Advertisement






WordPress WP Project Manager 2.6.4 Privilege Escalation

CVE Category Price Severity
CVE-2023-3636 CWE-269 $500 High
Author Risk Exploitation Type Date
Author Name High Remote 2023-08-11
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023080047

Below is a copy:

WordPress WP Project Manager 2.6.4 Privilege Escalation
Description: WP Project Manager <= 2.6.4  Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation 

Affected Plugin: WP Project Manager  Task, team, and project management plugin featuring kanban board and gantt charts

Plugin Slug: wedevs-project-manager

Affected Versions: <= 2.6.4

CVE ID: CVE-2023-3636

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Lana Codes and Chloe Chamberland 

Fully Patched Version: 2.6.5

The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the save_users_map_name function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the usernames parameter.

Technical Analysis

WP Project Manager plugin is a task, project, and team management tool for WordPress. Upon closer examination of the code, we see that there is an API endpoint, the save_users_map_name function, which updates a users github and bitbucket username.

[View this code snippet on the blog.]  

The most significant problem and vulnerability is caused by the way the explode() and in_array() functions are used to ensure that only the github and bitbucket meta values can be updated. Unfortunately, these functions are not sufficient to prevent exploitation, because they can be bypassed with a special character, known as a homoglyph, that acts like an underscore, however, wont be properly exploded but will be saved in the database as a proper underscore.

This made it possible for authenticated users, such as subscribers, to supply the wp_capabilities array parameter with any desired role, such as administrator, when updating what should be username metadata, which would grant the user access to capabilities based on that role.

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

July 9, 2023  Discovery of the Privilege Escalation vulnerability in WP Project Manager.

July 11, 2023  We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.

July 13, 2023  Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

July 16, 2023  The vendor confirms the inbox for handling the discussion.

July 16, 2023  We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

July 24, 2023  A fully patched version of the plugin, 2.6.5, is released.

August 12, 2023  Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed a Privilege Escalation vulnerability within the WP Project Manager plugin affecting versions 2.6.4 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 2.6.5 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Project Manager.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 13, 2023. Sites still using the free version of Wordfence will receive the same protection on August 12, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.