The WordPress plugin “Theme Editor” lets you edit theme files, create folders, upload files and remove files in themes and plugins.

Theme Editor versions 2.1 and lower are affected by multiple vulnerabilities: CSRF, insufficient permission checks, arbitrary file upload, and the ability to interact with folders and files on the server in most ways you can imagine.

The plugin has over 30,000 active installations as of September 16th, 2019. These vulnerabilities (aside from CSRF) require access to an account, but any account will do, regardless of its role.

Timeline

September 14th, 2019: reached out to plugin author

September 16th, 2019: received response that a fix is being worked on

September 27th, 2019: reached out to ask about the update

September 30th, 2019: new version released that fixes most of the issues

Technical Details

We will not be covering every issue in the plugin in this post (CSRF, for example), but the vulnerabilities described above exist because the WordPress nonce check is not implemented in many methods. Additionally, many methods do not check whether the current user has the permissions required to execute the requested action.

The most dangerous vulnerability is the arbitrary file upload in the ms_child_theme_editor.php file, in the function webphoto_upload, which is registered as the wp_ajax_webphoto_upload AJAX action.

A snippet of the code can be found in the image below. As it shows, all that is needed to exploit this is to upload a file against the “webphoto_upload” AJAX action; the file is then written to the server under /wp-content/themes/images/.
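To show what the missing checks look like in practice, here is an added example of a WordPress AJAX upload handler written the way such a handler should be: it verifies a nonce (closing the CSRF hole), checks a capability (so a low-privileged account cannot call it), validates the file type, and lets WordPress place the file. This is illustrative code, not the Theme Editor plugin's own source; the action name example_theme_upload, the nonce action example_theme_upload_nonce, the form field name "file" and the script handle are all hypothetical.

```php
<?php
/**
 * Added example (not the Theme Editor plugin's code): a hardened wp_ajax_* upload
 * handler. Names below (example_theme_upload, example_theme_upload_nonce, the
 * "file" field and the script handle) are hypothetical.
 *
 * The advisory describes a handler registered on a wp_ajax_* hook, which fires
 * for every logged-in user regardless of role, that moves the uploaded file into
 * wp-content/themes/images/ without a nonce check, a capability check or a file
 * type check. Each numbered step below is one of those missing controls.
 */

add_action( 'wp_ajax_example_theme_upload', 'example_theme_upload_handler' );

function example_theme_upload_handler() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() ends the request with HTTP 403 when the nonce is
    //    missing or invalid, so nothing below runs for a forged request.
    check_ajax_referer( 'example_theme_upload_nonce', '_ajax_nonce' );

    // 2. Authorization: being logged in is not enough. Editing theme files is
    //    gated by the edit_themes capability (administrators only by default, and
    //    removed entirely when DISALLOW_FILE_EDIT is set).
    if ( ! current_user_can( 'edit_themes' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input presence: refuse requests without a genuine PHP upload.
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded.' ), 400 );
    }

    // 4. File type allow-list. wp_check_filetype_and_ext() compares the file's
    //    actual content with its extension instead of trusting the client-supplied
    //    MIME type, so a PHP file renamed to .png is rejected here.
    $allowed  = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $filename = sanitize_file_name( wp_unslash( $_FILES['file']['name'] ) );
    $check    = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $filename, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 400 );
    }

    // 5. Let WordPress move the file. wp_handle_upload() stores it under the
    //    uploads directory (never under themes/ or plugins/), generates a safe
    //    unique filename and re-applies the same MIME allow-list.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 500 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// The admin page that submits the upload needs the matching nonce. Passing it
// to the script with wp_localize_script() is the usual pattern; the browser
// then sends it as the _ajax_nonce field alongside action=example_theme_upload.
function example_theme_upload_enqueue() {
    wp_enqueue_script(
        'example-theme-upload',
        plugins_url( 'upload.js', __FILE__ ), // hypothetical script path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script(
        'example-theme-upload',
        'exampleUpload',
        array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'example_theme_upload_nonce' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'example_theme_upload_enqueue' );
```

Two design points matter most for this class of bug. First, the nonce and the capability check are independent controls: the nonce only proves the request came from a page WordPress rendered for that user, so a check_ajax_referer() call on its own still lets a subscriber run the handler, which is exactly the permission gap the advisory describes. Second, writing uploads into wp-content/themes/ means any file that slips through the type check is served from a path that executes PHP; using wp_handle_upload() with a strict allow-list keeps uploads in the uploads directory and under WordPress's own filename handling.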

Conclusion

Always keep your plugins updated. If possible, enable automatic updates. If you are using the Theme Editor plugin, you need to update it with the latest version as soon as possible.

Websites with the WebARX firewall installed are protected from this security issue. If you are not yet protecting your WordPress site against plugin vulnerabilities, you can start for free here.