WordPress sites using the Frontend File Manager plugin are vulnerable to a critical cross-site scripting (XSS) flaw that allows remote unauthenticated users to inject JavaScript code into vulnerable websites and create admin user accounts.

The flaw is one of six critical flaws affecting Frontend File Manager versions 17.1 and 18.2, which are used on over 2,000 websites. Each of the flaws, which were made public on Monday, has a patch.

According to researchers from the Ninja Technologies Network, the bugs expose sites running the plugin to a wide range of remote code execution attacks, giving attackers the ability to change or delete posts, set up a spam relay, gain privilege escalation and carry out stored cross-site scripting (XSS) attacks.

Users can upload files to a website’s admin area using the WordPress plugin. Each file is saved in the user’s personal directory, allowing them to manage their files after logging in.

XSS flaw allows for unverified content injection

According to researchers, the XSS flaw allows for unauthenticated content injection.

When someone edits a website post, the unauthenticated “wpfm_edit_file_title_desc” AJAX action loads a function of the same name (“wpfm_edit_file_title_desc”). However, it lacks a security nonce and fails to verify that users are editing their own posts. As a result, an unauthenticated visitor to the blog can change the content and title of every page and post.

“In addition, if the post type is wpfm-files, it is possible to inject JavaScript code in the post title because the plugin relies only on the WordPress esc_attr function to sanitize the $_REQUEST['file_title'] variable, which will be echoed outside HTML attributes in the backend section,” researchers added. “The JavaScript code will be executed when an admin user visits the plugin’s settings pages.”

As a result, an unauthenticated user could inject JavaScript code that creates an administrator user account.

Privilege Escalation

According to the Monday posting, a privilege escalation issue is caused by the “wpfm_get_current_user” function in the “nmedia-user-file-uploader/inc/helpers.php” script, which is used to retrieve a user ID.

“It retrieves the user ID from the WordPress get_current_user_id function if the user is authenticated, or from the plugin’s wpfm_guest_user_id option if the user is not logged in,” researchers explained. “However, the user, authenticated or not, can assign any ID to the $_GET['file_owner'] variable in order to override $current_user_id L318, which could lead to privilege escalation.”

Authenticated Settings Change and Arbitrary File Upload

Another flaw allows a logged-in user to change the plugin’s settings.

“The ‘wpfm_save_settings’ function from the ‘nmedia-user-file-uploader/inc/admin.php’ script is loaded by the wpfm_save_settings AJAX action (authenticated),” researchers explained. “It is used to save the plugin’s settings. There’s no capability check or security nonce.”

An attacker can exploit this by adding PHP to the list of allowed file types.

“Using the ‘wpfm_upload_file’ AJAX action, the attacker could then upload a PHP script that would be saved and accessible as ‘http://example.com/wp-content/uploads/user_uploads/<username>/<file>.php,’ which would lead to remote code execution,” according to the analysis.
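A post-incident check for the settings-change and upload chain just described, added here as example code that is not the plugin’s or the researchers’ own. The upload path is taken from the URL quoted above; the comma-separated format of the allowed-types list is an assumption.

```php
<?php
// Added example (not the plugin's own code). Walks the per-user upload tree
// and reports files a web server might execute, then flags risky entries in
// an allowed-types setting. Path and settings format are assumptions.
const WPFM_RISKY_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps' );

function wpfm_find_executable_uploads( string $dir ): array {
    if ( ! is_dir( $dir ) ) {
        return array();
    }
    $hits = array();
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        // Check every extension segment, so "shell.php.jpg" is flagged too.
        $parts = array_map( 'strtolower', explode( '.', $file->getFilename() ) );
        array_shift( $parts ); // drop the base name
        if ( array_intersect( $parts, WPFM_RISKY_EXTENSIONS ) ) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Returns the entries of a comma-separated allowed-types list that would let
// server-side code be uploaded (what the unauthenticated settings change adds).
function wpfm_risky_allowed_types( string $allowed ): array {
    $types = array_map( 'trim', explode( ',', strtolower( $allowed ) ) );
    return array_values( array_intersect( $types, WPFM_RISKY_EXTENSIONS ) );
}

// Usage: report on the directory named in the researchers' example URL.
$uploads = '/var/www/html/wp-content/uploads/user_uploads';
foreach ( wpfm_find_executable_uploads( $uploads ) as $path ) {
    echo "executable file in uploads: $path\n";
}
// Constructed sample setting: a list an attacker might have rewritten.
print_r( wpfm_risky_allowed_types( 'jpg, png, pdf, php' ) ); // array( 'php' )
```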

XSS Flaw Allows Unauthenticated Page and Post Deletion

A fourth flaw allows an unauthenticated attacker to delete all of the blog’s pages and posts.

“The unauthenticated ‘wpfm_delete_file’ AJAX action (unauthenticated) loads the ‘wpfm_delete_file’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers said. “It takes an ID, $_REQUEST['file_id'], and deletes the corresponding post L708.”

The issue is that the plugin lacks a security nonce and does not verify that the user has permission to delete the corresponding post.

“There’s only a call to the unsafe ‘wpfm_get_current_user’ function. But the result, ‘$curent_user,’ is not even checked in the code,” according to Ninja Technologies Network.

Unauthenticated Post Meta Change and Arbitrary File Download

Attackers can also alter any post metadata, which could result in an arbitrary file download, according to the firm.

“The ‘wpfm_file_meta_update’ AJAX action (unauthenticated) loads the ‘wpfm_file_meta_update’ function from the ‘nmedia-user-file-uploader/inc/files.php’ script,” researchers explained. “It is used to modify post metadata. There’s no capability check or nonce, and the data is not validated or sanitized.”

Attackers can exploit the hole to alter post metadata by assigning “wpfm_dir_path” to “$meta_key” and “wp-config.php” to “$meta_value”, and then download the “wp-config.php” script instead of the uploaded file, according to the analysis.
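The AJAX handlers described above (title/description editing, the settings save, file deletion and post-meta updates) all share the same missing checks: no nonce, no capability check, no ownership check, and output escaped for the wrong context. The following is an added example of what a hardened handler looks like, not the plugin’s own code; the function, nonce and request parameter names are hypothetical.

```php
<?php
// Added example (not the plugin's own code): a hardened replacement for the
// title/description editor. The same checks apply to delete and meta-update;
// the settings handler would additionally require 'manage_options'.
add_action( 'wp_ajax_wpfm_edit_file_title_desc', 'wpfm_edit_file_title_desc_safe' );
// Deliberately no 'wp_ajax_nopriv_' registration: guests cannot reach it at all.

function wpfm_edit_file_title_desc_safe() {
    // 1. Nonce: ties the request to a token issued to this logged-in user.
    check_ajax_referer( 'wpfm_edit_file', 'security' );

    // 2. Ownership: the post must be a wpfm-files post authored by the caller.
    //    The owner comes from the post record, never from a request parameter
    //    (the $_GET['file_owner'] override described above).
    $post_id = isset( $_POST['file_id'] ) ? absint( $_POST['file_id'] ) : 0;
    $post    = get_post( $post_id );
    if ( ! $post || 'wpfm-files' !== $post->post_type
        || (int) $post->post_author !== get_current_user_id() ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // 3. Capability: even the owner must be allowed to edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    // 4. Sanitize on the way in: plain text for the title, filtered HTML for
    //    the description.
    $title = isset( $_POST['file_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['file_title'] ) ) : '';
    $desc  = isset( $_POST['file_desc'] )
        ? wp_kses_post( wp_unslash( $_POST['file_desc'] ) ) : '';

    wp_update_post( array(
        'ID'           => $post_id,
        'post_title'   => $title,
        'post_content' => $desc,
    ) );
    wp_send_json_success( array( 'id' => $post_id ) );
}

// 5. Escape for the output context. esc_attr() is only safe inside an
//    attribute value; a title echoed as element text needs esc_html(). Using
//    esc_attr() for both is the mistake that made the stored XSS possible.
function wpfm_render_title_safe( WP_Post $post ) {
    echo '<input type="text" value="' . esc_attr( $post->post_title ) . '">';
    echo '<h2>' . esc_html( $post->post_title ) . '</h2>';
}
```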

Unauthenticated HTML Injection

Last but not least, an unauthenticated user can use the blog to send spam.

The bug stems from the “wpfm_send_file_in_email” function in the “nmedia-user-file-uploader/inc/callback-functions.php” script, which allows a user to send an email. “Because it is sent in HTML format and it isn’t sanitized, it is possible to inject HTML code (text formatting, CSS, images, etc.) in order to fully customize the email,” according to the post.

“Additionally, even if $_REQUEST['file_id'] is empty or invalid, the message will be sent anyway.”

WordPress Plugin Woes

Users should upgrade to version 18.3 or higher, which was released on June 26, to protect themselves from attacks.

For attackers looking to compromise websites, WordPress plugins continue to offer exploitable bugs.

Researchers warned in January that a WordPress plugin called Orbit Fox had two vulnerabilities, one of which was critical, that could allow attackers to inject malicious code into vulnerable websites and/or take control of them.

In the same month, a plugin called PopUp Builder, which is used by WordPress websites to create pop-up ads for newsletter subscriptions, was discovered to have a vulnerability that could be used by attackers to send out customized newsletters or delete or import newsletter subscribers.

An unpatched stored cross-site scripting (XSS) security bug was discovered in February, potentially affecting 50,000 users of the Contact Form 7 Style plugin.

In addition, in March, it was discovered that the Plus Addons for Elementor plugin for WordPress contains a critical security vulnerability that attackers can use to take control of a website quickly, easily, and remotely. Researchers said it was being actively attacked in the wild after it was first reported as a zero-day bug.
