Buggy versions should be updated as soon as possible

Jan 22, 2015 21:56 GMT  ·  By

Two critical vulnerabilities have been discovered in the PageLines and Platform themes for WordPress, allowing a potential attacker to gain admin privileges on affected websites.

Security researchers also discovered that Platform carries a further security bug that permits an attacker to execute arbitrary code remotely, which could likewise lead to full privileges on the website.

WordPress Ajax hook used to gain elevated rights

Marc-Alexandre Montpas from Sucuri says that both themes relied on a WordPress Ajax hook to change some options. This hook allows any user that is logged into the website to overwrite the settings available in the WordPress options database table.

Gaining admin rights on a website is what any cybercriminal wants, and in this case it could be achieved by changing the “default_role” option value to administrator.

The vulnerability affects all versions of the two themes except the most recently released ones, PageLines 1.4.6 and Platform 1.4.4.
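The class of flaw described above, shown as an added example rather than the actual PageLines or Platform code: a hypothetical theme registers a `wp_ajax_*` handler that writes whatever option name and value the request supplies, and beside it the hardened form with a capability check, a nonce check and an allowlist of the theme's own options. The action names, option names and sanitizers are assumptions made for the illustration.

```php
<?php
// Added example, not the themes' own code. Hook names, option names and
// sanitizers are assumptions for illustration.

// --- Vulnerable pattern.
// wp_ajax_* handlers are reachable by any logged-in user, and this one checks
// neither who is calling nor which option is being written, so a subscriber
// can rewrite any row in wp_options (e.g. default_role => administrator).
add_action( 'wp_ajax_mytheme_save_option_unsafe', 'mytheme_save_option_unsafe' );
function mytheme_save_option_unsafe() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened version.
add_action( 'wp_ajax_mytheme_save_option', 'mytheme_save_option_safe' );
function mytheme_save_option_safe() {
    // 1. Authorization: only users allowed to manage site options may call this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action
    //    (created server-side with wp_create_nonce( 'mytheme_save_option' )).
    check_ajax_referer( 'mytheme_save_option', 'nonce' );

    // 3. Allowlist: only the theme's own options can be written, and each one
    //    goes through its own sanitizer. Core options such as default_role are
    //    simply not on the list.
    $allowed = array(
        'mytheme_footer_text'   => 'sanitize_text_field',
        'mytheme_posts_per_row' => 'absint',
    );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( $allowed[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

The order of the three checks matters less than their presence: the capability check stops the low-privilege account the article describes, the nonce stops a cross-site request riding on an administrator's session, and the allowlist limits the damage even if the first two are ever bypassed.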

Remote code execution glitch in Platform

In the case of the remote execution security issue affecting Platform theme, Montpas says that the bug was caused by a less common method for importing backups of the theme settings.

He said that “the theme inserts the backup file into the theme’s execution context using a call to the include() PHP function. As this may not necessarily be a vulnerability by itself (we don’t know yet if we can actually trigger this piece of code as an unauthenticated user), we decided to backtrace the issue, finding that the function using this code was called from another function called pagelines_register_settings().”

As that function is hooked to admin_init, an attacker could supply a backup file whose code grants admin privileges when it is included.
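To make the import issue concrete, here is an added example that is not the Platform theme's code: a hypothetical settings import written the way the article describes (hooked to admin_init and pulling the uploaded backup into the execution context with include()), followed by a hardened version that runs only on an explicit, nonce-protected admin action and treats the backup as data to be parsed, never as code. Function names, the JSON backup format and the settings schema are assumptions.

```php
<?php
// Added example, not the theme's own code. Names, the backup format and the
// settings schema are assumptions for illustration.

// --- Risky pattern.
// admin_init fires on every request to wp-admin, including admin-ajax.php,
// which unauthenticated visitors can also reach, so being inside this hook
// implies nothing about who is calling. include() then executes the uploaded
// file as PHP rather than reading it as settings.
add_action( 'admin_init', 'mytheme_import_settings_unsafe' );
function mytheme_import_settings_unsafe() {
    if ( isset( $_FILES['settings_backup']['tmp_name'] ) ) {
        include( $_FILES['settings_backup']['tmp_name'] ); // runs whatever was uploaded
        update_option( 'mytheme_settings', $settings );    // expects the file to define $settings
    }
}

// --- Hardened version.
// Bound to a dedicated admin-post action instead of admin_init, so it runs only
// when an import form is actually submitted.
add_action( 'admin_post_mytheme_import_settings', 'mytheme_import_settings_safe' );
function mytheme_import_settings_safe() {
    // Authorization and CSRF checks first.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'mytheme_import_settings' );

    if ( empty( $_FILES['settings_backup']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['settings_backup']['tmp_name'] ) ) {
        wp_die( 'No backup uploaded', '', array( 'response' => 400 ) );
    }

    // Treat the backup as data: parse it, never execute it.
    $raw  = file_get_contents( $_FILES['settings_backup']['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_die( 'Backup is not valid JSON', '', array( 'response' => 400 ) );
    }

    // Only known keys survive, each through its own sanitizer; anything else
    // in the file is dropped.
    $schema = array(
        'footer_text'   => 'sanitize_text_field',
        'posts_per_row' => 'absint',
    );
    $clean = array();
    foreach ( $schema as $key => $sanitizer ) {
        if ( array_key_exists( $key, $data ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $data[ $key ] );
        }
    }

    update_option( 'mytheme_settings', $clean );
    wp_safe_redirect( admin_url( 'themes.php?page=mytheme&imported=1' ) );
    exit;
}
```

The two changes that matter are independent: moving off admin_init removes the unauthenticated reach the researchers were probing for, and replacing include() with json_decode() plus a schema removes the code-execution primitive even if the handler is reached by someone who should not.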

At the moment, there is no evidence that cybercriminals exploited any of the glitches. However, the obvious recommendation is to update the themes without delay in order to mitigate any risk.

[Image gallery: Buggy code in PageLines and Platform (2 images): “Remote Code Execution on Platform” and “Ajax hook in PageLines”]