The Woffice WordPress theme, a premium intranet/extranet solution with over 15,000 downloads, has been found to contain at least two critical vulnerabilities that allow threat actors to fully take over a website through privilege escalation and unauthenticated account takeover. Developed by Xtendify, the theme is built for team and project management on WordPress and relies on its companion Woffice Core plugin.
The first vulnerability (CVE-2024-43153) is a privilege escalation flaw that allows unauthenticated users to register on an affected website with any role, including privileged roles such as administrator. The potential consequences are severe, ranging from website takeover to the installation of malicious code on the server.
The root cause lies in the ‘registration()’ function of the Woffice Core plugin. The function allows users to submit a role via a POST parameter during registration. Without proper restrictions, attackers can register themselves as administrators or other high-privilege roles.
A patch was implemented to enforce a denylist that explicitly blocks the administrator and super_admin roles.
The second flaw (CVE-2024-43234) allows an unauthenticated attacker to take over existing accounts. By exploiting broken authentication, an attacker can log in as any existing user, including site administrators, without knowing their credentials. Like the first vulnerability, this flaw could lead to complete site compromise.
The second vulnerability was introduced by the ‘register_redirect()’ function in the same plugin. An attacker could obtain a security nonce from the registration page and, by sending a crafted request containing that nonce and the target user’s ID, be logged in as that user. The patch for this issue removed the vulnerable function entirely.
These vulnerabilities were introduced in Woffice’s custom login and registration functionality and were addressed in subsequent updates. The Privilege Escalation issue was resolved in version 5.4.12, while the Account Takeover vulnerability was patched in version 5.4.15.
Users are strongly advised to update to at least version 5.4.15 immediately to secure their sites.
“The vulnerabilities discussed here highlight the importance of secure registration. Administrators, reasonably, have a very impactful amount of power when it comes to control over a WordPress site — allowing unknown users this level of privilege can be extremely dangerous,” researchers concluded.
Researchers have urged developers to use allowlists for permissible user roles during registration, implement robust authentication mechanisms, and regularly audit and update plugins or themes to address security flaws promptly.
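To make the ‘registration()’ weakness and the allowlist recommendation concrete, the following PHP is an added illustration, not code from Woffice or Xtendify. It shows a registration handler that lets the request choose the role, the fragility of a denylist, and a hardened handler that accepts only roles from a server-side allowlist and verifies a nonce for CSRF protection. All function names, the hook name, the nonce action and the form field names are assumptions; the WordPress API calls used (wp_insert_user, wp_verify_nonce, sanitize_key, apply_filters, WP_Error) are real.

```php
<?php
// Added illustration (not Woffice code): a self-registration handler that lets
// the client pick a role, beside a hardened version that uses an allowlist.
// All woffice_demo_* names, the nonce action and field names are assumptions.

// --- Vulnerable pattern: the request decides the role -----------------------
function woffice_demo_register_vulnerable() {
    $login = sanitize_user( $_POST['user_login'] ?? '' );
    $email = sanitize_email( $_POST['user_email'] ?? '' );
    $pass  = $_POST['user_pass'] ?? '';
    // Nothing here prevents a client from submitting 'administrator'.
    $role  = sanitize_key( $_POST['role'] ?? 'subscriber' );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ) );
}

// --- Denylist (the first patch's approach): only blocks names it knows ------
// A custom role with elevated capabilities added by another plugin, or a
// built-in role such as 'editor', is not on the list and still goes through.
function woffice_demo_role_is_denied( $role ) {
    return in_array( $role, array( 'administrator', 'super_admin' ), true );
}

// --- Hardened pattern: server-side allowlist plus CSRF nonce ----------------
function woffice_demo_allowed_roles() {
    // Roles a self-registered user may receive. Filterable so a site owner can
    // extend it deliberately; the default is the least-privileged built-in role.
    return apply_filters( 'woffice_demo_allowed_roles', array( 'subscriber' ) );
}

function woffice_demo_register_hardened() {
    // A nonce proves the form was rendered for this action. It is a CSRF
    // control, not an authentication token: it must never be used on its own
    // to identify a user or to log someone in, which is the mistake behind the
    // account takeover described above.
    if ( ! isset( $_POST['_wpnonce'] )
         || ! wp_verify_nonce( $_POST['_wpnonce'], 'woffice_demo_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }

    $login = sanitize_user( $_POST['user_login'] ?? '' );
    $email = sanitize_email( $_POST['user_email'] ?? '' );
    $pass  = $_POST['user_pass'] ?? '';

    $requested = sanitize_key( $_POST['role'] ?? 'subscriber' );
    // Reject anything outside the allowlist rather than silently mapping it to
    // a default, so unexpected values surface in logs instead of disappearing.
    if ( ! in_array( $requested, woffice_demo_allowed_roles(), true ) ) {
        return new WP_Error( 'bad_role', 'Requested role is not permitted.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $requested,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    // Any later change of role or capabilities stays a separate, admin-only
    // action; the registration path never grants more than the allowlist.
    return $user_id;
}
```

The difference between the two approaches is where the decision lives: the vulnerable handler and the denylist both let the client propose a role and then try to filter out bad ones, while the hardened handler starts from the set of roles the server is willing to grant and refuses everything else. When auditing a theme or plugin for this class of bug, look for ‘role’ or capability values read from $_POST, $_GET or $_REQUEST and passed into wp_insert_user, wp_update_user or WP_User::set_role without a server-side allowlist.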