The decision to publicly report a vulnerability that has no patch does not come easily. In certain circumstances, however, it is the only option available to protect users from running insecure code.
You may have guessed where I am going with this if you have been reading or listening to the Patchstack Security Weekly updates over the last few weeks.
This post will be discussing the first batch of vulnerabilities in the Patchstack Alliance’s backlog of vulnerabilities with no patch available.
Why full disclosure?
It is not uncommon for open source developers to either abandon a free project or have insufficient time to continue committing code to it. However, if a developer is not providing security patches, then their software is dangerous to run. Users need to be aware of the risks of running software with known security flaws, so they can take steps to mitigate the issue themselves (if possible).
In this case, the same insecure code was found in dozens of themes by the same design firm. We reached out to the developer/design firm, who unfortunately was non-communicative with our staff.
It has been over 30 days and we have exhausted all means available to discuss the issue privately with the developer. Since we have no timeline for when, or if, these themes will receive a patch, and with the safety of sites that are running these themes in mind, we are disclosing the list of affected themes at this time and will do our best to help secure these sites.
We are making mitigation strategies available privately for now, because disclosing them publicly would also make it easier to write exploits for these vulnerabilities. Please see the Defense options listed below if you would like to know how to protect websites against these vulnerabilities.
Vulnerability details
It may sound surprising that themes have security vulnerabilities in them, but if a theme includes PHP code, then that code can have vulnerabilities in it. There are 4 vulnerabilities we found in these themes.
- Authenticated arbitrary file upload
- Authenticated arbitrary plugin enable/disablement
- Authenticated data deletion
- Lack of CSRF checks in authenticated actions
The authenticated arbitrary file upload vulnerability is the most critical of the four.
The initial report was made by Lenon Leite, who identified the authenticated arbitrary file upload vulnerability. The three additional vulnerabilities were uncovered by Vlad Visse.
Potential impact
The total number of sites with these themes installed is approximately 50,000. Not all of these sites are at risk, though, because the attack requires an authenticated account to perform.
Sites that restrict user accounts to trusted users only are at lower or no risk. However, any website running one of these themes with user registration enabled needs to take action immediately, because users with subscriber-level accounts can exploit the file upload vulnerability and take over the site.
What went wrong?
The developer appears to have missed adding a quick authorization check in their code. The fix here is to check whether the current user is actually authorized to upload files (or to change plugins, or delete data) before performing the action, rather than treating any logged-in session as sufficient.
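The following is an added example and is not code from the affected themes. It sketches a theme AJAX upload handler with the shape of bug the post describes, next to a hardened version that adds the capability check, a nonce for CSRF, and core's file-type validation, and applies the same pattern to the plugin enable/disable action. The hook names, function names and nonce actions (`dm_upload_asset`, `dm_toggle_plugin`, the `dm-theme` script handle) are assumed. The relevant WordPress detail is that any handler registered on `wp_ajax_{action}` is reachable by every logged-in user, including subscribers, which is why a missing capability check is enough for a site takeover.

```php
<?php
/**
 * Added example (not the affected themes' code). Names are assumed.
 */

// VULNERABLE: wp_ajax_* fires for every logged-in user. No capability check,
// no nonce, no file-type check, and the filename comes straight from the client,
// so a subscriber can drop shell.php into the theme directory.
add_action( 'wp_ajax_dm_upload_asset', 'dm_upload_asset_vulnerable' );
function dm_upload_asset_vulnerable() {
    $target = get_stylesheet_directory() . '/uploads/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}

// HARDENED: authorization (capability), CSRF (nonce) and content checks.
add_action( 'wp_ajax_dm_upload_asset_safe', 'dm_upload_asset_safe' );
function dm_upload_asset_safe() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer( 'dm_upload_asset', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Content: let core validate the type/extension against the allowed
    //    list (test_type stays true, so .php and .phtml are rejected) and
    //    pick a sanitized, unique filename inside the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Same pattern for the plugin enable/disable action the post lists.
add_action( 'wp_ajax_dm_toggle_plugin', 'dm_toggle_plugin_safe' );
function dm_toggle_plugin_safe() {
    check_ajax_referer( 'dm_toggle_plugin', 'nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    // Only accept a plugin that is actually installed, never an arbitrary path.
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }
    $enable = ! empty( $_POST['enable'] );
    $result = $enable ? activate_plugin( $plugin ) : deactivate_plugins( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}

// The front end must send the nonce; the theme mints one per action.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'dm-theme', 'dmAjax', array(
        'url'         => admin_url( 'admin-ajax.php' ),
        'uploadNonce' => wp_create_nonce( 'dm_upload_asset' ),
        'toggleNonce' => wp_create_nonce( 'dm_toggle_plugin' ),
    ) );
} );
```

The order of the checks matters in practice: the nonce check runs first so that a cross-site request from a victim's browser dies before any capability is evaluated, and the capability check runs before anything touches the filesystem or the active plugin list. A nonce alone is not an authorization check: a subscriber can obtain a valid nonce from the page, so the `current_user_can()` test is what actually closes the hole described above.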
We have talked about the importance of Authorization checks before, in Patchstack Weekly 45. If you are interested in learning more about secure coding topics, the Patchstack Security Weekly is a great place to learn and stay up to date on security topics.
Defense options
If you are using the paid Patchstack app to protect your websites, we have already provided a vPatch for you.
In fact, WordPress sites behind a web application firewall that is up to date on WordPress-specific vulnerabilities may already be protected. We will get into more details on this in the next post, but, in short: this is not the first time this developer/designer has shipped insecure code.
Patchstack hosting partners have been informed and provided guidance on web application firewall rules to help protect their customers.
If you are a hosting provider and would like to join our secure hosting partners and receive regular intelligence updates about vulnerabilities in open source components, please reach out.
If you are a site owner and would like instructions on how to patch the theme manually to make it safe, please reach out. We will be glad to provide instructions and a patch for these themes.
Affected themes (first batch)
Disclosure timeline
2021-11-28 Lenon Leite reports the vulnerabilities.
2021-12-02 We verified Lenon’s report and reached out to the developer. vPatches released to Patchstack Developer users.
2021-12-09 No response, we reached out again.
2021-12-22 Developer acknowledges the issue.
2021-12-22 We reply, requesting a timeline.
2022-01-04 No response. We ask for a timeline again.
2022-01-06 Patchstack vPatch updated (to apply to additional components).
2022-01-10 We escalate the issue to the WordPress.org Themes Repository.
2022-01-11 Vulnerabilities are added to the Patchstack Database.
Next time …
The above list is not a complete list of affected components, and the timeline also has additional details we have not yet reported. This is still an ongoing issue, and we hope the developer takes action soon and releases patches to address this insecure code. If not, then we will continue to release more details so site owners are able to take action to protect their websites.
Please check back in here at the Patchstack blog for more details as they become available.