CVE Hunting Setup: WordPress Plugins

In this blog post, I explain how to set up an environment for CVE hunting in WordPress plugins.

Credit

Before diving into the specifics, the following resources were used to set up the environment.

Setup

Install MySQL Server to store vulnerable code snippets, plugin names, download counts, and vulnerability types:

# Install & configure MySQL:
sudo apt install mysql-server
sudo mysql_secure_installation

# Change root password:
sudo mysql
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '<password>';
FLUSH PRIVILEGES;

Next, the GitHub repository referenced above will be used to download WordPress Plugins and audit them for potentially vulnerable code snippets.

# Clone the GitHub repo
git clone https://github.com/prjblk/wordpress-audit-automation

# Set configuration file
cd wordpress-audit-automation
cp config.ini.sample config.ini

# Download python requirements
sudo apt install python3-pip
pip3 install -r requirements.txt --break-system-packages

# Authenticate to semgrep
semgrep login

# Run the script
python3 wordpress-plugin-audit.py --download --audit --create-schema

This can take up to 20 hours to finish!

Install WordPress

# Create directory
mkdir my-wp-site
cd my-wp-site

# Install Wordpress
ddev config --project-type=wordpress
ddev start
ddev wp core download
ddev wp core install \
  --url="https://my-wp-site.ddev.site" \
  --title="My WP Site" \
  --admin_user="admin" \
  --admin_password="admin" \
  --admin_email="admin@example.com"

Start Hunting

When the script finishes executing, we can browse the MySQL database. The following query can be used to filter results:

USE SemgrepResults;
SELECT PluginResults.slug, PluginData.active_installs, PluginResults.file_path, PluginResults.start_line, PluginResults.vuln_lines
FROM PluginResults INNER JOIN PluginData ON PluginResults.slug = PluginData.slug
WHERE check_id = "php.lang.security.injection.tainted-sql-string.tainted-sql-string"
ORDER BY active_installs DESC;

Modify check_id to find other vulnerability types:

# SQLi
php.lang.security.injection.tainted-sql-string.tainted-sql-string

# XSS
php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag
php.lang.security.injection.echoed-request.echoed-request
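As an added example (not code from the original post or from the wordpress-audit-automation repository), here is the kind of code the SQLi and XSS check_ids above typically flag inside a plugin, next to the remediated form, which is what to compare against when triaging a row's vuln_lines. It assumes the WordPress runtime ($wpdb, absint, wp_unslash, sanitize_text_field, esc_html) and uses hypothetical function and table names.

```php
<?php
// Added example, not from the original post or the audited repo.
// Assumes it runs inside WordPress; myplugin_* names and the table are hypothetical.

// --- php.lang.security.injection.tainted-sql-string.tainted-sql-string ---
// Flagged: a request parameter is concatenated into the SQL string, so the
// tainted value reaches $wpdb->get_results() unescaped.
function myplugin_lookup_vulnerable() {
    global $wpdb;
    $id = $_GET['id'];
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE id = " . $id
    );
}

// Remediated: the value is cast to an int and bound via $wpdb->prepare().
// A finding is usually a false positive when the string already goes through
// prepare() with placeholders, so check for that first when triaging.
function myplugin_lookup_fixed() {
    global $wpdb;
    $id = absint($_GET['id'] ?? 0);
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}myplugin_items WHERE id = %d",
            $id
        )
    );
}

// --- php.lang.security.injection.echoed-request.echoed-request ---
// Flagged: request data is echoed straight into the page (reflected XSS).
function myplugin_notice_vulnerable() {
    echo '<p>Results for: ' . $_GET['q'] . '</p>';
}

// Remediated: sanitize on input, escape on output.
function myplugin_notice_fixed() {
    $q = sanitize_text_field(wp_unslash($_GET['q'] ?? ''));
    echo '<p>Results for: ' . esc_html($q) . '</p>';
}
```

When triaging, also note which hook exposes the flagged function (for example an admin-only page versus a public AJAX or shortcode handler) and whether a capability or nonce check precedes it, since that determines the severity reported to WPScan.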

Once a potentially vulnerable plugin has been identified, install it using the following command:

ddev wp plugin install <plugin> --activate-network

Run this command from the WordPress installation directory.

Reporting the Vulnerability

Vulnerabilities can be reported to WPScan. As a CVE Numbering Authority (CNA), WPScan is authorized to assign CVEs for submitted vulnerabilities.

When submitting a report, make sure that a clear description of the issue is provided along with detailed steps to reproduce the vulnerability.

This post is licensed under CC BY 4.0 by the author.