Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Through October 7th, 2024, XSS vulnerabilities in all plugins and themes with >=1,000 Active Installs are in scope for all researchers. In addition, through October 14th, 2024, researchers can earn up to $31,200 for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.
On August 4th, 2024, we received a submission for an Arbitrary File Deletion vulnerability in MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar, a WordPress plugin with over 20,000 active installations. This vulnerability can be leveraged by authenticated attackers with minimal permissions, such as subscribers, to delete critical files like wp-config.php, which can lead to remote code execution.
Props to Arkadiusz Hydzik who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $705.00 for this discovery. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.
All Wordfence users, including Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response users, are protected by the Wordfence Firewall's built-in directory traversal and local file inclusion rules.
We sent the full disclosure details to the plugin's author on August 16th, 2024 and they acknowledged the report the same day. The patch was released just over a week later on August 27th, 2024. We commend the team at Sonaar for the quick response and remediation of this vulnerability.
We urge users to update their sites with the latest patched version of MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar, version 5.7.1 at the time of this writing, as soon as possible.
Vulnerability Summary from Wordfence Intelligence
Affected Plugin: MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
Plugin Slug: mp3-music-player-by-sonaar
Affected Versions: <= 5.7.0.1
CVE ID: CVE-2024-7856
CVSS Score: 9.1 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Arkadiusz Hydzik
Fully Patched Version: 5.7.1
Bounty Award: $705.00
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files, which can make remote code execution possible when wp-config.php is deleted.
Technical Analysis
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin is designed to allow site owners to upload and host an audio player on their WordPress website. One feature of the plugin is the ability to upload audio peak files. Unfortunately, the part of this functionality that deletes temporary files was insecurely implemented, making it possible to supply arbitrary files to be deleted.
The root of the problem was in the removeTempFiles() function, which had two flaws: no authorization check and insufficient validation on the 'file' parameter. The function does check that the supplied path begins with the audio_peaks directory; however, a plain string-prefix check does not account for directory traversal. A user can therefore supply a path that starts with the audio peaks directory and then traverse out of it with a sequence like '../', so that any arbitrary file is passed to wp_delete_file() and deleted.
public function removeTempFiles(){
    // will unlink the temporary peak file and generate another one automatically.
    check_ajax_referer('sonaar_music_admin_ajax_nonce', 'nonce');
    $is_temp = filter_input(INPUT_POST, 'is_temp', FILTER_VALIDATE_BOOLEAN);
    $file = filter_input(INPUT_POST, 'file', FILTER_SANITIZE_STRING);
    if ($is_temp && $file) {
        $upload_dir = wp_get_upload_dir();
        $peaks_dir = $this->get_peak_dir();
        // Maps the public URL of the peaks directory back to its filesystem path
        $file_path_temp = str_replace($upload_dir['baseurl'] . $this->get_peak_dir(true), $peaks_dir, $file);
        // Prefix check only: "../" segments after the prefix are not rejected
        if (strpos($file_path_temp, $peaks_dir) === 0 && file_exists($file_path_temp)) {
            wp_delete_file($file_path_temp);
        }
    }
}
This function is hooked via a WordPress AJAX action, making it accessible to all authenticated users regardless of their privileges, since no authorization checks were present.
add_action('wp_ajax_removeTempFiles', array($this, 'removeTempFiles'));
While a nonce check was present, the nonce was generated through the enqueue_scripts() function of the Sonaar_Music_Admin class, hooked via 'admin_enqueue_scripts', whenever the '$hook' (page path) matches sr_playlist_page_srmp3_settings_.
This makes it possible for authenticated users to 'spoof' a path like /wp-admin/index.php/%0a/wp-admin/sr_playlist_page_srmp3_settings_, which will generate a valid nonce and expose it in the source code of the page. This means that any authenticated user with access to the wp-admin dashboard should be able to pass the nonce check and reach the functionality.
if (strpos($hook, SR_PLAYLIST_CPT . '_page_srmp3_settings_') === 0) {
    wp_enqueue_script( 'cmb2_image_select_metafield-js', plugin_dir_url( __FILE__ ) . 'library/cmb2-image-select-field-type/image_select_metafield.js' , '', '1.0.0', true ); // Used for plugin settings page only. it does not work on group repeater fields
    wp_enqueue_script( 'sonaar-music', plugin_dir_url( __DIR__ ) . 'public/js/sonaar-music-public.js', array( 'jquery' ), $this->version, true ); // used for peak generation
    wp_localize_script('sonaar-admin', 'sonaar_music', array(
        'plugin_version_free'=> SRMP3_VERSION,
        'plugin_version_pro'=> ( defined( 'SRMP3PRO_VERSION' ) ? SRMP3PRO_VERSION : 'Not Installed' ),
        'ajax' => array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'ajax_nonce' => wp_create_nonce( 'sonaar_music_admin_ajax_nonce' ),
            'ajax_nonce_peaks' => wp_create_nonce( 'sonaar_music_ajax_peaks_nonce' ),
        ),
    ));
}
Tip for Security Researchers Participating in our Bug Bounty Program
Keep an eye out for functions that only have a nonce check present and no capability check. Review the code where the nonce is created (i.e. wp_create_nonce() and wp_nonce_field()) and see whether it is invoked on pages or through functions without any form of access control. It's very possible that the nonce can be obtained by users who should not have access to invoke the nonce-protected function.
A common hook that is accessible to subscribers and may have nonce generating code is admin_enqueue_scripts. A simple view-source: on /wp-admin may reveal any nonces generated by this hook if no capability checks are present.
The developer patched this by implementing a capability check and better path validation on the 'file' parameter, so that only files in the audio_peaks directory could be deleted and directory traversal attempts would be stripped.
Arbitrary file deletion vulnerabilities are a serious issue in WordPress. When present, an attacker can delete the wp-config.php file which makes WordPress treat the instance as a new install. The attacker can then access the WordPress setup page, connect their own database to the site to deliver spam, and then further infect the filesystem by installing malicious plugins or utilizing the plugin/theme editors to inject backdoors.
Developer Reminder: Never Use Nonces For Access Control
This vulnerability serves as an important reminder that nonce checks alone are not a valid protection mechanism for authorization. Developers must use capability checks like current_user_can() to properly validate if a user has the authorization to be performing a specific action. Nonces should only be used for Cross-Site Request Forgery protection and to verify that a user intended to perform a specific action.
We've covered this in depth in a previous article, which you can read about here. There have been many instances where nonces have been used as a means of access control; however, the nonce was present on pages available to authenticated, or even unauthenticated, users, or in functionality they had access to, which effectively negates any protection.
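To make the two fixes concrete (the patched handler described above, and the reminder that nonces are not authorization), here is an added example of a hardened handler for the removeTempFiles() pattern. It is not Sonaar's code or their actual patch; the function names, the 'manage_options' capability and the audio_peaks location under the uploads directory are assumptions for the example.

```php
<?php
// Added example, not the plugin's own patch. Assumes it runs inside WordPress.
// Fix 1: an explicit capability check (the nonce is CSRF protection only).
// Fix 2: a containment check that canonicalises the path before comparing it
// to the peaks directory, so "../" segments and symlinks cannot escape it.

function srmp3_example_resolve_peak_file( string $peaks_dir, string $file ) {
    // Reduce client input to a bare file name: "../" never survives basename().
    $candidate = rtrim( $peaks_dir, '/' ) . '/' . basename( $file );

    // realpath() resolves dot segments and symlinks; both sides must resolve
    // (the file must exist) and the file must sit strictly under the base.
    $real_base = realpath( $peaks_dir );
    $real_file = realpath( $candidate );
    if ( $real_base === false || $real_file === false ) {
        return false;
    }
    if ( strpos( $real_file, $real_base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false; // resolved outside the peaks directory
    }
    return $real_file;
}

function srmp3_example_remove_temp_file() {
    // CSRF protection: proves the request came from the plugin's own page.
    check_ajax_referer( 'sonaar_music_admin_ajax_nonce', 'nonce' );

    // Authorization: capability assumed for this example; wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $is_temp = filter_input( INPUT_POST, 'is_temp', FILTER_VALIDATE_BOOLEAN );
    $file    = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    if ( ! $is_temp || $file === '' ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Assumed location of the peaks directory for this example.
    $peaks_dir = wp_get_upload_dir()['basedir'] . '/audio_peaks';
    $target    = srmp3_example_resolve_peak_file( $peaks_dir, $file );
    if ( $target === false ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}
add_action( 'wp_ajax_srmp3_example_remove_temp_file', 'srmp3_example_remove_temp_file' );
```

With this shape, a request whose 'file' value begins with the peaks directory but continues with '../../wp-config.php' resolves to a file outside the base and is rejected before wp_delete_file() is ever reached, and a subscriber who has obtained a valid nonce still fails the capability check.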
Disclosure Timeline
August 4, 2024 - We received the submission for the Arbitrary File Deletion vulnerability in MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar via the Wordfence Bug Bounty Program.
August 15, 2024 - We validated the report and confirmed the proof-of-concept exploit. We also confirmed that Wordfence users are adequately protected.
August 16, 2024 - We sent over the full disclosure details via the vendor's security issues form.
August 16, 2024 - The vendor acknowledged the report and began working on a fix.
August 27, 2024 - The fully patched version of the plugin, 5.7.1, was released.
Conclusion
In this blog post, we detailed an Arbitrary File Deletion vulnerability within the MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin affecting versions 5.7.0.1 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to delete arbitrary files on the server, which can be leveraged to achieve remote code execution and lead to complete site compromise. The vulnerability has been addressed in version 5.7.1 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar as soon as possible, considering the critical nature of this vulnerability.
All Wordfence users, including Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response users, are protected by the Wordfence Firewall's built-in directory traversal and local file inclusion rules.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post Critical Arbitrary File Deletion Vulnerability in MP3 Audio Player WordPress Plugin Affects Over 20,000 Sites appeared first on Wordfence.