A serious security flaw has been discovered in the widely used JS Help Desk plugin for WordPress. The vulnerability could potentially expose over 5,000 websites to unauthenticated Remote Code Execution (RCE) attacks. The vulnerability has highlighted ongoing concerns about the security of third-party plugins within the WordPress ecosystem.
The flaw affects all JS Help Desk plugin versions up to and including 2.8.6. It stems from inadequate input sanitisation and missing capability checks in the plugin’s code; specifically, it resides in the ‘storeTheme’ function, part of the plugin’s theme management functionality.
Due to the lack of proper checks, malicious actors can exploit this function to inject arbitrary PHP code into the ‘style.php’ file, leading to potential remote code execution.
The vulnerability allows attackers to manipulate the ‘savetheme’ function, which is designed to handle theme-related requests. Although nonce protection is in place, attackers can still obtain the nonce in vulnerable versions, effectively bypassing the security measure.
Once exploited, this vulnerability enables unauthorised users to append malicious code to the ‘style.php’ file. The injected code is executed when this file is subsequently loaded, potentially leading to complete site compromise. This can result in the deployment of web shells, unauthorised data access, or further exploitation of the server.
“This portion is what makes it possible for unauthenticated attackers to append arbitrary malicious PHP code to the style.php file, and thus, when the style.php file is loaded, trigger remote code execution on the server,” researchers explained. “By default, this file is loaded at the end of the storeTheme() function through the updateColorFile() function in the JSSTjssupportticketModel class.”
The JS Help Desk developers responded promptly to the vulnerability disclosure, releasing an initial patch on July 29, 2024, with a subsequent update on August 5, 2024, to fully address the issue.
The final fix was implemented in the plugin’s version 2.8.7 and included the necessary authorisation and cross-site request forgery (CSRF) protections to prevent future exploitation.
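The bug class and the two protections the fix added, shown as an added PHP illustration that is not the plugin’s own code: a hypothetical AJAX handler that writes request data straight into a PHP file with no authorisation check, beside a hardened version with a capability check, a nonce check, strict validation, and settings stored as data rather than code. Function, hook and option names are assumptions.

```php
<?php
// Added illustration, not code from the JS Help Desk plugin. All function,
// hook and option names below are hypothetical; the real plugin differs.

// Vulnerable pattern: no capability check, raw POST data concatenated into
// PHP source and written to style.php. Because the file is later included,
// any value that breaks out of the string literal becomes executable code.
function jshd_store_theme_vulnerable() {
    $color = $_POST['primary_color'];                         // unsanitised
    $php   = "<?php\n\$theme_color = '" . $color . "';\n";  // code built from input
    file_put_contents( plugin_dir_path( __FILE__ ) . 'style.php', $php );
    wp_send_json_success();
}
// Registering the nopriv hook is what makes the handler reachable without a login.
add_action( 'wp_ajax_nopriv_jshd_store_theme', 'jshd_store_theme_vulnerable' );

// Hardened pattern. Note that a nonce alone is not authorisation: it only
// proves the request came from a page that handed out the nonce, so the
// capability check is the control that actually restricts who may call this.
function jshd_store_theme_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'jshd_store_theme', 'nonce' );        // dies on missing/bad nonce

    // Strict allow-list: sanitize_hex_color() returns null for anything that is
    // not a 3- or 6-digit hex colour, so no quotes or PHP tags can get through.
    $raw   = isset( $_POST['primary_color'] ) ? wp_unslash( $_POST['primary_color'] ) : '';
    $color = sanitize_hex_color( $raw );
    if ( null === $color || '' === $color ) {
        wp_send_json_error( 'invalid colour', 400 );
    }

    // Store the setting as data in the options table, never as PHP source:
    // nothing the user supplied is ever evaluated, so there is no file to poison.
    update_option( 'jshd_theme_primary_color', $color );
    wp_send_json_success();
}
// Only the authenticated hook is registered; the capability check above
// rejects logged-in users who are not administrators.
add_action( 'wp_ajax_jshd_store_theme', 'jshd_store_theme_fixed' );
```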
On July 1, four WordPress plugins were hit by a supply chain attack. Last month, it was reported that an Arbitrary Options Update Flaw affected over 40,000 Login/Signup Popup plugin installations.
In May, three WordPress plugins — WP Statistics, WP Meta SEO, and LiteSpeed Cache — were affected by cross-site scripting attacks.