Skip to content

Remote Code Execution (RCE)

Introduction

This article covers possible ways to secure the code from RCE vulnerability. This includes applying a proper function to check for the user’s input.

How to secure

For a dynamic function call or function call using the call_user_func function, we recommend using a whitelist check on the allowed functions that can be called:

function image_render_callback($atts) {
$atts = shortcode_atts( array(
'sanitize' => 'esc_attr',
'src'=>'',
'text'=>''
), $atts);
$chosen_callback = $atts["sanitize"];
$allowed_functions = array("trim", "esc_attr", "esc_html", "sanitize_text_field");
$text = "";
if ( ! empty( $chosen_callback ) && is_callable( $chosen_callback ) && in_array($chosen_callback, $allowed_functions) ) {
$text = call_user_func( $chosen_callback, $atts["text"] );
}
return sprintf("<img src='%s'>%s</img>", esc_attr($atts["src"]), esc_html($text));
}
add_shortcode("imagerender", "image_render_callback");

Fixing Arbitrary Plugin Installation

It can be fixed by ensuring that the user who’s installing the plugin has proper permissions and that an appropriate nonce check is being done in the action.

add_action('wp_ajax_nopriv_install_remote_plugin', function() {
if (
isset($_GET['install_plugin_url']) &&
current_user_can('install_plugins') &&
check_admin_referer('install_plugin_url_action')
) {
$plugin_url = esc_url_raw($_GET['install_plugin_url']);
include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
include_once ABSPATH . 'wp-admin/includes/file.php';
include_once ABSPATH . 'wp-admin/includes/misc.php';
$upgrader = new Plugin_Upgrader();
$upgrader->install($plugin_url);
}
});

Contributors

rafiem