Remote Code Execution (RCE)
Introduction
This article covers ways to secure code against remote code execution (RCE) vulnerabilities, including applying a proper check on the user's input before it is acted upon.
How to secure
For a dynamic function call, or a call made through the call_user_func function, we recommend checking the requested function name against a whitelist of the functions that are allowed to be called:
function image_render_callback( $atts ) {
    // Merge the user-supplied shortcode attributes with the defaults.
    $atts = shortcode_atts( array(
        'sanitize' => 'esc_attr',
        'src'      => '',
        'text'     => '',
    ), $atts );

    $chosen_callback   = $atts['sanitize'];
    // Only these functions may ever be invoked through call_user_func().
    $allowed_functions = array( 'trim', 'esc_attr', 'esc_html', 'sanitize_text_field' );
    $text              = '';

    // is_callable() alone accepts any PHP function; the strict in_array()
    // check against the whitelist is what prevents arbitrary code execution.
    if ( ! empty( $chosen_callback )
        && is_callable( $chosen_callback )
        && in_array( $chosen_callback, $allowed_functions, true ) ) {
        $text = call_user_func( $chosen_callback, $atts['text'] );
    }

    return sprintf( "<img src='%s'>%s</img>", esc_attr( $atts['src'] ), esc_html( $text ) );
}
add_shortcode( 'imagerender', 'image_render_callback' );
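The following is an added example, not code from the article: it isolates the whitelist check in one function and exercises it against constructed inputs, to show that is_callable() alone is no defence and that only an exact match against the allowlist passes. The esc_attr/esc_html/sanitize_text_field stubs are assumptions so the script runs outside WordPress.

```php
<?php
// Added example (not the article's code). Stubs so it runs stand-alone;
// inside WordPress the real functions are used instead.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $s ) { return htmlspecialchars( $s, ENT_QUOTES, 'UTF-8' ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $s ) { return trim( strip_tags( $s ) ); }
}

// The only callbacks the shortcode is ever permitted to invoke.
const ALLOWED_SANITIZERS = array( 'trim', 'esc_attr', 'esc_html', 'sanitize_text_field' );

// Returns the sanitized text, or null when the requested callback is not allowed.
function apply_allowed_sanitizer( string $requested, string $text ): ?string {
    // Strict comparison: the name must equal one of the literal strings above.
    // is_callable() is deliberately not the gate, since it is true for any
    // defined PHP function, including dangerous ones.
    if ( ! in_array( $requested, ALLOWED_SANITIZERS, true ) ) {
        return null;
    }
    return call_user_func( $requested, $text );
}

// Constructed inputs: what a shortcode's 'sanitize' attribute might carry.
$cases = array(
    array( 'esc_html', '<b>hi</b>' ),  // allowed  -> "&lt;b&gt;hi&lt;/b&gt;"
    array( 'trim', '  padded  ' ),     // allowed  -> "padded"
    array( 'system', 'id' ),           // callable, but not whitelisted -> null
    array( 'TRIM', ' x ' ),            // PHP would resolve it, exact match fails -> null
    array( 'esc_html ', 'x' ),         // trailing space, not an exact match -> null
);
foreach ( $cases as list( $cb, $text ) ) {
    $out = apply_allowed_sanitizer( $cb, $text );
    printf( "%-12s => %s\n", var_export( $cb, true ),
        $out === null ? 'REJECTED' : var_export( $out, true ) );
}
```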
Fixing Arbitrary Plugin Installation
It can be fixed by ensuring that the user who is installing the plugin has the proper permissions and that an appropriate nonce check is performed in the action:
// Register on wp_ajax_ rather than wp_ajax_nopriv_: the nopriv hook only fires
// for logged-out users, who could never satisfy current_user_can().
add_action( 'wp_ajax_install_remote_plugin', function () {
    // Capability check: only users allowed to install plugins may proceed.
    // Nonce check: the request must carry a valid nonce for this action
    // (check_admin_referer() stops execution when it does not).
    if ( isset( $_GET['install_plugin_url'] )
        && current_user_can( 'install_plugins' )
        && check_admin_referer( 'install_plugin_url_action' ) ) {
        $plugin_url = esc_url_raw( $_GET['install_plugin_url'] );

        include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
        include_once ABSPATH . 'wp-admin/includes/file.php';
        include_once ABSPATH . 'wp-admin/includes/misc.php';

        $upgrader = new Plugin_Upgrader();
        $upgrader->install( $plugin_url );
    }
} );