Updated: 01.17.2023
Multiple Vulnerabilities Affecting Multiple MainWP Extensions
Dave
from patchstack

Introduction

At Patchstack we accept vulnerability reports from individual researchers but also do our own research, often by randomly selecting a plugin. This time, during a quick inspection of a MainWP extension, we found a vulnerability. This led us to perform the same inspection on the other MainWP extensions, and we concluded that several of them contained one or more vulnerabilities, some less severe, some more severe. Note that we did not perform a full audit, so these extensions may contain further vulnerabilities beyond those listed below.

These vulnerabilities range from SQL injection to authenticated post/page deletion to arbitrary file deletion. We list all our findings below. It is important to note that MainWP responded quickly and sent us fixed versions of most of these plugins so we could validate the fixes; however, we delayed this publication because they needed time to test and deploy all of the fixed versions.

Vulnerabilities List

MainWP Broken Links Checker Extension (mainwp-broken-links-checker-extension)
Version: <= 4.0
Version Fixed: None, retired extension.
Vulnerability: Unauth SQL injection; multiple locations in the plugin are vulnerable to SQL injection.
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP Boilerplate Extension (boilerplate-extension)
Version: <= 4.1
Version Fixed: 4.1.1
Vulnerability: Subscriber+ plugin settings change. Ability to create boilerplate tokens due to missing authorization and nonce token check.
Vulnerability: Subscriber+ arbitrary post/page deletion due to missing authorization and nonce token check.

MainWP Article Uploader Extension (mainwp-article-uploader-extension)
Version: <= 4.0.2
Version Fixed: 4.0.3
Vulnerability: Subscriber+ arbitrary file deletion. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ arbitrary post/page deletion. Also missing authorization and nonce token check.

MainWP BlogVault Backup Extension (mainwp-blogvault-backup-extension)
Version: <= 1.3
Version Fixed: None, retired extension.
Vulnerability: Subscriber+ arbitrary plugin installation. Also missing authorization and nonce token check.

MainWP Favorites Extension (mainwp-favorites-extension)
Version: <= 4.0.10
Version Fixed: 4.0.11
Vulnerability: Subscriber+ arbitrary plugin installation. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ arbitrary file deletion. Also missing authorization and nonce token check.

MainWP White Label Extension (mainwp-branding-extension)
Version: <= 4.1.1
Version Fixed: 4.1.2
Vulnerability: Subscriber+ plugin settings change. Also missing authorization and nonce token check.

MainWP Buddy Extension (mainwp-buddy-extension)
Version: <= 4.0.1
Version Fixed: 4.0.3
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP WordPress SEO Extension (mainwp-seo-extension)
Version: <= 4.0.1
Version Fixed: 4.0.3
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP UpdraftPlus Extension (mainwp-updraftplus-extension)
Version: <= 4.0.6
Version Fixed: 4.0.7
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP Staging Extension (mainwp-staging-extension)
Version: <= 4.0.3
Version Fixed: 4.0.4
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP Page Speed Extension (mainwp-page-speed-extension)
Version: <= 4.0.2
Version Fixed: 4.0.3
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP iThemes Security Extension (mainwp-ithemes-security-extension)
Version: <= 4.1.1
Version Fixed: 4.1.2
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP Clone Extension (mainwp-clone-extension)
Version: <= 4.0.2
Version Fixed: 4.0.3
Vulnerability: Subscriber+ plugin settings change (clone update allowed sites, clone enabled). Also missing authorization and nonce token check.

MainWP Code Snippets Extension (mainwp-code-snippets-extension)
Version: <= 4.0.2
Version Fixed: 4.0.3
Vulnerability: Subscriber+ arbitrary PHP code injection. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ stored XSS. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ plugin settings change. Snippets can be deleted, for example. Also missing authorization and nonce token check.

MainWP Links Manager Extension (mainwp-links-manager-extension)
Version: <= 2.1
Version Fixed: None, retired extension.
Vulnerability: Unauth PHP object injection due to direct call to unserialize with user input.

MainWP Comments Extension (mainwp-comments-extension)
Version: <= 4.0.6
Version Fixed: 4.0.7
Vulnerability: Subscriber+ comment deletion/restoration/trash/approval. Also missing authorization and nonce token check.

MainWP File Uploader Extension (mainwp-file-uploader-extension)
Version: <= 4.1
Version Fixed: 4.1.1
Vulnerability: Subscriber+ arbitrary file deletion. Also missing authorization and nonce token check.
Vulnerability: Unauth arbitrary file upload (incl. PHP). Also missing authorization and nonce token check.

MainWP Google Analytics Extension (mainwp-google-analytics-extension)
Version: <= 4.0.4
Version Fixed: 4.0.5
Vulnerability: Subscriber+ plugin settings change. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ SQL injection. Also missing authorization and nonce token check.

MainWP Maintenance Extension (mainwp-maintenance-extension)
Version: <= 4.1.1
Version Fixed: 4.1.2
Vulnerability: Subscriber+ SQL injection. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ plugin settings change. Also missing authorization and nonce token check.

MainWP Matomo Extension (mainwp-piwik-extension)
Version: <= 4.0.4
Version Fixed: 4.0.5
Vulnerability: CSRF leading to plugin settings change. Missing nonce token validation.

MainWP Post Dripper Extension (mainwp-post-dripper-extension)
Version: <= 4.0.4
Version Fixed: 4.0.5
Vulnerability: Subscriber+ arbitrary post/page deletion. Also missing authorization and nonce token check.

MainWP Post Plus Extension (mainwp-post-plus-extension)
Version: <= 4.0.3
Version Fixed: 4.1.1
Vulnerability: Subscriber+ arbitrary post/page deletion. Also missing authorization and nonce token check.

MainWP Rocket Extension (mainwp-rocket-extension)
Version: <= 4.0.3
Version Fixed: 4.0.4
Vulnerability: Subscriber+ plugin settings change due to nonce token leakage. Also missing authorization.
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

MainWP UpdraftPlus Extension (mainwp-updraftplus-extension)
Version: <= 4.0.6
Version Fixed: 4.0.7
Vulnerability: Unauth plugin settings change due to missing authorization and nonce token check.

MainWP Wordfence Extension (mainwp-wordfence-extension)
Version: <= 4.0.7
Version Fixed: 4.0.8
Vulnerability: Subscriber+ plugin settings change. Also missing authorization and nonce token check.
Vulnerability: Subscriber+ arbitrary plugin activation. Also missing authorization and nonce token check.

Conclusion

As you can see from the extensive list above, most of these vulnerabilities occurred because an authorization check and/or a nonce token check was missing. It is important that any higher privileged action always has both of these in place, in order to prevent lower privileged users from exploiting it.

Even if there is a nonce token check but no validation of the authorization of the user, it could still be exploited if the nonce token is leaked.
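The pattern described above, as an added example written for this article rather than code from any MainWP extension: a minimal WordPress admin-ajax handler that changes a plugin setting, first without any check and then with both the capability check and the nonce check, plus a nonce issued only to authorized users on the admin page so it is not leaked elsewhere. All hook names, action names and the option key are hypothetical.

```php
<?php
// Added example, not code from the MainWP extensions. Names are hypothetical.

// BEFORE: any logged-in user (Subscriber+) who can reach wp-admin/admin-ajax.php
// can trigger this action; nothing verifies who is calling or whether they meant to.
function example_save_settings_vulnerable() {
    $enabled = isset( $_POST['enabled'] ) ? (bool) $_POST['enabled'] : false;
    update_option( 'example_feature_enabled', $enabled );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

// AFTER: both checks named in the conclusion.
// 1. Authorization: does this user hold the capability the action requires?
// 2. Nonce: did the request originate from a form/script we issued to this user?
function example_save_settings_fixed() {
    // Authorization first: even a leaked nonce is then useless to a low-privileged user.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // Nonce check (CSRF). Third argument false: return instead of die, so we shape the response.
    if ( ! check_ajax_referer( 'example_save_settings', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }
    $enabled = isset( $_POST['enabled'] ) ? (bool) $_POST['enabled'] : false;
    update_option( 'example_feature_enabled', $enabled );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_fixed', 'example_save_settings_fixed' );

// Issuing the nonce: render it only on the plugin's own admin page and only for users
// who may perform the action, so it does not end up in markup or scripts that
// lower-privileged users can read (the "nonce token leakage" case in the list above).
function example_enqueue_admin_script( $hook ) {
    if ( 'toplevel_page_example' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The front-end script would then POST `action=example_save_settings_fixed`, `_wpnonce=exampleAjax.nonce` and `enabled` to `exampleAjax.url`; a request missing either the capability or a valid nonce is rejected with a 403 before any option is written.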

Timeline

End of October 2022 - We found the vulnerabilities and released a virtual patch to all Patchstack paid version customers.
Beginning of November 2022 - We reached out to the developer of the plugin and gave them the information. The developer asked for some time to get it sorted.
16-12-2022 - Received the patches for us to validate. Developer asked to delay publication, so they have time to organize release of all the fixes.
17-01-2023 - Added the vulnerabilities to the Patchstack vulnerability database.
17-01-2023 - Published the article.

Websites with Patchstack paid version are protected from the vulnerabilities above and have received a virtual patch at the time of finding these vulnerabilities.

Help us make the internet a safer place

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

  • If you're a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
  • If you're a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.
