$197 Bounty Awarded for Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On February 8th, 2024, during our Bug Bounty Extravaganza, we received a submission for an Arbitrary Post Deletion vulnerability in LeadConnector, a WordPress plugin with more than 20,000 active installations. This vulnerability could be used by unauthenticated attackers to delete arbitrary posts or pages.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $197.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 9, 2024. Sites using the free version of Wordfence received the same protection on March 10, 2024.

We contacted the LeadConnector Team on February 8, 2024. After not receiving a reply we escalated the issue to the WordPress.org Security Team on March 8, 2024. After that, the developer released a patch on April 23, 2024.

We urge users to update their sites with the latest patched version of LeadConnector, which is version 1.8, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: LeadConnector
Affected Plugin: LeadConnector
Plugin Slug:
leadconnector
Affected Versions:
CVE ID: CVE-2024-1371
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Researcher/s: Krzysztof Zając
Fully Patched Version: 1.8
Bounty Awarded: $197.00

The LeadConnector plugin for WordPress is vulnerable to unauthorized modification & loss of data due to a missing capability check on the lc_public_api_proxy() function in all versions up to, and including, 1.7. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Technical Analysis

LeadConnector is a WordPress plugin, which allows embedding LeadConnector funnel pages to the WordPress website.

Unfortunately, insecure implementation of the plugin’s API functionality allows for arbitrary post deletion. Examining the code reveals that the permission check for the proxy REST API endpoint registration is set to true. This means that this REST API endpoint is publicly accessible.

register_rest_route(‘lc_public_api/v1’, ‘proxy’, array(
// By using this constant we ensure that when the WP_REST_Server changes our readable endpoints will work as intended.
‘methods’ => WP_REST_Server::CREATABLE,
// Here we register our callback. The callback is fired when this endpoint is matched by the WP_REST_Server class.
‘callback’ => array($this, ‘lc_public_api_proxy’),
‘permission_callback’ => ‘__return_true’,
));

The lc_public_api_proxy() function is a proxy function, which means it handles multiple actions. One such action is “wp_delete_post”, which deletes the post based on the post id specified in the request.

if ($endpoint == “wp_delete_post”) {
$body = json_decode($params[‘data’]);
$post_id = $body->post_id;
$force_delete = $body->force_delete;

$post_info = wp_delete_post($post_id, $force_delete);
if (!$post_info) {
error_log(“fail to delete the post”);
return (array(
‘error’ => true,
‘message’ => “fail to delete the post”,
));

}
return $post_info;
}

Unfortunately, the function does not include a capability check. This makes it possible for unauthenticated attackers to delete posts arbitrarily, which can result in a loss of data. This vulnerability highlights the importance of having proper back-ups, because if an attacker successfully deletes posts you would need a reliable way to recover those posts.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious REST API action and blocks the request if it does not come from an existing authorized editor or administrator.

Disclosure Timeline

February 8, 2024 – We receive the submission of the Arbitrary Post Deletion vulnerability in LeadConnector via the Wordfence Bug Bounty Program.
February 8, 2024 – We validate the report and confirm the proof-of-concept exploit.
February 8, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
February 9, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
March 8, 2024 – We escalate the vulnerability to the WordPress.org Security Team and send over the full disclosure details.
March 10, 2024 – Wordfence Free users receive the same protection.
March 15, 2024 – The WordPress.org Security Team acknowledges the report.
April 23, 2024 – The fully patched version of the plugin, 1.8, is released.

Conclusion

In this blog post, we detailed an Arbitrary Post Deletion vulnerability within the LeadConnector plugin affecting versions 1.7 and earlier. This vulnerability allows unauthenticated threat actors to delete arbitrary posts from the WordPress website. The vulnerability has been fully addressed in version 1.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of LeadConnector.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 9, 2024. Sites using the free version of Wordfence received the same protection on March 10, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

The post $197 Bounty Awarded for Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin appeared first on Wordfence.

Leave a Comment