on 20-Nov-2018 05:00
Earlier this month (November 2018), RIPS Technologies blogged about a design flaw within WordPress that allows privilege escalation. WordPress is one of the most commonly used Content Management Systems (CMS) and runs over 32% of websites. WooCommerce is the most commonly used e-commerce plugin for WordPress and is used by 28% of all online stores.
The flaw discovered in WordPress combined with a vulnerability in WooCommerce allows an authorized non-privileged user to escalate privileges and take over an administrator account.
A skilled attacker can combine these two vulnerabilities to escalate privileges. Once a user has logged in as a Shop Manager (internal attacker, stealing cookies, etc.), the attacker can edit the file path for log deletion and instead delete woocommerce.php. Since WordPress would not be able to load the WooCommerce plugin, it would disable it. Once the plugin has been disabled, a user with the Shop Manager role would be able to edit an administrator's account, because the privilege check that prevented this was handled by WooCommerce itself.

Figure 6: Log file delete request manipulated by the attacker in an attempt to delete the WooCommerce plugin's main PHP file
BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing “Directory traversal” attack signatures.
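To make the two halves of the story concrete, here is an added Python example (not code from the original post, WordPress, WooCommerce or F5): a hardened path check of the kind the log-deletion handler should have applied, and a small scan over constructed access-log lines that flags the directory traversal pattern a WAF signature keys on. The log directory, the admin page path and the `handle` parameter name are assumptions made for the sample, not values taken from this page.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical log directory; the real WooCommerce location is not given on this page.
LOG_DIR = "/srv/example-site/wp-content/uploads/wc-logs"

# Traversal sequences in raw or single-encoded form.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|%2e%2e%5c)", re.IGNORECASE)


def resolve_log_path(log_dir, handle):
    """Map a user-supplied log name to a file inside log_dir, or return None.

    The check is done on the resolved path, not on the raw string, so '..',
    percent-encoding, and an absolute path (os.path.join discards log_dir
    when handle starts with '/') are all rejected the same way.
    """
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, unquote(handle)))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def flag_traversal_requests(access_lines):
    """Return (line_no, param, decoded_value) for requests whose query string
    carries a traversal sequence, the pattern a "Directory traversal" signature matches.

    Constructed line shape: '<ip> "<METHOD> <path?query> HTTP/1.1" <status>'.
    """
    hits = []
    for n, line in enumerate(access_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for key, values in params.items():
            for v in values:  # parse_qs decoded once; unquote() also catches double encoding
                if TRAVERSAL.search(v) or TRAVERSAL.search(unquote(v)):
                    hits.append((n, key, unquote(v)))
    return hits


# Constructed sample lines: a legitimate log deletion, then one aimed at woocommerce.php.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 "GET /wp-admin/admin.php?page=wc-status&tab=logs&handle=fatal-errors.log HTTP/1.1" 200',
    '10.0.0.9 "GET /wp-admin/admin.php?page=wc-status&tab=logs&handle=..%2F..%2Fplugins%2Fwoocommerce%2Fwoocommerce.php HTTP/1.1" 200',
    '10.0.0.9 "POST /wp-login.php HTTP/1.1" 302',
]

if __name__ == "__main__":
    print(flag_traversal_requests(SAMPLE_ACCESS_LOG))
    print(resolve_log_path(LOG_DIR, "../../plugins/woocommerce/woocommerce.php"))  # None
```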