Multiple vulnerabilities in Amentotech's Workreap theme

Recently, the Jetpack Scan team found infected files on one of the customer sites it manages and quickly tracked the source of the infection to the Workreap theme by Amentotech. We started investigating and found several vulnerable Ajax endpoints in the theme. The most serious one is an unauthenticated file upload vulnerability, which can lead to remote code execution and a complete takeover of the site. We reported the vulnerabilities to the Amentotech team through the Envato Helpful Hacker program, and they were fixed promptly. Version 2.2.2 of the theme, which fixes the vulnerabilities, was released on June 29, 2021.

TL;DR: Due to the severity of the vulnerabilities, all users of the Workreap theme are strongly advised to upgrade to version 2.2.2 or later as soon as possible, either by downloading the update from the theme's website and installing it manually, or automatically through the Envato Market plugin.

Details
Theme name: Workreap
Theme URI: http://amentotech.com/projects/wpworkreap
Author: Amentotech
Author URI: https://themeforest.net/user/amentotech/portfolio

Because of the severity of the vulnerabilities, publication of the proof of concept and the complete analysis was delayed to give users time to upgrade.
Unauthenticated upload leading to remote code execution

Proof of concept (the Ajax action and form-field names are elided here):

% curl -F 'action=…' -F '…=@malicious.php' 'https://example.com/wp-admin/admin-ajax.php'
{...}
% curl 'https://example.com/wp-content/uploads/workreap-temp/malicious.php'
Pwned!

The uploaded file is stored under wp-content/uploads/, where the web server executes PHP, so a single unauthenticated request is enough to run arbitrary code on the site.
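To show why an upload handler of this shape is exploitable and what the fix looks like, here is an added example written for this page; it is not Workreap's code. It contrasts an Ajax upload action exposed to unauthenticated visitors and trusting the client-supplied filename with a hardened version. The action names (example_temp_upload, example_temp_upload_safe), the 'file' field, the 'example-temp' directory, the nonce action and the 'upload_files' capability are all assumptions.

```php
<?php
// Added example, not the theme's code. Action names, field name, directory,
// nonce action and capability are assumptions chosen for illustration.

// --- Vulnerable pattern ------------------------------------------------
// wp_ajax_nopriv_ makes the action reachable without logging in, and the
// handler writes whatever the client sent, under whatever name the client
// chose, into wp-content/uploads/, where the web server executes .php files.
add_action('wp_ajax_nopriv_example_temp_upload', 'example_temp_upload_vulnerable');
add_action('wp_ajax_example_temp_upload', 'example_temp_upload_vulnerable');
function example_temp_upload_vulnerable() {
    $upload = wp_upload_dir();
    $dir    = $upload['basedir'] . '/example-temp/';
    wp_mkdir_p($dir);
    $file = $_FILES['file'];
    move_uploaded_file($file['tmp_name'], $dir . $file['name']);   // malicious.php lands here
    wp_send_json_success(['url' => $upload['baseurl'] . '/example-temp/' . $file['name']]);
}

// --- Hardened pattern ----------------------------------------------------
// No nopriv registration (logged-in users only), a nonce against CSRF, a
// capability check, an allow-list of types verified against file content,
// and WordPress's own upload routine, which also sanitizes the filename.
add_action('wp_ajax_example_temp_upload_safe', 'example_temp_upload_hardened');
function example_temp_upload_hardened() {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Rejects the request (HTTP 403) unless a valid nonce for this action is
    // sent in '_ajax_nonce' or '_wpnonce'.
    check_ajax_referer('example_temp_upload');

    // 'upload_files' is an assumption; use whichever capability the site
    // actually grants to the role that is supposed to upload.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_send_json_error('Not allowed', 403);
    }
    if (empty($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        wp_send_json_error('No file uploaded', 400);
    }

    // Only images are expected here; everything else, including .php, is refused.
    $allowed = ['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

    // Checks the extension against the allow-list and, for images, inspects the
    // file content too, so shell.php and shell.php.png are both rejected.
    $check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error('File type not allowed', 415);
    }

    // test_form=false because the form's 'action' is our Ajax action, not
    // 'wp_handle_upload'; 'mimes' restricts accepted types again at this layer.
    $moved = wp_handle_upload($_FILES['file'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($moved['error'])) {
        wp_send_json_error($moved['error'], 400);
    }
    wp_send_json_success(['url' => $moved['url']]);
}
```

Two things the hardened version relies on are worth stating plainly: the nopriv hook is what turns a bug into an unauthenticated one, so it should never be registered for an action that writes files; and extension checks alone are not enough on servers whose PHP handler matches more than a bare .php suffix, which is why the type is verified by content and the file is passed through wp_handle_upload rather than move_uploaded_file.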
Multiple CSRF + IDOR weaknesses

Several other Ajax actions in the theme combine a missing CSRF check (no nonce verification) with an insecure direct object reference: the object to act on is selected by a client-supplied ID without verifying that the caller owns it. The list of affected actions is not legible in this copy of the page.
Lack of permission checks on Ajax actions

Multiple Ajax actions in the Workreap theme lack the permission checks needed to determine whether the user is allowed to perform sensitive operations, such as modifying or deleting objects. This allows any logged-in user to modify or delete objects belonging to other users of the site. In versions prior to 2.0.0 these actions had no authentication at all, so they could be abused by unauthenticated site visitors.

Proof of concept:

# Log in as any freelancer
curl -c cookies -F action=workreap_ajax_login -F username=ball -F password=hunter2 \
  https://example.com/wp-admin/admin-ajax.php
{...}

# Delete an arbitrary portfolio item
curl -s -b cookies -F action=workreap_portfolio_remove -F id=1361 \
  https://example.com/wp-admin/admin-ajax.php
{...}

The second request succeeds regardless of which user created portfolio item 1361: the handler checks that a session exists, but never that the session belongs to the owner of the object being deleted.
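The following added example, written for this page and not taken from Workreap, shows the "remove portfolio item" action in the shape the proof of concept above exploits, beside a hardened handler. It covers both the missing-permission-check section and the CSRF + IDOR section: the fix is the same triple of checks (nonce, authentication, per-object authorization). The action names (example_portfolio_remove, example_portfolio_remove_safe), the 'portfolio' post type and the nonce action are assumptions.

```php
<?php
// Added example, not the theme's code. Action names, the 'portfolio' post
// type and the nonce action are assumptions chosen for illustration.

// --- Vulnerable pattern ------------------------------------------------
// The nopriv registration is the pre-2.0.0 situation the advisory describes
// (callable without logging in); without it, any logged-in user can still
// call the action. Either way the handler never asks who owns post 'id'.
add_action('wp_ajax_nopriv_example_portfolio_remove', 'example_portfolio_remove_vulnerable');
add_action('wp_ajax_example_portfolio_remove', 'example_portfolio_remove_vulnerable');
function example_portfolio_remove_vulnerable() {
    $id = intval($_POST['id']);
    wp_delete_post($id, true);        // deletes anyone's item, of any post type
    wp_send_json_success(['deleted' => $id]);
}

// --- Hardened pattern ----------------------------------------------------
add_action('wp_ajax_example_portfolio_remove_safe', 'example_portfolio_remove_hardened');
function example_portfolio_remove_hardened() {
    // 1. CSRF: the request must carry a nonce for this action, generated by
    //    wp_create_nonce('example_portfolio_remove') in the theme's own page.
    //    check_ajax_referer() stops with HTTP 403 if it is missing or invalid.
    check_ajax_referer('example_portfolio_remove');

    // 2. Authentication: wp_ajax_ (without nopriv) already implies a logged-in
    //    user, but an explicit check documents the intent and survives refactors.
    if (!is_user_logged_in()) {
        wp_send_json_error('Login required', 401);
    }

    // 3. Authorization on the specific object (the IDOR check): the post must
    //    exist, be of the expected type, and belong to the caller. Low-privilege
    //    roles (a freelancer is typically one) usually lack delete_posts, so the
    //    explicit ownership test is what lets owners act; the capability test
    //    lets administrators clean up anyone's items.
    $id   = isset($_POST['id']) ? absint($_POST['id']) : 0;
    $post = $id ? get_post($id) : null;
    if (!$post || $post->post_type !== 'portfolio') {
        wp_send_json_error('Not found', 404);
    }
    $is_owner = (int) $post->post_author === get_current_user_id();
    if (!$is_owner && !current_user_can('delete_post', $id)) {
        wp_send_json_error('Forbidden', 403);
    }

    wp_delete_post($id, true);
    wp_send_json_success(['deleted' => $id]);
}
```

When auditing a theme or plugin for this class of bug, grep for every add_action('wp_ajax_nopriv_…') and every add_action('wp_ajax_…') callback and ask the three questions in order: is a nonce verified, is a login actually required, and is the object identified by the request checked against the caller? A handler that answers "no" to the third question is the IDOR described above, even when the first two are in place.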
Timeline
2021-06-24: The initial upload vulnerability is discovered by the Jetpack Scan team and reported to the Envato Helpful Hacker program.
2021-06-25: The additional vulnerabilities documented above are found, and Amentotech is notified through Envato.
2021-06-27: Version 2.2.1 is released, fixing some of the vulnerabilities.
2021-06-29: Version 2.2.2 is released, and the Jetpack Scan team confirms the fixes.
Conclusion
We recommend checking which version of the Workreap theme your site is running (for example from Appearance > Themes in the dashboard, or with "wp theme list" in WP-CLI) and, if it is older than 2.2.2, updating as soon as possible! Because the theme is distributed through ThemeForest rather than WordPress.org, it will not be updated by the core update mechanism unless the Envato Market plugin is installed. Jetpack is committed to protecting sites from vulnerabilities like these. To stay ahead of new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.

Credits
Original researcher: Harald Eilertsen. Thanks to the rest of the Jetpack Scan team for their feedback, help and corrections. We would also like to thank kailoon, who helped reach Amentotech through the Envato Helpful Hacker program, and Amentotech for their quick response in resolving the issues and releasing updated versions.
