Security Advisory – Vulnerabilities in Pagelines/Platform theme for WordPress

Advisory for: Pagelines and Platform Themes
Security Risk: Very High
Exploitation level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Remote Code Execution
Patched Version: Pagelines (WP Repo) 1.4.6, Pagelines (Pagelines Server) 2.4.6, PlatformPro 1.6.2

Users of both the Pagelines and Platform themes should update as soon as possible. During a routine audit for our WAF, we found two dangerous issues: a Privilege Escalation vulnerability affecting both themes and a Remote Code Execution vulnerability affecting Platform.

What are the risks?

Any website using a vulnerable version of the Platform theme (<1.4.4) is at risk of a total site takeover.

An attacker can execute PHP code to infect your website with malware, SEO spam and other nefarious content. For those using a vulnerable version of the Pagelines theme (<1.4.6), an attacker needs to be able to register an account on the victim’s website in order to exploit the Privilege Escalation vulnerability. A successful exploitation of that vulnerability could allow the attacker to do pretty much anything with the victim’s website (for example, by using the WordPress theme file editor).

Technical details

1 – Privilege escalation on Pagelines and Platform
Both themes used a WordPress AJAX hook to modify a small set of options.

[Screenshot: the themes' wp_ajax_ option-saving hook]

Because every wp_ajax_ hook is reachable by any logged-in user (regardless of the privileges they hold on the target site), a subscriber-level user could use this hook to overwrite any option stored in the WordPress options database table. For instance, overwriting the ‘default_role’ option with a value like ‘administrator’ would give every newly registered user on the site an administrator account!
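To make the defect concrete, here is an added illustrative example (not the themes' actual code) of an option-saving AJAX handler of the kind described above, followed by a hardened version that gates on capability, nonce and an allowlist of the theme's own options. The function names, the `theme_save_options` action, the `theme_options_nonce` nonce and the option names in `$allowed` are all assumed.

```php
<?php
// Added illustrative example, not the Pagelines/Platform code.
// Assumed names: theme_save_options_vulnerable, theme_save_options_hardened,
// the 'theme_save_options' AJAX action and the 'theme_options_nonce' nonce.

// Vulnerable pattern: wp_ajax_* handlers run for ANY logged-in user, and this
// one trusts both the option name and the value taken from the request, so a
// subscriber can reach core options such as 'default_role'.
function theme_save_options_vulnerable() {
    update_option( $_POST['option'], $_POST['value'] );
    wp_die();
}
// add_action( 'wp_ajax_theme_save_options', 'theme_save_options_vulnerable' );

// Hardened pattern: require the manage_options capability, verify a nonce, and
// only ever touch the theme's own options (assumed names in $allowed).
function theme_save_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'theme_options_nonce', 'nonce' );

    $allowed = array( 'theme_color', 'theme_layout' ); // assumed theme options
    $option  = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['value'] )
        ? sanitize_text_field( wp_unslash( $_POST['value'] ) )
        : '';
    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}
add_action( 'wp_ajax_theme_save_options', 'theme_save_options_hardened' );
```

Only one of the two handlers would be registered in a real theme; the vulnerable registration is left commented out so the file can be dropped into a test install as-is.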

2 – Remote Code Execution on Platform
The theme used a somewhat unconventional way to import theme settings backups.

[Screenshot: Platform's settings-backup import code]


As you can see from the above snippet, the theme inserts the backup file into the theme’s execution context using a call to the include() PHP function. This is not necessarily a vulnerability by itself (at that point we did not know whether an unauthenticated user could actually reach this piece of code), so we backtraced the call chain and found that the function containing this code was called from another function, pagelines_register_settings().

[Screenshot: pagelines_register_settings() hooked to admin_init]

That function was itself hooked to admin_init, which is known to run even when an unauthenticated visitor requests /wp-admin/admin-post.php or /wp-admin/admin-ajax.php, thus allowing anybody to reach the aforementioned snippet of code and gain full control of the website.
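The defender's fix has two parts: an authorization gate that runs before anything else on admin_init (because that hook fires for anonymous requests), and treating the backup as data to parse rather than code to include(). The following is an added example, not Platform's own code; the function name, the `theme_import` request flag, the `theme_import_nonce` nonce, the `backup` upload field, the `theme_settings` option and the keys in `$allowed_keys` are assumed.

```php
<?php
// Added example, not the Platform theme's code. Assumed names:
// theme_import_backup, $_POST['theme_import'], nonce 'theme_import_nonce',
// upload field 'backup', option 'theme_settings', keys in $allowed_keys.
function theme_import_backup() {
    // admin_init fires for unauthenticated hits on admin-ajax.php and
    // admin-post.php, so nothing below may run before this gate.
    if ( ! isset( $_POST['theme_import'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // anonymous and low-privilege users stop here
    }
    check_admin_referer( 'theme_import_nonce' );

    if ( empty( $_FILES['backup']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['backup']['tmp_name'] ) ) {
        return;
    }

    // Treat the backup strictly as data: parse it, never include() it.
    $raw  = file_get_contents( $_FILES['backup']['tmp_name'] );
    $data = json_decode( $raw, true, 8 );
    if ( ! is_array( $data ) ) {
        return; // malformed or non-JSON upload is rejected outright
    }

    // Only known settings are copied, and only scalar values, so arbitrary
    // options (or PHP) in the file can never reach the database.
    $allowed_keys = array( 'theme_color', 'theme_layout' ); // assumed settings
    $clean        = array();
    foreach ( $allowed_keys as $key ) {
        if ( isset( $data[ $key ] ) && is_scalar( $data[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $data[ $key ] );
        }
    }
    update_option( 'theme_settings', $clean );
}
add_action( 'admin_init', 'theme_import_backup' );
```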

Update as soon as possible!

Again, if you’re using a vulnerable version of either theme, update as soon as possible! If you cannot update right away, we strongly recommend having a look at our Website Firewall to get the issue virtually patched.
