Identical high severity vulnerabilities could allow malicious script uploads in Post Grid and Team Showcase Plugins

The Wordfence Threat Intelligence team has discovered two almost identical high severity vulnerabilities in two WordPress plugins, namely Post Grid, a WordPress plugin with over 60,000 installations, and Team Showcase, a separate plugin by the same author with over 6,000 installations.

Patches for both plugins are already available, and Wordfence Premium users received a firewall rule protecting both plugins from both vulnerabilities on September 16, 2020. Sites still running the free version of Wordfence will receive this rule after 30 days, on October 16, 2020.

It is very important to keep your plugins and your WordPress version up to date so that you are protected from known vulnerabilities and receive patches as soon as they are released. This keeps your website secure and hardened against malicious attacks. Ensure you also vet your themes and plugins regularly.

Post Grid, a popular WordPress plugin, enables users to display their posts in a grid layout; Team Showcase, on the other hand, is used to showcase an organization's team members. Both plugins allowed the import of custom layouts and contained nearly identical functions for importing them. Post Grid no longer actually made use of the vulnerable import function, though the vulnerable code was still present.

How the identical high severity vulnerabilities could allow malicious script uploads in Post Grid and Team Showcase Plugins

In both cases, a logged-in attacker with minimal permissions, such as a subscriber, could trigger the functions by sending an AJAX request with the action set to post_grid_import_xml_layouts for the Post Grid plugin or team_import_xml_layouts for the Team Showcase plugin, with each action triggering a function of the same name.

Additionally, in the Post Grid plugin, the post_grid_import_xml_layouts function could also be triggered via a shortcode. By default, this meant that only authenticated users would be able to activate it. Any third-party plugin allowing unauthenticated shortcode execution, however, would extend the vulnerability to unauthenticated attackers.

The post_grid_import_xml_layouts and team_import_xml_layouts functions could also be used for PHP Object Injection using the same mechanism as the XSS attack. This was possible because the vulnerable functions unserialized the payload supplied in the source parameter.

As such, an attacker could craft a string that would be unserialized into an active PHP object. Although neither plugin utilized any vulnerable magic methods, if another plugin using a vulnerable magic method was installed, Object Injection could be used by an attacker. Doing so would allow a malicious actor to execute arbitrary code, delete or write files, or perform any number of other actions that could lead to site takeover.

As with the XSS vulnerability, the PHP Object injection vulnerability would typically require the attacker to have an account with at least subscriber level privileges. However, sites using a plugin or theme that allowed unauthenticated visitors to execute arbitrary shortcodes would be vulnerable to unauthenticated attackers.
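The two weaknesses described above (an AJAX import handler reachable by any logged-in user, which unserialize()s the source parameter and stores its contents unsanitized) follow a common WordPress pattern. The following is an added illustration, not code from Post Grid, Team Showcase or Wordfence: the action name example_import_xml_layouts, the post type example_layout and the nonce name are placeholders, and the weak variant is a reconstruction of the pattern for contrast, not the plugins' actual source. The hardened variant adds the nonce check, the capability check, a parser that cannot instantiate objects, and output sanitization before storage.

```php
<?php
// Hypothetical AJAX layout-import handler: weak pattern versus hardened form.
// Action, post type and nonce names are placeholders, not the real plugins' names.

// --- Weak pattern (shown for contrast; deliberately NOT hooked below).
// Any authenticated user can reach wp_ajax_* handlers, the payload is passed
// straight to unserialize() (PHP Object Injection sink), and the decoded
// content is stored verbatim (stored XSS sink).
function example_import_xml_layouts_weak() {
    $source  = isset( $_POST['source'] ) ? wp_unslash( $_POST['source'] ) : '';
    $layouts = unserialize( $source );
    foreach ( (array) $layouts as $layout ) {
        wp_insert_post( array(
            'post_type'    => 'example_layout',
            'post_title'   => $layout['title'],
            'post_content' => $layout['content'],
            'post_status'  => 'publish',
        ) );
    }
    wp_send_json_success();
}

// --- Hardened form.
function example_import_xml_layouts_hardened() {
    // 1. CSRF: the request must carry a nonce issued for this action (dies on failure).
    check_ajax_referer( 'example_import_layouts', 'nonce' );

    // 2. Authorization: importing layouts is an administrative action, so a
    //    subscriber-level account must be rejected before any parsing happens.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Parsing: never unserialize() untrusted input. JSON decoding into
    //    associative arrays cannot instantiate PHP objects, so no magic method
    //    from any installed plugin can be reached through the payload.
    $source  = isset( $_POST['source'] ) ? wp_unslash( $_POST['source'] ) : '';
    $layouts = json_decode( $source, true );
    if ( ! is_array( $layouts ) ) {
        wp_send_json_error( 'malformed payload', 400 );
    }

    // 4. Sanitization: strip script tags and disallowed markup before storage
    //    so the imported layout cannot carry a stored XSS payload.
    $imported = 0;
    foreach ( $layouts as $layout ) {
        if ( ! is_array( $layout ) ) {
            continue;
        }
        $post_id = wp_insert_post( array(
            'post_type'    => 'example_layout',
            'post_title'   => sanitize_text_field( $layout['title'] ?? '' ),
            'post_content' => wp_kses_post( $layout['content'] ?? '' ),
            'post_status'  => 'publish',
        ), true );
        if ( ! is_wp_error( $post_id ) ) {
            $imported++;
        }
    }
    wp_send_json_success( array( 'imported' => $imported ) );
}

// Only the hardened handler is registered. Note that wp_ajax_* (as opposed to
// wp_ajax_nopriv_*) only restricts the hook to logged-in users; it does not
// check capabilities, which is why the explicit current_user_can() call matters.
add_action( 'wp_ajax_example_import_xml_layouts', 'example_import_xml_layouts_hardened' );
```

If a legacy serialized layout format must still be accepted, unserialize( $source, array( 'allowed_classes' => false ) ) (PHP 7.0+) converts any object in the payload into __PHP_Incomplete_Class, which removes the Object Injection path, but the capability check and output sanitization are still required. The same rule applies to the shortcode trigger mentioned above: a shortcode handler that performs a privileged import should make the same capability check rather than relying on the assumption that only authenticated users can render shortcodes.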

Read more about this vulnerability on the WordFence Blog
