Why does this vulnerability exist? CVE-WPForms)

In the last few days, I noticed that the CVE-2024-11205 (CVSS 8.5) vulnerability in the Wordpress WPForms plugin attracted a lot of attention. Mainly for 3 reasons:

• WPForms is a widely used plugin, with over 6 million active installations (sites using it)
• It is a high criticality vulnerability
• It's bizarrely simple to understand

The original Wordfence post already did a great job explaining the vulnerability and its consequences. Therefore, my objective here is different: to theorize how such a bizarrely simple vulnerability remained open for more than a year in one of the most used Wordpress plugins.

Vulnerability

Recalling the information from the original post. The plugin uses the ajax_single_payment_refund() and ajax_single_payment_cancel() functions to handle Stripe payment actions. However, there is no validation whether the logged in user has permission to perform such actions ⚰️. To top it off, the features were “protected” by the wpforms_is_admin_ajax method, which simply does not check whether the user is an admin, as some might think.

Fix

Starting with vulnerability mitigation, the official fix is ​​to update to version 1.9.2.2. In this version of the code, authorization validation was added to the two functionalities, ajax_single_payment_refund and ajax_single_payment_cancel. However, wpforms_is_admin_ajax was kept as is?.

When did the vulnerability arise?

First vulnerable version is WPForms 1.8.4 released on November 28, 2023. The version introduced “New Stripe Payment Tools”, including, among other things “Synchronized Stripe Dashboard” and “Logic for Recurring Payments”.

As changes, the update brought the addition of 15 new files, the deletion of 64 files and the editing of 425 files. Sounds like a great release for someone to manually review ☠️.

Why does the vulnerability exist?

Can automated security tools detect?

To answer this question, I tested SAST Semgrep (which I really like to use) and Gepeto (aka ChatGPT).

Semgrep

I ran a semgrep . in the entire project and he was unable to detect the vulnerability?.

The result is as expected. Officially, authorization failure vulnerabilities are considered business logic vulnerabilities. Which means they are hardly detected by automated tools.

The Common Weakness Enumeration CWE-862 Missing Authorization seems to agree.

Geppetto

I asked ChatGPT if he could identify any problems in the past code. I only sent him the ajax_single_payment_refund and wpforms_is_admin_ajax methods (because I don't want to use up my free ChatGPT for the day?).

And incredibly, he managed to identify the vulnerability and point out the solution (which was very similar to the real fix?), among other “possible vulnerabilities” in this code, such as No Rate Limiting or Logging.

“ahh, but you ran SAST on the entire project, while directing the AI” is life really like that? ?‍♂️

Why does the vulnerability exist?

As seen, traditional security tools can hardly detect authorization vulnerabilities.

According to CWE-862 Missing Authorization, this vulnerability can be detected using manual analysis, such as code review, pentest and threat modeling. And the effectiveness is considered “Moderate” only?.

Other materials that talk about authorization vulnerabilities reinforce that this is a class of vulnerabilities that is complicated to deal with and common in the real world, such as OWASP Top 10 API Security 2019 and 2023 which has authorization vulnerabilities as the first and third position.

Another point is that the method previously used as validation (wpforms_is_admin_ajax) has a very bad name, designed to confuse developers and code reviewers, as this function does not check whether the logged in user is admin.

So, my theory is that this vulnerability exists because 1) without manual analysis, it is almost impossible to detect; 2) the wpforms_is_admin_ajax method would confuse many reviewers analyzing the code.

I hope to bring other analyzes like this in the future. If you liked it, share the post with auntie and grandma. Doubts? I'm always on Bluesky, Threads and Twitter.

The above is the detailed content of Why does this vulnerability exist? CVE-WPForms). For more information, please follow other related articles on the PHP Chinese website!