Introduction
On May 7, 2024, WP-Firewall, a leading security advisory organization, published a detailed report about critical vulnerabilities discovered in the Uncode Core plugin. If you are a Uncode user, it is crucial to update your core plugin to at least version 2.8.9 to protect your WordPress site from potential attacks. This post will delve into the specifics of these vulnerabilities, their implications, and the steps taken to mitigate them.
About the Uncode Core Plugin
The Uncode Core plugin, developed by Undsgn, is an essential component of the Uncode theme—a highly popular premium theme for WooCommerce sites, with over 110,000 sales on ThemeForest. The Uncode theme is renowned for its pixel-perfect design, making it ideal for various websites, including portfolios, agencies, freelances, blogs, and online stores.
The Security Vulnerabilities
WP-Firewall's security researchers identified two significant vulnerabilities in the Uncode Core plugin:
1. Authenticated Arbitrary File and Directory Deletion
Description: This vulnerability allows any authenticated user with at least a Subscriber role to delete arbitrary directories on the server. The issue lies in the `delete_download` function, which lacks proper permission and nonce checks. This function is attached to the `wp_ajax_uncodefont_delete_download` action, making it possible for authenticated users to exploit it.
Technical Details:
function delete_download() {
if (isset($_REQUEST['font_family'])) {
$font_family = $_REQUEST['font_family'];
$font_dir = trailingslashit($this->font_directory).$font_family;
$fontkit_zip = $font_dir.'.zip';
if (@file_exists($fontkit_zip)) {
if (!@unlink($fontkit_zip)) {
echo json_encode(array(
'error' => sprintf( esc_html__( 'Failed to delete @fontface kit zip %1$s.', 'uncode-core' ), $fontkit_zip )
));
die();
}
}
// Cannot delete the directory, because unzip_file, which has created it, uses WP_Filesystem. So we use WP_Filesystem to delete it.
$this->setup_wp_filesystem();
global $wp_filesystem;
if (isset($wp_filesystem)) {
$delete_dir = $wp_filesystem->delete($font_dir, true);
if (!$delete_dir) {
echo json_encode(array('error' => $delete_dir['error']));
die();
}
}
echo json_encode(array('success' => "Download deleted"));
}
die();
}
includes/font-system/font-system.php, function delete_download()
The function constructs the `$font_dir` variable from user input (`$_REQUEST['font_family']`) without sanitization, allowing directory traversal and arbitrary deletion.
2. Authenticated Privilege Escalation
Description: This vulnerability enables any authenticated user with a minimum of Subscriber role to escalate their privileges to any role on the WordPress site. This is due to an insecure WP Option update in the `save_option` function, which lacks proper permission checks.
Technical Details:
public function save_option() {
if ( isset( $_POST['nonce'] ) && wp_verify_nonce( $_POST['nonce'], 'uncode-core-settings-nonce' ) ) {
if ( isset( $_POST['value'] ) && $_POST['value'] && isset( $_POST['option_id'] ) && $_POST['option_id'] ) {
$autoload = isset( $_POST['autoload'] ) && $_POST['autoload'] === 'true' ? true : false;
update_option( $_POST['option_id'], $_POST['value'], $autoload );
---------- CUT HERE ----------
includes/core-settings/class-core-settings.php, function save_option()
The nonce used in this function can be retrieved by any authenticated user with access to the wp-admin area, allowing unauthorized updates to options and privilege escalation.
The Patch
To address these vulnerabilities, the Uncode Core plugin developers released version 2.8.9, which includes the following fixes:
– Authenticated Arbitrary File and Directory Deletion: Implemented permission and nonce checks in the `delete_download` function.
– Authenticated Privilege Escalation: Applied permission and nonce checks in the `save_option` function and added a whitelist check for option keys.
Conclusion
Ensuring the security of your WordPress site involves staying updated with the latest patches and security advisories. The vulnerabilities in the Uncode Core plugin underscore the importance of implementing proper permission and nonce checks for any sensitive actions. Always sanitize user inputs and limit the scope of what can be updated or deleted through user actions.
For more detailed information, you can read the full security advisory on WP-Firewall's website here.
Stay Secure
WP-Firewall offers various solutions for WordPress security, including plugin auditing, vulnerability monitoring and response, and managed WordPress security services. If you are a plugin developer or security researcher, consider joining WP-Firewall.