Privilege Escalation
Introduction
This article covers ways to secure the code from Privilege Escalation vulnerability. This includes applying a proper function to check for the userโs input.
Arbitrary Option Update
For this case of privilege escalation, the process to secure the code is simple, implement proper permission and nonce check and also limit the option_name
that will be updated. This limitation process can use a whitelist check or using a prefix or suffix to the option_name
that will be updated:
Arbitrary User Meta Update
For this case of privilege escalation, the process to secure the code is simple, implement proper permission and nonce check if needed and also limit the meta_key
that will be updated. This limitation process can use a whitelist check or using a prefix or suffix to the meta_key
that will be updated:
Unrestricted User Registration
The fix for this case is simple, donโt allow users to set their role
field when registering a new account. By default, the user will have a role that is already assigned on the general WordPress configuration and it will be a Subscriber role by default:
Unrestricted User Update
For this case of privilege escalation, the process to secure the code is simple, implement proper permission and nonce check if needed and also limit the userโs field that will be updated. This limitation process can use a whitelist check to the userโs field that will be updated:
Insecure Password Reset
For this case of privilege escalation, implement the check_password_reset_key
function. According to the official documentation, this function will retrieve a user row based on the password reset key and login. It will return the WP_User
object on success, and the WP_Error
object for invalid or expired keys:
Insecure Authentication Cookie Set
This privilege escalation case is more abstract compared to other cases. In general, usage of the authentication cookie set process is mostly for the autologin process and third-party login process. To secure your code against this privilege escalation case, you need to apply a proper check and request for the authentication cookie set process. For a third-party login process, make sure that the configured UID value and other secret key values can only be configured from a trusted source such as the related third-party service endpoint, and are not coming directly from the userโs input.