The Post Grid and Gutenberg Blocks plugin, installed on more than 40,000 websites, recently patched a privilege escalation vulnerability that allowed unauthorised users to elevate their permissions to those of an administrator, leaving the websites vulnerable to complete compromise by threat actors.
The vulnerability in versions 2.2.87 through 2.2.90 stems from the plugin’s insecure implementation of a feature that allows users to add custom meta fields through form submissions.
Specifically, attackers with subscriber-level access or higher could exploit this flaw to update the ‘wp_capabilities’ user meta key, effectively granting themselves administrator privileges.
“The functionality used to add custom user meta to the user profile editing form was insecurely implemented, making it possible for users to supply arbitrary user meta keys and update their values, including the wp_capabilities
key. This specific functionality was introduced in version 2.2.87,” researchers said.
This bypassed normal access control checks due to the absence of validation on user meta fields and active form checks, making exploitation relatively straightforward.
“The vulnerability here is quite easy to understand. There were no restrictions or checks on the user meta keys or values being obtained from the ‘user_meta
’ parameter meaning any key/value combination could be supplied,” researchers explain. “This makes it possible for authenticated users to supply the array wp_capabilities[administrator]=1
via the ‘user_meta
’ parameter which will get saved in the database and update the currently authenticated user’s role to the administrator.”
Once attackers gain administrator-level access, they could compromise the entire site, including installing malicious plugins, theme alternations, or running arbitrary code.
Although the plugin’s developer, PickPlugin, initially delayed responding to the disclosure, they rolled out a patch on September 5, 2024. The latest version, 2.2.91, resolves the issue by introducing stricter controls. Administrators can define which user meta fields can be updated, thereby preventing arbitrary updates to critical user roles.
A few weeks back, a vulnerability in LiteSpeed Cache plugin affected more than six million websites. Similarly, another plugin, Bit File Manager was exposed to RCE flaw.
During previous months, several WordPress plugins such as JS Help Desk, Keydatas, BookingPress, and ProfileGrid were also found to be vulnerable to critical flaws.
In the News: OpenAI’s ‘Strawberry’ project targets advance AI reasoning