Critical vulnerability found in WordPress plugin Convert Plus

News by Doug Olenick

For the second time last week, a WordPress plugin has been found vulnerable; this time the flaw is in the Convert Plus plugin and allows an attacker to gain administrative privileges.

Convert Plus, which has 100,000 active installs, is a commercial lead generation tool containing a critical-rated "unauthenticated administrator creation" flaw, according to Wordfence. If exploited, the flaw allows an attacker to create and register new accounts with various privilege levels up to administrator.

Those using Convert Plus version 3.4.2 need to immediately update to version 3.4.3, Wordfence said.

"We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days," Wordfence said in a blog post.

The issue was found on 24 May and a patch was released on 28 May, the same day a firewall rule was released for Wordfence Premium users. On 27 June, the firewall rule will roll out for all users.

Earlier last week, researchers at Defiant found a vulnerability in the plugin Slick Popup.

The problem appears in the new subscriber portion of the plugin. The form for handling new subscribers allows administrators to define a user role for the email address being added.

By default, the user value is set to none, but the site’s owner can have a list of roles in place, such as new subscriber, to choose from. Even though the admin role is not included as a possibility in the list, there is a way to add it.

"In vulnerable versions of the plugin, this intended user role was not fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user," Wordfence said.

Because no filtering is applied when the subscription is created, an attacker can submit a subscription form and change the value of cp_set_user to administrator, and the plugin will create that type of account associated with the new email. Although a randomised password is also generated, the newly created admin can obtain a new one by using the password reset function.
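The trust problem described above, as an added example that is not from this article, Wordfence, or the Convert Plus code base: a minimal Python model contrasting a handler that takes the role from the hidden cp_set_user field with one that reads it from server-side settings. The form_id field, FORM_SETTINGS and the role allowlist are assumptions made for illustration.

```python
# Minimal model of the flaw class described above; not Convert Plus code.
# FORM_SETTINGS, form_id and the role names are constructed for illustration.

ALLOWED_ROLES = {"none", "subscriber"}  # roles a signup form may ever grant

# Server-side form configuration, as an administrator would have saved it.
FORM_SETTINGS = {"newsletter-1": {"role": "subscriber"}}


def role_from_request(post: dict) -> str:
    """Vulnerable pattern: trust the hidden cp_set_user field in the request."""
    return post.get("cp_set_user", "none")


def role_from_settings(post: dict) -> str:
    """Hardened pattern: ignore cp_set_user and look the role up server-side."""
    settings = FORM_SETTINGS.get(post.get("form_id", ""))
    if settings is None:
        raise ValueError("unknown form")
    role = settings["role"]
    # Defence in depth: a misconfigured form still cannot grant a privileged role.
    if role not in ALLOWED_ROLES:
        raise ValueError(f"role {role!r} not permitted for self-registration")
    return role


def audit(post: dict) -> bool:
    """Detection hook: True when the submitted role differs from the stored one."""
    settings = FORM_SETTINGS.get(post.get("form_id", ""), {})
    submitted = post.get("cp_set_user")
    return submitted is not None and submitted != settings.get("role")


if __name__ == "__main__":
    # Constructed requests: one as the form renders it, one with the field altered.
    normal = {"form_id": "newsletter-1", "email": "a@example.com",
              "cp_set_user": "subscriber"}
    altered = dict(normal, cp_set_user="administrator")
    for name, req in (("normal", normal), ("altered", altered)):
        print(name, role_from_request(req), role_from_settings(req), audit(req))
```

The audit function is the kind of mismatch check a firewall rule or application log could apply to subscription submissions.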

This article was originally published on SC Media US.
