Wordfence this week disclosed multiple vulnerabilities, now patched, in the popular Responsive Menu WordPress plugin that exposed more than 100,000 sites to takeover attacks. The three vulnerabilities allow attackers to achieve remote code execution through arbitrary file uploads and to change the plugin's settings. All three have been fully patched in version 4.0.4, so if you use this plugin and do not have auto-updates enabled for it, it is highly recommended that you update.
Responsive Menu is a highly customisable responsive menu plugin for WordPress. With over 150 customisable options, you get a combination of 22,500 options. No coding experience or knowledge is needed; with its easy-to-use interface you can get it looking exactly as you want with minimal fuss.
The flaws were discovered on December 17, 2020 by the Wordfence Threat Intelligence team. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to forge requests (cross-site request forgery) that would modify the plugin's settings and, again, upload arbitrary files that could lead to remote code execution.
All three vulnerabilities could lead to a site takeover, which could have consequences including backdoors, spam injections, malicious redirects, and other malicious activities.
Critical Security risk in Responsive Menu plugin
As part of the plugin's functionality, site owners have the option to import themes from zip files that can either be custom creations or downloaded from the Responsive Menu site. In order to provide this functionality, the plugin registered an admin_post action, admin_post_rmp_upload_theme_file, tied to a handler function. There were no capability checks on this function, and because it used admin_post, any user logged into a vulnerable WordPress site could execute this action to trigger the file upload and zip extraction. This included subscribers and other low-level users, making sites with open registration particularly vulnerable. The admin_post action does not check whether a user is an administrator, only whether the user is sending a request to the administrative endpoint /wp-admin/admin-post.php while authenticated (the corresponding admin_post_nopriv action fires for unauthenticated requests). Any authorisation therefore has to be performed by the handler itself.
This allowed any subscriber to upload zip archives containing malicious PHP files, which would be extracted to the /rmp-menu/themes/ directory. These files could then be requested directly via the front end of the site, executing the attacker's PHP and ultimately allowing them to run commands to further compromise the WordPress site.
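To make the weakness concrete, here is an added illustration (not the Responsive Menu plugin's code, and not taken from the Wordfence write-up) of a minimal admin_post upload handler with the flaw described above, beside a hardened version. The hook names (example_upload_theme_weak, example_upload_theme), function names, form field name (theme_file) and destination directory are all hypothetical; the WordPress functions used (add_action, current_user_can, check_admin_referer, wp_die, is_uploaded_file, wp_safe_redirect, admin_url) are real.

```php
<?php
// Added example, not plugin code. All hook, function and path names are hypothetical.

// --- Weak pattern -----------------------------------------------------------
// admin_post_{action} fires for ANY authenticated user who POSTs
// action=example_upload_theme_weak to /wp-admin/admin-post.php. WordPress
// performs no capability or nonce check before calling the handler, so a
// subscriber on a site with open registration reaches this function.
add_action( 'admin_post_example_upload_theme_weak', 'example_upload_theme_weak' );

function example_upload_theme_weak() {
    $zip = new ZipArchive();
    if ( $zip->open( $_FILES['theme_file']['tmp_name'] ) === true ) {
        // Extracts every entry, PHP files included, into a web-reachable
        // directory; the attacker then requests the dropped file directly.
        $zip->extractTo( WP_CONTENT_DIR . '/uploads/example-menu/themes/' );
        $zip->close();
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-menu' ) );
    exit;
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'admin_post_example_upload_theme', 'example_upload_theme_hardened' );

function example_upload_theme_hardened() {
    // 1. Capability check: being logged in is not the same as being allowed
    //    to change plugin settings or write files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce check: defeats forged cross-site requests. Dies on failure.
    //    The submitting form must include wp_nonce_field( 'example_upload_theme' ).
    check_admin_referer( 'example_upload_theme' );

    // 3. Only accept a file that actually arrived via this request's upload.
    if ( empty( $_FILES['theme_file']['tmp_name'] )
         || ! is_uploaded_file( $_FILES['theme_file']['tmp_name'] ) ) {
        wp_die( 'No theme archive uploaded.', '', array( 'response' => 400 ) );
    }

    $zip = new ZipArchive();
    if ( $zip->open( $_FILES['theme_file']['tmp_name'] ) !== true ) {
        wp_die( 'Invalid archive.', '', array( 'response' => 400 ) );
    }

    // 4. Inspect every entry BEFORE extracting anything: allowlist the
    //    extensions a menu theme legitimately needs and refuse path traversal
    //    and absolute paths. A blocklist of ".php" alone misses .phtml, .phar
    //    and similar variants; an allowlist does not.
    $allowed = array( 'json', 'css', 'png', 'jpg' );
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( substr( $name, -1 ) === '/' ) {
            continue; // directory entry, nothing to write
        }
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed, true )
             || strpos( $name, '..' ) !== false
             || $name[0] === '/' ) {
            $zip->close();
            wp_die( 'Archive contains a disallowed entry: ' . esc_html( $name ),
                    '', array( 'response' => 400 ) );
        }
    }

    $zip->extractTo( WP_CONTENT_DIR . '/uploads/example-menu/themes/' );
    $zip->close();

    wp_safe_redirect( admin_url( 'admin.php?page=example-menu&imported=1' ) );
    exit;
}
```

The two checks at the top of the hardened handler correspond directly to the two classes of flaw in the disclosure: current_user_can() closes the low-privilege upload, and check_admin_referer() closes the forged-request variants. The archive inspection is defence in depth, since even an administrator-only endpoint should not write executable files under the web root. Hosts that execute double extensions (for example name.php.jpg) should additionally deny PHP execution in the upload directory at the web server level.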
The flaws have been detailed by Wordfence in a blog post; if you are using the Responsive Menu plugin it is highly recommended to update to version 4.0.4.