Title: WordPress Privileges Unchecked in admin.php and Multiple Information Disclosures
Advisory ID: CORE-2009-0515
Advisory URL: http://www.coresecurity.com/content/WordPress-Privileges-Unchecked
Date published: 2009-07-08
Date of last update: 2009-07-08
Vendors contacted: WordPress
Release mode: Coordinated release
Class: Local file include, Privileges unchecked, Cross site scripting (XSS), Information disclosure
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 35581, 35584
CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336
Vulnerability Description
WordPress is a web application written in PHP that allows the easy installation of a flexible weblog on any computer connected to the Internet. WordPress 2.7 reached more than 6 million downloads during June 2009.
A vulnerability was found in the way that WordPress handles some URL requests. This results in unprivileged users viewing the content of plugin configuration pages and, for some plugins, possibly in arbitrary code execution by a malicious attacker if the blog administrator runs injected JavaScript code that edits blog PHP code. Many WordPress-powered blogs hosted outside wordpress.com allow any person to create unprivileged users called subscribers.
Other sensitive username information disclosures were found in WordPress.
Vulnerable Packages
- WordPress 2.8 and previous
- WordPress MU 2.7.1 and previous, used in WordPress.com
Non-vulnerable Packages
- WordPress 2.8.1
- WordPress MU 2.8.1, used in WordPress.com
Vendor Information, Solutions and Workarounds
Mitigation for the Privileges Unchecked vulnerability (suggested by Core Security): this vulnerability may be mitigated by controlling access to the files inside the wp-admin folder. Access can be prohibited by using Apache access control (an .htaccess file); see the "Hardening WordPress with htaccess" guideline listed in the references for more information.
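One way to apply the access control suggested above, added here as an illustration rather than taken from the advisory or from WordPress; it assumes Apache with mod_authz_host, and the address 192.0.2.10 stands in for the administrator's real IP address.

```apache
# .htaccess placed inside the blog's wp-admin/ directory (constructed example).
# Apache 2.2 syntax, current when this advisory was written; the address
# 192.0.2.10 is a documentation-range placeholder for the administrator's IP.
Order Deny,Allow
Deny from all
Allow from 192.0.2.10

# admin-ajax.php answers requests made by the public blog pages, so it must
# stay reachable; every other module in wp-admin/, including admin.php and
# the plugin files it can include, is now refused to all other addresses.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>
```

On Apache 2.4 the Order/Deny/Allow lines become `Require ip 192.0.2.10` and the inner block becomes `Require all granted`; the directory must also carry `AllowOverride Limit` (or `All`) for the file to be honoured.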
Credits
These vulnerabilities were discovered and researched by Fernando Arnaboldi from Core Security Technologies. Further research was done by Jose Orlicki from Core Security Technologies.
Technical Description / Proof of Concept Code
In the last few years several security bugs were found in WordPress. During 2008, the large number of bugs reported by researchers led to exploitation by blog spammers. During 2009, a new round of attacks has appeared and security researchers are reporting new bugs or wrongly fixed previously-reported bugs. A path traversal in local files included by admin.php has been fixed but, in our case, we report that administrative privileges are still unchecked when accessing any PHP file inside a plugin folder.
Access Control Roles
WordPress has a privilege model where any user has an assigned role. Regarding plugins, only users characterized by the role Administrator can activate plugins. Notice that only the blog hosting owner can add new plugins because these must be copied inside the host filesystem. The roles Editor, Author and Subscriber (the latter has the least privileges) cannot activate, edit, update or delete plugins installed by an Administrator. Besides that, the configuration of specific plugins is a grey area because there is no distinguished capability assigned to it. Also, due to cross-site scripting vulnerabilities inside plugin options (something very common), non-administrative users can inject browser code that runs when an administrator opens the affected configuration page. Possibly, arbitrary native code can be executed by the attacker if the blog administrator runs injected JavaScript code that injects PHP code.
It is important to observe that many WordPress-powered blogs are configured to allow any blog visitor to create a Subscriber user through the registration URL, without confirmation from the Administrator role, although by default the Administrator role must create these new users. This can be modified by the administrator in Membership/Anyone can register.
Privileges Unchecked in admin.php?page= Plugin Local File Includes (CVE-2009-2334, BID 35581)
No privileges are checked on WordPress plugin configuration PHP modules when they are requested through the page parameter of admin.php instead of through the module's original URL. The same thing happens when other administrative modules are replaced by admin.php in the same way. Basic information disclosure is done this way. For example, a user with no privileges can see the configuration of the plugin Collapsing Archives, if installed, by requesting its module through admin.php instead of through the allowed URL that only administrators can reach. Another example of this information disclosure is shown on Akismet, a plugin shipped by default with WordPress. All plugins we have tested are vulnerable to this kind of information disclosure, but in many of them the PHP files accessed just crashed.
On the other hand, for the import capability, for example, privileges are checked inside the module itself:
if ( ! current_user_can('import') ) wp_die(__('You are not allowed to import.'));
More dangerous scenarios exist; all of them can be exploited by users with the Subscriber role, the least privileged.
Abuse example: XSS in plugin configuration module
If installed, Related Ways To Take Action is an example of a WordPress plugin that is affected by many cross-site scripting (XSS) vulnerabilities. Possibly, arbitrary native code can be executed by the attacker if the blog administrator, when he/she logs in, runs injected JavaScript code that edits blog PHP code. The original URL for reconfiguring the plugin can be accessed only by the Administrator role. But by replacing the PHP file in that URL with the generic admin.php, any blog user can modify this configuration and inject browser code, which exemplifies this kind of abuse. When the administrator enters the same page the injected browser code will be executed and possibly blog PHP can be modified to run arbitrary native code. This is the worst scenario that we found for the vulnerability.
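A plugin configuration module written the way the import module quoted earlier is written: the capability check lives inside the module, nothing is rendered at file top level, and option values are escaped before they reach the administrator's browser. This is an added illustration, not code from WordPress or from any plugin named in this advisory; the plugin name, the exh_ function names and the option name are made up, and it assumes the WordPress Settings API (add_options_page, register_setting, settings_fields, sanitize_text_field).

```php
<?php
/*
Plugin Name: Example Hardened Options (constructed illustration)
*/
// Bail out when this file is requested outside the WordPress bootstrap.
// Without ABSPATH defined, PHP notices would otherwise reveal the
// install path, as in the error output quoted later in this advisory.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Nothing below renders at file top level. A module that prints its form
// as soon as it is included is exactly what admin.php?page= exposed;
// keeping the output inside a callback makes a bare include harmless.
// Register the page with the manage_options capability. This guards the
// menu entry only; the render callback must check on its own.
add_action( 'admin_menu', 'exh_register_menu' );
function exh_register_menu() {
    add_options_page( 'Example Hardened', 'Example Hardened',
        'manage_options', 'exh-options', 'exh_render_options' );
}

// Store the option through the Settings API with a sanitize callback.
add_action( 'admin_init', 'exh_register_settings' );
function exh_register_settings() {
    register_setting( 'exh_group', 'exh_banner_text', 'sanitize_text_field' );
}

// The configuration module itself re-checks the capability, following the
// pattern of the import module quoted in this advisory.
function exh_render_options() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( __( 'You are not allowed to configure this plugin.' ) );
    }
    $banner = get_option( 'exh_banner_text', '' );
    ?>
    <div class="wrap">
        <h2>Example Hardened Options</h2>
        <form method="post" action="options.php">
            <?php settings_fields( 'exh_group' ); // nonce and option_page fields ?>
            <label for="exh_banner_text">Banner text</label>
            <!-- esc_attr() keeps a stored value from running as script in the admin's browser -->
            <input type="text" id="exh_banner_text" name="exh_banner_text"
                   value="<?php echo esc_attr( $banner ); ?>" />
            <input type="submit" class="button-primary" value="Save Changes" />
        </form>
    </div>
    <?php
}
```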
Abuse example: viewing WP Security Scanner Plugin Dashboard
If installed, the WordPress Security Scanner Plugin dashboard can similarly be viewed by any user other than the administrator, using the plugin configuration page URL without modification. This dashboard includes common default blog configuration settings that are insecure and should be modified by the blog administrator or hosting.
Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project
If installed, the Intrusion Detection System Plugin (WPIDS) can be reconfigured when its configuration module is accessed through the same vulnerability. This gives an attacker the possibility to disable many features of the plugin, for example to reactivate the forgotten password feature and to reactivate the XML-RPC blog interface. An attacker can also deny the weblog service by configuring this plugin to be overly sensitive, blocking any request.
However, the plugin cannot be totally disabled because the essential IDS parameters
- Maximum impact to ignore bad requests
- Minimum impact to sanitize bad requests
are verified on the server side of the blog and cannot be distorted to deactivate the sanitizing or blocking features of the web IDS plugin.
Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID 35584)
WordPress discriminates a bad password from a bad user name at login; this reduces the complexity of a brute force attack on the WordPress blog login (CVE-2009-2335, BID 35584). The same user information disclosure happens when users use the forgotten password e-mail interface to request a new password (CVE-2009-2336, same BID 35584). These information disclosures seem to have been previously reported, but the WordPress team is refusing to modify them, alleging that the behaviour is convenient for the users.
Default installation of WordPress 2.7.1 leaks the name of the user posting entries inside the HTML of the blog.
<small>June 3rd, 2009 <!-- by leakedusername --></small>
Also, several administrative modules give to anyone the complete path where the web application is hosted inside the server. This may simplify or enable other malicious attacks. An example follows.
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in [WP_LEAKED_PATH]\wp-settings.php on line 110
Notice: Use of undefined constant ABSPATH - assumed 'ABSPATH' in [WP_LEAKED_PATH]\wp-settings.php on line 112
Warning: require(ABSPATHwp-includes/compat.php) [function.require]: failed to open stream: No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246
Fatal error: require() [function.require]: Failed opening required 'ABSPATHwp-includes/compat.php' (include_path='.;[PHP_LEAKED_PATH]\php5\pear') in [WP_LEAKED_PATH]\wp-settings.php on line 246
Report Timeline
Core Security Technologies notifies the WordPress team of the vulnerabilities and offers a technical description, encrypted or in plain text. The advisory is planned for publication on June 22nd.
Core notifies again the WordPress team of the vulnerability.
The WordPress team asks Core for a technical description of the vulnerability in plain-text.
Technical details sent to WordPress team by Core.
WordPress team notifies Core that a fix was produced and is available to Core for testing. WordPress team
asserts that password and username discrimination as well as username leakage are known and will not be fixed
because they are convenient for the users.
Core tells the WordPress team that the patch will be tested by Core as a courtesy as soon as possible.
It also requests confirmation that WordPress versions 2.8 and earlier, and WordPress.com,
are vulnerable to the flaws included in the advisory draft CORE-2009-0515.
WordPress team confirms that WordPress 2.8 and earlier plus WordPress.com are vulnerable to the flaws
included in the advisory draft.
Core informs the WordPress team that the patch is only fixing one of the four proof of concept abuses included in the advisory draft.
Core reminds the WordPress team that the advisory is scheduled to be published on June 22nd, but a new schedule can be discussed.
Core asks for a new patched version of WordPress, if available, and notifies the WordPress team
that the publication of the advisory was re-scheduled to June 30th.
WordPress team confirms they have a new patch that has the potential to break a lot of plugins.
WordPress team asks for a delay of the advisory CORE-2009-0515 publication until July 6th, when the WordPress MU version will be patched.
Core agrees to delay publication of advisory CORE-2009-0515 until July 6th.
Core tells the WordPress team that other administrative PHP modules can also be rendered by non-administrative users.
WordPress team comments that modules such as admin-post.php are intentionally open and plugins can choose to hook either privileged or unprivileged actions. They also comment that unprivileged access to the file is benign, but having it open is bad form.
Core sends the WordPress team a new draft of the advisory and comments that there is no capability specified in the WordPress documentation for configuring plugins. Also, control of actions registered by plugins is not enforced. Core also notices that the privileges unchecked bug is fixed in WordPress 2.8.1-beta2, the latest development release.
Core requests WordPress confirmation of the release date of WordPress 2.8.1 and WordPress MU 2.8.
WordPress team confirms that a release candidate of WordPress 2.8.1 is made available to users and
that the advisory may be published.
Core requests WordPress confirmation of the release date of WordPress MU and WordPress MU new version numbers.
WordPress team releases WordPress 2.8.1 RC1 to its users.
WordPress team confirms that WordPress MU 2.8.1 will be made available as soon as WordPress 2.8.1 is officially released, probably July 8th or 9th.
The advisory CORE-2009-0515 is published.
References
- WordPress vulnerabilities in CVE database
- SecuriTeam List of WordPress Vulnerabilities
- WordPress Vulnerability - YBO Interactive Blog
- bablooO/blyat attacks on WP 2.7.0 and 2.7.1
- Security breach - xkcd blog
- securityvulns.com WordPress vulnerabilities digest in English
- WordPress Roles and Capabilities
- WordPress Download Counter
- WordPress Intrusion Detection System Plugin
- Hardening WordPress with htaccess
About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use.
About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious
organizations worldwide develop and maintain a proactive process for
securing their networks. The company's flagship product, CORE IMPACT, is
the most comprehensive product for performing enterprise security
assurance testing. CORE IMPACT evaluates network, endpoint and end-user
vulnerabilities and identifies what resources are exposed. It enables
organizations to determine if current security investments are detecting
and preventing attacks. Core Security Technologies augments its leading technology solution
with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos
Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web
Disclaimer
The contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
GPG/PGP Keys
This advisory has been signed with the GPG key of the Core Security Technologies advisories team, which is available for download at