CVE-2022-2597 The Visual Portfolio, Photo Gallery & Post Grid plugin before 2.19.0 had some security issues, allowing users with a low role to inject arbitrary CSS.

This is possible because the plugin does not have an ACL on its endpoints. An attacker can send requests to the affected REST APIs as high as they want, as long as they are a member of the contributor role.

NOTE: Earlier versions of this plugin are also affected, but due to a different vulnerability, we are only focused on the latest version. The WordPress REST API is a very powerful tool that allows plugin developers to extend their plugin functionality by making use of data from the WordPress core.

Summary of the Vulnerability

A vulnerability in a plugin that lets attackers send requests to REST APIs for any user in the contributor role without permission.

Update WordPress to v4.9.3 or Higher

It is highly recommended that you update to WordPress 4.9.3 or higher to provide protection against this vulnerability. Instructions on updating are available here: https://wordpress.org/news/2018/06/wordpress-4-9-3-is-available/.

What happens if the plugin author doesn't upgrade?
A user could exploit this vulnerability by creating a malicious REST API request, which would cause the plugin to load content from their web server instead of the official WordPress website. This would allow attackers to send an unauthorized reply back to the user, causing them to be unaware that they were interacting with a compromised server.

What you should do to protect yourself against REST API hijacking

Use the plugin version number in your URL, like http://example.com/wp-admin/admin.php?page=wipesnap_v1
Restrict access to the REST APIs by using an ACL to restrict who can use them
Keep your versions up-to-date

How Does The REST API Vulnerability Occur?

There is no brute-force protection on the REST API and no cross-site request forgery (CSRF) token. This means that an attacker without any credential can send requests to the REST API as high as they want, as long as they are a member of the contributor role.

What’s an API?

An application programming interface (API) is a set of routines, protocols, and tools for building software applications. APIs are documented sets of requirements to communicate with each other, typically using a common programming language or protocol.

Instead of writing their own code, developers use an API. This allows them to focus on the unique tasks they need their plugin to accomplish without needing to write a lot of code. With APIs, developers can more easily create multiple plugins because they don’t have to re-invent the wheel for every plugin. Additionally, APIs allow developers to reuse code from other plugins in order to create complex functionality that would otherwise be difficult or time-consuming to build from scratch.

Timeline

Published on: 09/05/2022 13:15:00 UTC
Last modified on: 09/09/2022 13:35:00 UTC

References

• https://wpscan.com/vulnerability/3ffcee7c-1e03-448c-8006-a9405658cdb7
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-2597