CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can be tricked, by clicking a link, into deleting an entry in the plugin’s registered-domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Details

The vulnerability is caused by the handler for the ajax action del_reistered_domain (sic) neither performing nonce checks nor authorization of the user performing the action. 

add_action( 'wp_ajax_del_reistered_domain', 'slm_del_reg_dom' );
function slm_del_reg_dom() {
	global $wpdb;
	$reg_table = SLM_TBL_LIC_DOMAIN;
	// No nonce check (e.g. check_ajax_referer()) and no capability check: the browser of
	// any logged-in user can be made to send this request.
	$id        = sanitize_text_field( $_GET['id'] );
	// $id is interpolated straight into the SQL string; see the note on SQL injection below.
	$ret       = $wpdb->query( "DELETE FROM $reg_table WHERE id='$id'" );
	echo ( $ret ) ? 'success' : 'failed';
	exit( 0 );
}

We always recommend performing nonce checks on any action, and authorizing the user by checking their capabilities in all non-public action handlers.

The observant reader may also wonder whether there is a SQL Injection vulnerability here. The $_GET['id'] parameter is expected to be numeric, but this is never validated. However, since WordPress escapes any quotation marks in the request parameters, and the sanitize_text_field function removes any URL-encoded octets, the usage here should be safe from exploitation, if not necessarily bug-free.

Version 4.5.1 addresses both of these issues.
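As an added illustration of the recommendations above (this is example code, not the plugin's own 4.5.1 fix), here is how a handler like this can be hardened. It assumes a hypothetical nonce action name, slm_del_reg_dom, and that only users with the manage_options capability may delete registered domains:

```php
<?php
// Added example: a hardened version of the handler above, not the plugin's own 4.5.1 code.
// Assumes a hypothetical nonce action name 'slm_del_reg_dom' and that only users with the
// 'manage_options' capability may delete registered domains.

// Where the admin page renders the delete link, include a nonce in the URL.
function slm_example_delete_link( $domain_id ) {
	return add_query_arg(
		array(
			'action'   => 'del_reistered_domain',
			'id'       => absint( $domain_id ),
			'_wpnonce' => wp_create_nonce( 'slm_del_reg_dom' ),
		),
		admin_url( 'admin-ajax.php' )
	);
}

add_action( 'wp_ajax_del_reistered_domain', 'slm_example_del_reg_dom' );
function slm_example_del_reg_dom() {
	global $wpdb;

	// 1. CSRF: the request must carry a valid nonce for this action. check_ajax_referer()
	//    terminates the request with a -1 response if the nonce is missing or invalid.
	check_ajax_referer( 'slm_del_reg_dom', '_wpnonce' );

	// 2. Authorization: being logged in is not enough; require an explicit capability.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 3. Validation: the id is numeric, so coerce it rather than relying on escaping.
	$id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
	if ( 0 === $id ) {
		wp_send_json_error( 'invalid id', 400 );
	}

	// 4. Parameterised query: no request data interpolated into the SQL string.
	$reg_table = SLM_TBL_LIC_DOMAIN;
	$ret       = $wpdb->query(
		$wpdb->prepare( "DELETE FROM {$reg_table} WHERE id = %d", $id )
	);

	if ( false === $ret ) {
		wp_send_json_error( 'failed', 500 );
	}
	wp_send_json_success( 'success' );
}
```

A request without a valid nonce never reaches the capability check, and a request from a logged-in user without manage_options never reaches the query, so a forged link can no longer delete anything.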


Recommendations

We encourage any site with versions earlier than 4.5.1 of the Software License Manager plugin for WordPress to update as soon as possible.

We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.

Timeline

2021-09-01: Vulnerability discovered by the Jetpack Scan Team
2021-09-07: Reported to WPScan, contacted vendor. 
2021-09-10: Received and verified fixed version from vendor.


Harald Eilertsen

Harald is a Certified Systems Security Professional (CISSP) with a wide background from software development and the security industry. He has a Master of Science in analog microelectronics from the Norwegian University of Science and Technology (NTNU), and has worked for companies such as Norman, Tandberg and Cisco before joining the Jetpack Scan team at Automattic.
