
Two critical flaws in BookingPress plugin allow full site takeover


Two critical vulnerabilities in the BookingPress WordPress plugin, which boasts over 10,000 active installations, allow hackers to create arbitrary files on the server and upload files without proper validation.

The first flaw allows authenticated users to create files on the server without proper authorisation. This vulnerability enables attackers to insert malicious code or access sensitive information from local and remote sources.

The issue affects all plugin versions up to and including 1.1.5, and potential consequences include unauthorised file uploads, execution of arbitrary PHP code, and exposure of confidential data.

The vulnerability stems from inadequate security measures in the plugin’s file-handling process. Specifically, the affected function — bookingpress_save_lite_wizard_settings_func — fails to implement necessary checks to verify user permissions, doesn’t properly restrict file types during uploads, and lacks appropriate access controls.

These gaps mean that even users with minimal privileges can exploit the vulnerability, potentially compromising the WordPress site by uploading and executing malicious code or by accessing sensitive configuration files and other protected data.

“Examining the code reveals no restriction on the file extension. This means that a file can be copied from a local or remote source to a destination with an arbitrary extension through the put_contents() function,” explained researchers. “This makes it possible for attackers to upload arbitrary malicious PHP code from a remote source and then access the file to trigger remote code execution on the server.”
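The fix pattern implied by the researchers' description, as an added illustration that is not BookingPress's own code: a WordPress AJAX handler that verifies the nonce and the caller's capability before touching the filesystem, and refuses any destination whose extension is not on an allowlist. All function, action and allowlist names here are hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. Shows the three controls
// the article says were missing: a capability check, a nonce check, and a
// restriction on the destination file type before anything is written.

// Constructed allowlist of harmless types; a real handler would be narrower
// still, and would normally go through the WordPress media API instead.
const EXAMPLE_ALLOWED_EXT = [ 'json', 'csv', 'txt' ];

// Hypothetical hardened settings handler registered for an AJAX action.
function example_save_settings_func() {
    // 1. Only administrators may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. Reject forged (CSRF) requests with a nonce bound to this action.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    $filename = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $contents = isset( $_POST['contents'] ) ? wp_unslash( $_POST['contents'] ) : '';

    // 3. Never let the caller choose a path or an arbitrary extension: keep
    //    only the base name and require an allowlisted extension.
    $filename = sanitize_file_name( basename( $filename ) );
    $ext      = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    if ( '' === $filename || ! in_array( $ext, EXAMPLE_ALLOWED_EXT, true ) ) {
        wp_send_json_error( 'file type not permitted', 400 );
    }

    // Write only beneath the uploads directory, via the WP filesystem API.
    $upload = wp_upload_dir();
    $target = trailingslashit( $upload['basedir'] ) . 'example-plugin/' . $filename;
    wp_mkdir_p( dirname( $target ) );

    global $wp_filesystem;
    if ( ! $wp_filesystem ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        WP_Filesystem();
    }
    if ( ! $wp_filesystem->put_contents( $target, $contents, FS_CHMOD_FILE ) ) {
        wp_send_json_error( 'write failed', 500 );
    }
    wp_send_json_success( [ 'file' => $filename ] );
}
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_func' );
```

Note that no source path is accepted at all: the handler writes only what the request body carries, so the local-or-remote copy the researchers describe has no equivalent here.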

The second vulnerability allows authenticated users to alter WordPress settings and upload files without authorisation. The issue affects multiple plugin versions, the most recent affected being version 1.1.5.

The potential consequences of this flaw are significant, as it can be exploited to gain elevated privileges on the affected site. Attackers could modify crucial WordPress options and introduce malicious files, leading to a complete website takeover.

The vulnerability centres on a poorly secured function — bookingpress_import_data_continue_process_func — that is responsible for handling data imports. This function lacks essential security controls, including user authentication and input sanitisation.

As a result, it’s open to exploitation by unauthorised parties. By leveraging this weakness, an attacker could manipulate various WordPress settings, including those governing user roles and registration processes. This could enable the creation of new accounts with administrative privileges, effectively granting unrestricted access to the site.

Additionally, the function’s file upload mechanism is flawed, failing to screen uploaded files. This oversight allows harmful scripts to be placed on the server, where they could be used to execute unauthorised commands.

“Once an attacker has edited the site options they can create an administrative account on the WordPress site and then, once registered and logged in, they can then manipulate anything on the targeted site, just like a normal administrator would,” researchers said. “This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.”

Combining these two security gaps poses a substantial risk to WordPress sites using the affected plugin.

Four WordPress plugins were hit by a supply chain attack. In June, five WordPress plugins, including Social Warfare, BLAZE Retail Widget, Wrapper Link Elementor, Contact Form 7 Multi-Step Addon, and Simply Show Hooks, were vulnerable to several malicious code injections.

Another vulnerability was found in the Login/Signup Popup plugin, which has over 40,000 active installations. In May, another set of critical vulnerabilities was found in three WordPress plugins.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
