TablePress is a popular WordPress plugin used to create and manage responsive tables easily without any coding. With more than 800,000 active installations, it plays a crucial role for numerous site owners and content creators who wish to display data on their websites in a tabular format. However, a recent vulnerability discovery (CVE-2024-23825) has highlighted a potential security risk associated with this otherwise useful plugin. In this post, we will delve into the details of this vulnerability, including a code snippet, links to original references, and information on how to safeguard your website against potential attacks.
Vulnerability Overview
The vulnerability in question revolves around the import feature of TablePress. When importing a table, the plugin makes external HTTP requests based on a URL provided by the user. Unfortunately, user input is insufficiently filtered, allowing attackers to potentially send requests to unintended network locations and receive responses.
In a cloud environment like AWS, an attacker armed with this knowledge could make GET requests to an instance's metadata REST API, thus potentially exposing internal data, including sensitive credentials, if the instance's configuration is insecure. Thankfully, this vulnerability has been fixed in TablePress version 2.2.5.
Exploit Details
The original exploit details, along with the proof of concept (PoC), can be found in this GitHub Gist: CVE-2024-23825 PoC
The crux of this vulnerability lies in the 'import_from_url()' function found in the TablePress plugin's 'class-loader.php' file. The code snippet below demonstrates the problematic section of this function:
public function import_from_url( $url ) {
if ( false === strpos( $url, '://' ) ) {
return false;
}
$response = wp_remote_get( wp_http_validate_url( $url ) );
if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
return false;
}
return wp_remote_retrieve_body( $response );
}
First, the code checks whether a URL protocol is included in the submitted URL. If it passes this check, the plugin then sends an HTTP request to the specified URL using wp_remote_get(), which sends the response to wp_http_validate_url() for validation.
The primary issue here is the use of 'wp_http_validate_url()' to validate the URL. This function does not sufficiently filter user input, opening the door for attackers to craft malicious URLs that bypass its validation.
For instance, an attacker could create a URL that redirects the requests to an SSRF vulnerability, such as:
http://evil.com/redirect?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/
In the example above, the attacker would replace 'evil.com' with their domain, and the 'redirect' would point the request to an Amazon AWS instance metadata URL, potentially allowing them to access sensitive data.
Mitigation and Conclusion
To protect your WordPress installations, it is highly recommended that you update your TablePress plugin to version 2.2.5 or later, which addresses and fixes this vulnerability.
Furthermore, website administrators should always follow best practices for securing their cloud environments by implementing proper access controls and configurations to reduce the risk associated with such vulnerabilities.
What is particularly concerning about this security risk is that TablePress has a vast user base and the plugin has never been audited for security vulnerabilities in the past. This serves as a vital reminder to always take necessary precautions when using third-party plugins and tools, as even seemingly innocuous functionality can lead to security issues.
By keeping your software updated and following best practices for securing cloud environments, you can minimize your exposure to similar vulnerabilities in the future.
Timeline
Published on: 01/30/2024 17:15:11 UTC
Last modified on: 02/05/2024 18:46:02 UTC