• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

WPTF Hybrid Composer – Unauthenticated Arbitrary Options Update

July 11, 2019John Castro

0
SHARES
FacebookTwitterSubscribe

With almost 300 installs, WPTF – Hybrid Composer is a framework that helps users easily create custom themes for WordPress. We recently noticed an increase in suspicious requests, revealing an attack against this plugin.

Easily automated vulnerabilities are the first choice for bad actors. The following snippet provides a good example why attackers would target it:

function hc_ajax_save_option() {
    echo update_option($_POST['option_name'], $_POST['content']);
    die();
}

add_action('wp_ajax_nopriv_hc_ajax_save_option', 'hc_ajax_save_option');

The function “hc_ajax_save_option” uses the WordPress update_option(), along with two parameters that come directly from user input. Because the developers define “hc_ajax_save_option” as a non-private hook action, unauthenticated bad actors can obtain full access.

For those who doesn’t know, WordPress’ update_option() function is used to update any option in the options database table. Using this function, an attacker can gain admin access or inject arbitrary data into any site using vulnerable versions of this framework, 1.4.6 and lower.

The developer is aware of this vulnerability. This vulnerability was patched in a recent update, and we strongly encourage users to update their plugin if they haven’t already.

0
SHARES
FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Labs Note, update_option, Vulnerability, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.