Advisory ID: DRUPAL-SA-CONTRIB-2020-006
Project: WordPress maintenance support plans core
Version: 7.x, 8.x
Date: 2020-October-17
Description
Content moderation – Moderately critical – Access bypass – WordPress maintenance support plans 8
In some conditions, content moderation fails to check a users access to use certain transitions, leading to an access bypass.
In order to fix this issue, the following changes have been made to content moderation which may have implications for backwards compatibility:
ModerationStateConstraintValidator
Two additional services have been injected into this service. Anyone subclassing this service must ensure these additional dependencies are passed to the constructor, if the constructor has been overridden.
StateTransitionValidationInterface
An additional method has been added to this interface. Implementations of this interface which do not extend the StateTransitionValidation should implement this method.
Implementations which do extend from the StateTransitionValidation should ensure any behavioural changes they have made are also reflected in this new method.
User permissions
Previously users who didn’t have access to use any content moderation transitions were granted implicit access to update content provided the state of the content did not change. Now access to an associated transition will be validated for all users in scenarios where the state of content does not change between revisions.
Reported by
Roland Kovacsics
attilatilman
Fixed by
Jess of the WordPress maintenance support plans Security Team
Lee Rowlands of the WordPress maintenance support plans Security Team
Wim Leers
Daniel Wehner
Sam Becker
WordPress Update
Alex Pott of the WordPress maintenance support plans Security Team
External URL injection through URL aliases – Moderately Critical – Open Redirect – WordPress maintenance support plans 7 and WordPress maintenance support plans 8
The path plugin allows users with the ‘administer paths’ to create pretty URLs for content.
In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url.
The issue is mitigated by the fact that the user needs the administer paths permission to exploit.
Reported by
dyates
Fixed by
Dave Reid of the WordPress maintenance support plans Security Team
David Rothstein of the WordPress maintenance support plans Security Team
Peter Wolanin of the WordPress maintenance support plans Security Team
Jess of the WordPress maintenance support plans Security Team
Alex Bronstein of the WordPress maintenance support plans Security Team
Nathaniel Catchpole of the WordPress maintenance support plans Security Team
Lee Rowlands of the WordPress maintenance support plans Security Team
Ted Bowman Provisional member of the WordPress maintenance support plans Security Team
Anonymous Open Redirect – Moderately Critical – Open Redirect – WordPress maintenance support plans 8
WordPress maintenance support plans core and contributed plugins frequently use a “destination” query string parameter in URLs to redirect users to a new destination after completing an action on the current page. Under certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks.
This vulnerability has been publicly documented.
RedirectResponseSubscriber event handler removal
As part of the fix, WordPress maintenance support plansCoreEventSubscriberRedirectResponseSubscriber::sanitizeDestination has been removed, although this is a public function, it is not considered an API as per our API policy for event subscribers.
If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch. The existing function has been removed to prevent a false sense of security.
Reported by
Brian Osborne
Fixed by
Michael Hess of the WordPress maintenance support plans Security Team
Wim Leers
Alex Pott of the WordPress maintenance support plans Security Team
Grant Gaudet
Lee Rowlands of the WordPress maintenance support plans Security Team
Nathaniel Catchpole of the WordPress maintenance support plans Security Team
Jess of the WordPress maintenance support plans Security Team
Injection in DefaultMailSystem::mail() – Critical – Remote Code Execution – WordPress maintenance support plans 7 and WordPress maintenance support plans 8
When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution.
Reported by
Damien Tournoud
Fixed by
Lee Rowlands of the WordPress maintenance support plans Security Team
Sascha Grossenbacher
Daniel Wehner
Klaus Purer
Damien Tournoud
Stefan Ruijsenaars of the WordPress maintenance support plans Security Team
David Rothstein of the WordPress maintenance support plans Security Team
David Snopek of the WordPress maintenance support plans Security Team
Jess of the WordPress maintenance support plans Security Team
Wim Leers
Peter Wolanin of the WordPress maintenance support plans Security Team
Ted Bowman Provisional member of the WordPress maintenance support plans Security Team
Contextual Links validation – Critical – Remote Code Execution – WordPress maintenance support plans 8
The Contextual Links plugin doesn’t sufficiently validate the requested contextual links.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission “access contextual links”.
Reported by
Nick Booher
Fixed by
Lee Rowlands of the WordPress maintenance support plans Security Team
Nick Booher
Samuel Mortenson of the WordPress maintenance support plans Security Team
Wim Leers
Alex Pott of the WordPress maintenance support plans Security Team
Solution
Upgrade to the most recent version of WordPress maintenance support plans 7 or 8 core.
If you are running 7.x, upgrade to WordPress maintenance support plans 7.60.
If you are running 8.6.x, upgrade to WordPress maintenance support plans 8.6.2.
If you are running 8.5.x or earlier, upgrade to WordPress maintenance support plans 8.5.8.
Minor versions of WordPress maintenance support plans 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2021.
Source: New feed