopriv_wcfm_ajax_controller" AJAX action that controls membership settings.

Another high-severity vulnerability was discovered by researchers and concerns the "Elementor Pro" plugin when installed alongside WooCommerce. More specifically, the flaw lies in the AJAX action "pro_woocommerce_update_page_option". Lack of proper validation allows any user to modify WordPress options in the database, including enabling registration of an administrator account and changing the administrator email address.
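Both flaws described above share one root cause: an AJAX handler that writes site options without checking who is calling it or which option is being written. The following PHP is an added illustration of that pattern beside a hardened version; it is not the code of WCFM Membership, Elementor Pro or WooCommerce, and every function, action and option name prefixed `example_` is hypothetical. Only the WordPress core APIs (`add_action`, `check_ajax_referer`, `current_user_can`, `update_option`, `wp_send_json_*`) are real.

```php
<?php
/*
 * Added illustration, not plugin code. Shows why a missing capability check
 * on an AJAX option-update action lets anyone obtain an administrator account,
 * and what the same handler looks like when hardened.
 */

/* --- Vulnerable pattern --------------------------------------------------- */
function example_vulnerable_update_option() {
    // Whatever the client sends is written straight into wp_options:
    // option_name=default_role&option_value=administrator is enough to make
    // every self-registered account an administrator.
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_option_unsafe',        'example_vulnerable_update_option' );
// The wp_ajax_nopriv_ hook is what makes the action reachable without logging in.
add_action( 'wp_ajax_nopriv_example_update_option_unsafe', 'example_vulnerable_update_option' );

/* --- Hardened pattern ----------------------------------------------------- */
// Allowlist: only the options this feature legitimately owns, each validated.
// Core options such as default_role, users_can_register and admin_email are
// simply not on the list, so the handler can never touch them.
function example_validate_option( $name, $value ) {
    switch ( $name ) {
        case 'example_membership_message':
            return sanitize_text_field( $value );
        case 'example_membership_enabled':
            return '1' === $value ? '1' : '0';
        case 'example_registration_role':
            // If the feature really must choose a registration role, pick from a
            // fixed set of low-privilege roles rather than trusting the request.
            return in_array( $value, [ 'subscriber', 'customer' ], true ) ? $value : null;
        default:
            return null; // refused
    }
}

function example_hardened_update_option() {
    // 1. CSRF: the request must carry a nonce issued to this logged-in user.
    check_ajax_referer( 'example_update_option', 'nonce' );

    // 2. Authorization: only users allowed to manage site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist and validation of both the option name and its value.
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = example_validate_option( $name, $raw );
    if ( null === $value ) {
        wp_send_json_error( 'option not allowed', 400 );
    }

    update_option( $name, $value );
    wp_send_json_success();
}
// Registered for logged-in users only: there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_update_option', 'example_hardened_update_option' );
```

The nonce alone is not an authorization check (any logged-in subscriber can obtain one), and the capability check alone does not stop a logged-in administrator from being tricked into issuing the request; the two controls address different risks and a handler that changes settings needs both, plus an allowlist so that a future bug cannot widen it to arbitrary options.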

Recommended actions

The Centre for Cybersecurity Belgium strongly recommends that Windows system administrators take the following actions:

  • Update the plugins to the latest version.
  • Keep track of the plugins used on your website and ensure you keep them up to date.
  • Monitor your website for unusual activity, such as new user registrations or unauthorized content changes.
  • Consider setting up a web application firewall (WAF) to help detect and block malicious traffic.
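The monitoring recommended above can be done inside WordPress itself, because the values an attacker changes (the options that enable self-registration, the default role, the administrator email) and the events they cause (an administrator account appearing) all pass through core hooks. The must-use plugin below is an added example and not CCB-provided code; the `EXAMPLE_ALERT_EMAIL` constant, the `example_alert` function and the log format are assumptions. The hooks `update_option_{$option}`, `user_register` and `set_user_role` are real WordPress core actions.

```php
<?php
/*
 * Plugin Name: Example admin-change alerts (added illustration, not CCB code)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and
 * cannot be deactivated from the dashboard. All example_* names are hypothetical.
 */

// Define the alert address in wp-config.php:
//   define( 'EXAMPLE_ALERT_EMAIL', 'soc@example.org' );
// Do NOT read it from get_option( 'admin_email' ): that option is one of the
// values an attacker changes, so alerts would go to the attacker.
function example_alert( $subject, array $details ) {
    $line = sprintf(
        '[wp-alert] %s | %s | ip=%s | uri=%s',
        $subject,
        wp_json_encode( $details ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    );
    error_log( $line ); // lands in the PHP/web-server error log for log collection
    if ( defined( 'EXAMPLE_ALERT_EMAIL' ) ) {
        wp_mail( EXAMPLE_ALERT_EMAIL, 'WordPress alert: ' . $subject, $line );
    }
}

// 1. Changes to the options that are flipped to obtain an administrator account.
//    update_option_{$option} only fires when the stored value actually changes.
foreach ( [ 'users_can_register', 'default_role', 'admin_email' ] as $option ) {
    add_action( "update_option_{$option}", function ( $old_value, $new_value, $option ) {
        example_alert( 'sensitive option changed', [
            'option' => $option,
            'old'    => $old_value,
            'new'    => $new_value,
            // 0 means the change was made by an unauthenticated request,
            // exactly the situation the nopriv AJAX flaw creates.
            'user'   => get_current_user_id(),
        ] );
    }, 10, 3 );
}

// 2. A new account that holds the administrator role from the moment it is created.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        example_alert( 'administrator account registered', [
            'user_id' => $user_id,
            'login'   => $user->user_login,
            'email'   => $user->user_email,
        ] );
    }
}, 10, 1 );

// 3. An existing account (one that already had roles) promoted to administrator.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role
         && ! empty( $old_roles )
         && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        example_alert( 'account promoted to administrator', [
            'user_id'   => $user_id,
            'old_roles' => $old_roles,
            'by'        => get_current_user_id(),
        ] );
    }
}, 10, 3 );
```

Alerting from inside the application is a detection layer, not a fix: once an attacker holds an administrator account they can delete the mu-plugin, so the `error_log` line should be shipped off the host, and the plugins themselves still have to be updated. The `REMOTE_ADDR` field shows the reverse proxy's address when one is in front of the site; take the client address from the proxy's own access log in that case.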

References