Critical Vulnerability Patched in Popular Convert Plus Plugin

Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday, May 24th, our Threat Intelligence team identified a vulnerability in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs. The flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator. We disclosed the issue privately to the plugin’s development team, who released a patch just a few days later.

Convert Plus (formerly convertplug) versions up to and including 3.4.2 are affected by this flaw. All Convert Plus users should update to version 3.4.3 immediately, as this is a critical security issue. We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days.

Vulnerability In Detail

Convert Plus is a lead generation plugin used to display marketing popups, info bars, and other elements to a site’s visitors with various calls-to-action like email subscription and coupon codes. When setting up a form for handling new subscribers, administrators can define a WordPress user role to be associated with the email address provided. By default this value is None and no user is created, but the site’s owner can have these forms create new Subscriber accounts, or any other role they’d like. The exception is the Administrator role: the plugin removes it from the list of available roles when generating the dropdown menu.

// Builds the role dropdown shown in the form settings; Administrator is removed from the list.
global $wp_roles;
$roles    = $wp_roles->get_names();
$user_arr = array();
foreach ( $roles as $rkey => $rvalue ) {
	$user_arr [ $rvalue ] = $rvalue;
}
$first_item = array( 'None' );
$new_arr    = $user_arr;
unset( $new_arr['Administrator'] );
$new_arr = $first_item + $new_arr;

However, in vulnerable versions of the plugin, the configured role was not fetched from the database when a subscription was submitted. Instead, the setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value arrives in the same HTTP request as the rest of the subscription entry, anyone submitting the form can modify it.

// Add subscriber as new user role to site.
// The role is read straight from the client-supplied hidden field, not from the saved form settings.
$new_role = isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';

if ( 'success' === $status && ! $only_conversion ) {

	if ( '1' === $sub_optin || 1 === $sub_optin ) {
		$list_name  = str_replace( 'cp_connects_', '', $data_option );
		$list_name  = str_replace( '_', ' ', $list_name );
		$page_url   = isset( $cp_settings['cp-page-url'] ) ? $cp_settings['cp-email-body'] : '';
		$style_name = isset( $_POST['cp_module_name'] ) ? esc_attr( $_POST['cp_module_name'] ) : '';
		cp_notify_sub_to_admin( $list_name, $param, $sub_email, $email_sub, $email_body, $cp_page_url, $style_name );
	}
	// Any value other than 'None'/'none' is passed on unchecked; nothing stops 'administrator' here.
	if ( '' !== $new_role && ( 'None' !== $new_role && 'none' !== $new_role ) ) {
		cp_add_new_user_role( $param, $new_role );
	}
}

This code passes the role from the AJAX request to the plugin’s function cp_add_new_user_role, which then creates the user as directed.

Because the submitted role is never validated server-side when the subscription is processed, an attacker who submits a subscription form with cp_set_user changed to “administrator” causes the plugin to create an administrator account tied to the supplied email address. The new account is given a randomized password, but the attacker can issue a standard password reset to gain access to the rogue administrator account.
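The following is an added example, not Convert Plus’s own code, showing the handler pattern that closes this class of flaw: the role to assign is resolved server-side from the saved form configuration and checked against an allowlist that never contains Administrator, and the request is trusted only for the form identifier and the email address. The function names, the example_form_roles option and the form_id/email field names are hypothetical; the WordPress API calls (wp_roles, get_option, wp_insert_user, wp_send_json_*) are real.

```php
<?php
// Added example (not from the plugin): hardened subscription handling.
// The hidden cp_set_user field is ignored entirely; nothing in the request
// can select a role. Function and option names are hypothetical.

/**
 * Role slugs a subscription form is allowed to assign.
 * wp_roles()->get_names() returns slug => display name, so the key removed
 * here is the slug 'administrator' rather than the label used in the dropdown.
 */
function example_assignable_roles() {
	$roles = wp_roles()->get_names();
	unset( $roles['administrator'] );
	return array_keys( $roles );
}

/**
 * Vulnerable pattern, kept for contrast: the role is whatever the client sent.
 */
function example_role_from_request() {
	return isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';
}

/**
 * Hardened pattern: look the role up by form ID in a hypothetical option
 * (form_id => role slug) that only a site administrator can write.
 * Returns null when no account should be created.
 */
function example_role_for_form( $form_id ) {
	$configured = get_option( 'example_form_roles', array() );
	$role       = isset( $configured[ $form_id ] ) ? $configured[ $form_id ] : 'none';
	if ( 'none' === $role ) {
		return null;
	}
	// A stored value outside the allowlist (tampered or misconfigured) is
	// treated like 'none' instead of being handed to the role system.
	if ( ! in_array( $role, example_assignable_roles(), true ) ) {
		return null;
	}
	return $role;
}

/**
 * AJAX handler for a subscription form. Only form_id and email are read
 * from the request, and both are sanitized before use.
 */
function example_handle_subscription() {
	$form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
	$email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

	if ( ! is_email( $email ) ) {
		wp_send_json_error( 'invalid email' );
	}

	$role = example_role_for_form( $form_id );
	if ( null === $role || email_exists( $email ) ) {
		// Subscription would be recorded elsewhere; no WordPress account is created.
		wp_send_json_success( 'subscribed' );
	}

	$user_id = wp_insert_user( array(
		'user_login' => $email,
		'user_email' => $email,
		'user_pass'  => wp_generate_password( 24, true ),
		'role'       => $role,
	) );

	if ( is_wp_error( $user_id ) ) {
		wp_send_json_error( $user_id->get_error_message() );
	}
	wp_send_json_success( 'subscribed' );
}
add_action( 'wp_ajax_nopriv_example_subscribe', 'example_handle_subscription' );
add_action( 'wp_ajax_example_subscribe', 'example_handle_subscription' );
```

The design point is that the client never names a role at all: the only request-controlled value that influences account creation is a numeric form ID, and even a corrupted stored setting falls back to creating no account rather than an unexpected one.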

Video Demonstration

Convert Plus Plugin Vulnerability Exploit Demonstration from Wordfence on Vimeo.

Disclosure Timeline

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

Well-Handled Response

Vulnerability disclosures are an unfortunate necessity, and it’s important that all parties involved handle them appropriately. In recent disclosures, we’ve seen a variety of responses from the developers we’ve reached out to. For example, in January we received no response at all to a disclosure regarding the Total Donations plugin. More recently, this week’s Slick Popup vulnerability was acknowledged by the developers but remains unpatched.

Conversely, the response from Convert Plus’s team was an excellent example of how to handle a vulnerability disclosure. They responded quickly to our contact, and issued a patch for the flaw within just a few days. Once the patch went live, they published their own blog post alerting their users that an important update was available. They even highlighted the update on the plugin’s CodeCanyon page.

Convert Plus’s CodeCanyon page, featuring an alert regarding the security release.

Conclusion

In this post we shared details of a critical security flaw recently patched in the popular Convert Plus plugin for WordPress. The vulnerability has been patched as of version 3.4.3 of the plugin, and it’s crucial that all affected users update as soon as possible. We have released a firewall rule that blocks exploit attempts against Wordfence Premium users; it will be available to Free users on June 27th.
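Updating removes the flaw but does not remove any account that was created while a site was exposed. The following is an added audit script, not part of this post or of the plugin, that lists administrator accounts registered on or after a cutoff date so each one can be reviewed. It is meant to be run with WP-CLI’s eval-file command from the site root (for example `wp eval-file audit-admins.php "YYYY-MM-DD 00:00:00"`, where the date argument is a placeholder); the function name is hypothetical, while $wpdb, $args, WP_CLI::success/warning and WP_CLI\Utils\format_items are real WordPress and WP-CLI APIs.

```php
<?php
// Added example (not from the post or the plugin): list administrator
// accounts registered since a cutoff. Run via: wp eval-file audit-admins.php [cutoff]
// $args holds the positional arguments WP-CLI passes to eval-file.

/**
 * Administrator accounts whose user_registered timestamp is >= $since.
 * Role membership lives in usermeta under "{prefix}capabilities" as a
 * serialized array, so the role name is matched with a LIKE on the
 * quoted key ("administrator"). Returns rows as associative arrays.
 */
function example_admins_registered_since( $since ) {
	global $wpdb;
	$cap_key = $wpdb->prefix . 'capabilities';
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT u.ID, u.user_login, u.user_email, u.user_registered
			   FROM {$wpdb->users} u
			   JOIN {$wpdb->usermeta} m ON m.user_id = u.ID
			  WHERE m.meta_key = %s
			    AND m.meta_value LIKE %s
			    AND u.user_registered >= %s
			  ORDER BY u.user_registered DESC",
			$cap_key,
			'%' . $wpdb->esc_like( '"administrator"' ) . '%',
			$since
		),
		ARRAY_A
	);
}

// Default cutoff: 30 days ago. user_registered is stored in GMT, so the
// default is built with gmdate to match.
$since = isset( $args[0] ) ? $args[0] : gmdate( 'Y-m-d H:i:s', time() - 30 * DAY_IN_SECONDS );
$rows  = example_admins_registered_since( $since );

if ( empty( $rows ) ) {
	WP_CLI::success( "No administrator accounts registered since $since." );
} else {
	WP_CLI::warning( count( $rows ) . " administrator account(s) registered since $since; verify each one." );
	WP_CLI\Utils\format_items( 'table', $rows, array( 'ID', 'user_login', 'user_email', 'user_registered' ) );
}
```

Any administrator in the output that the site owner did not create deliberately should be treated as suspect; on a multi-site server, as the comment below describes, the same check is worth running against every WordPress instance, not only the one that had the plugin installed.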

As always, we will monitor our network for activity associated with this flaw and will update you with any noteworthy campaigns we identify.


Comments

3 Comments
  • Wow. That's a serious security flaw. Thanks for revealing this to Wordfence users. Very gratifying to know that Convert Plus’s team patched it quickly. Sounds like "accidental bad coding" as opposed to malicious code.

  • One of my clients learnt an important lesson last week after succumbing to this. This vulnerability was used to install malware that searched for all WP instances on their server (4 in total, 2 of which were Woocommerce). It then injected redirection code into all themes (functions.php) on all instances. End result was an expensive clean-up bill, 2 days of lost sales & reputation.

  • Thanks Wordfence for the contribution!