Security Advisory – Vulnerabilities in Pagelines/Platform theme for WordPress
Advisory for: Pagelines and Platform Themes
Security Risk: Very High
Exploitation level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Remote Code Execution
Patched Version: 1.4.6
Users of both the Pagelines and Platform themes should update as soon as possible. During a routine audit for our WAF, we found two dangerous issues: A Privilege Escalation vulnerability affecting both themes and a Remote Code Execution issue for Platform.
What are the risks?
Any website using a vulnerable version of the Platform theme (<1.4.4) is at risk of a total site takeover.
An attacker can execute PHP code to infect your website with malware, SEO spam and other nefarious acts. For those using a vulnerable version of the Pagelines theme (<1.4.6), an attacker needs to be able to register an account on the victim’s website in order to successfully exploit the Privilege Escalation vulnerability. As for the first vulnerability, a successful exploitation could allow an attacker to do pretty much anything he wants with his victim’s website (by using, for example, WordPress theme file editor).
Technical details
1 – Privilege escalation on Pagelines and Platform
Both themes used a WordPress ajax hook to modify a few set of options.
Because all wp_ajax_ hooks are usable by any logged-in users (no matter what privileges they have on the target site), a subscribed user could use this hook to overwrite any options located on WordPress options database table. For instance, this would allow them to overwrite the ‘default_role’ option with a value like ‘administrator’, which would grant every new users on the site with an administrator account!
2 – Remote Code Execution on Platform
The theme used a somewhat unconventionnal way to import theme settings backups.
As you can see from the above snippet, the theme inserts the backup file into the theme’s execution context using a call to the include() PHP function. As this may not necessarily be a vulnerabiltity by itself (we don’t know yet if we can actually trigger this piece of code as an unauthenticated user), we decided to backtrace the issue, finding that the function using this code was called from another function called pagelines_register_settings().
Which was itself hooked to the admin_init hook, which is known to be executed when a guest visitor visits either /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, thus allowing anybody to used the aforementioned snippet of code and gain full privilege on the website.
Update as soon as possible!
Again, if you’re using a vulnerable version of any of these two themes, update as soon as possible! In the event where you could not do this, we strongly recommend you having a look at our Website Firewall to get it patched virtually.