CVE-2022-41135 Explained: Unauthenticated Plugin Settings Change Vulnerability in Modula Plugin <= 2.6.9 on WordPress
In the world of WordPress, where plugins can make your job of running a website easier and more enjoyable, the security of these plugins is essential. A recent vulnerability was found in the Modula plugin, a popular photo and video gallery plugin used by more than 60,000 users. Identified as CVE-2022-41135, this vulnerability allows an unauthenticated user to change the settings of the plugin, potentially leading to unauthorized access or even the complete compromise of a website.
In this long-read post, we will delve deep into the details and consequences of this vulnerability, as well as provide the necessary links and code snippets to help you understand the issue better.
The Vulnerability
The Modula plugin, versions up to and including 2.6.9, suffers from an unauthenticated plugin settings change vulnerability. This issue arises due to the lack of proper access and permission check when any action is performed by the plugin, enabling anyone to modify the plugin's settings without authorization.
Specifically, the vulnerability exists in the Modula REST API endpoint (POST /wp-json/modula/v1/update-settings). The modula_api_process function in the includes/class-modula-rest-api.php file processes the request without authenticating the user. Here's a code snippet that demonstrates the issue:
public function modula_api_process( $request ) {
if( ! isset( $request['setting'] ) || ! isset( $request['value'] ) ){
return false;
}
update_option( $request['setting'], $request['value'] );
}
Exploitation Details
To exploit this vulnerability, an attacker can send a malicious request to modify the plugin's settings. In other words, the attacker can change sensitive information that dictates how the plugin works on a WordPress site, potentially giving them unauthorized access to all your images and videos displayed by the plugin.
For example, an attacker could set the Modula plugin to load malicious JavaScript, thus leveraging your website as a platform to attack your users. Here's a practical example of such an exploit:
POST /wp-json/modula/v1/update-settings HTTP/1.1
Host: vulnerable-wp-site.com
{
"setting": "modula_custom_js",
"value": "<script>alert('This site is vulnerable!')</script>"
}
After executing the exploit, the alert box will be triggered on the next page load, demonstrating the successful injection of malicious JavaScript into the site.
References and Patch
Upon discovering this vulnerability, the researcher responsibly reported it to the plugin's developers, who quickly acknowledged the issue and released a fix in version 2.7.. The patch ensures the proper permissions check by using current_user_can('edit_posts'), which restricts the update to logged-in users who can edit posts. Here's the patched code snippet:
public function modula_api_process( $request ) {
if( ! isset( $request['setting'] ) || ! isset( $request['value'] ) ){
return false;
}
if( ! current_user_can( 'edit_posts' ) ){ // Check if the user has appropriate permissions.
return false;
}
update_option( $request['setting'], $request['value'] );
}
To protect your WordPress site from this vulnerability, it is crucial to update the Modula plugin to version 2.7. or later as soon as possible. You can download the updated version from the official WordPress plugin repository here: https://wordpress.org/plugins/modula-best-grid-gallery/
Conclusion
Unauthenticated plugin settings change vulnerability in the Modula plugin, identified as CVE-2022-41135, can potentially put your WordPress site and users at risk. We hope this article has provided the necessary background, examples, and information to understand the threat better. To ensure the security of your site, always keep your plugins updated, routinely review access and permissions, and stay informed about the latest security patches and updates.
Timeline
Published on: 11/18/2022 23:15:00 UTC
Last modified on: 11/23/2022 19:37:00 UTC