Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin

On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, if the targeted site has the ‘Role Management’ setting enabled.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.

We performed our initial outreach to the developer on April 5, 2023, the same day we discovered the vulnerability. We received a response the same day and sent over the full details. The developer released a patch swiftly the next day on April 6, 2023.

We’d like to say a special thanks to the lead developer of WP Data Access, Peter Schulz, who provided an exemplary example of how security issues should be handled by responding immediately and releasing a patch the next day.

We strongly recommend ensuring that your site has been updated to the latest patched version of WP Data Access, which is version 5.3.8 at the time of this publication.

Vulnerability Summary from Wordfence Intelligence

The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘wpda_role[]‘ parameter during a profile update. This requires the ‘Enable role management’ setting to be enabled for the site.

Vulnerability Analysis

WP Data Access is a WordPress plugin designed to make data table creation in WordPress more intuitive and easier to manage for site owners. One feature of the plugin is the ability to enable role management, which makes it possible for a site owner to create custom roles and assign multiple roles to different users. Unfortunately, this functionality was insecurely implemented making it possible for authenticated users to assign any role to themselves, including the administrative role.

Taking a closer look at the code, we see that the ‘multiple_roles_update‘ function used to assign a user’s new roles upon updating a profile is hooked via ‘’profile_update‘’. This hook is triggered immediately after any user profile is updated and it does not perform any sort of authorization checks on the user performing the action. As such, this means that any update to a user’s profile, including on the profile.php page, will invoke the hooked function ‘multiple_roles_update‘.

This makes it possible for any authenticated users with an account, such as subscribers, to invoke the ‘multiple_roles_update‘ function.

 $this->loader->add_action( 'profile_update', $wpda_roles, 'multiple_roles_update' );

If the associated function had a capability check, then it may have prevented these users from fully executing the function, however, that was not the case. Reviewing the hooked function, we see a check verifying that the role management setting is enabled, but nothing more. The function then determines the user and looks for the ‘wpda_role‘ array parameter from a given request. If present, it will process the supplied roles and add the role and applicable permissions to the user retrieved in the first step.

This made it possible for authenticated users, such as a subscriber, making profile updates to supply the ‘wpda_role‘ array parameter with any desired roles, such as administrator, during a profile update that would be granted immediately upon save of the profile updates.

public function multiple_roles_update( $user_id ) {
   if ( ! $this->is_role_management_enabled ) {
      return;
   }

   $wp_user = new \WP_User( $user_id );
   if ( isset( $wp_user->data->user_login ) ) {
      $user_login = $wp_user->data->user_login;
      // Get access to editable roles
      global $wp_roles;
      if ( isset( $_REQUEST['wpda_role'] ) && is_array( $_REQUEST['wpda_role'] ) ) {
         // Process roles
         $sanitized_roles = array();
         foreach ( $_REQUEST['wpda_role'] as $new_user_role ) { // phpcs:ignore WordPress.Security.ValidatedSanitizedInput
            $sanitized_new_user_role = sanitize_text_field( wp_unslash( $new_user_role ) ); // input var okay.
            $wp_user->add_role( $sanitized_new_user_role );
            $sanitized_roles[ $sanitized_new_user_role ] = true;
         }

         // Remove unselected roles
         foreach ( $wp_roles->roles as $role => $val ) {
            if ( ! isset( $sanitized_roles[ $role ] ) ) {
               $wp_user->remove_role( $role );
            }
         }
      } else {
         // BUG!!! REMOVED!!!
         // When plugin role management is enabled, this removes all user roles when a user updates his profile.
         // foreach ( $wp_roles->roles as $role => $val ) {
         // $wp_user->remove_role( $role );
         // }
      }
   }
}

As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Disclosure Timeline

April 5, 2023 – Discovery of the Privilege Escalation vulnerability in WP Data Access. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
April 5, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
April 5, 2023 – The vendor confirms the inbox for handling the discussion.
April 5, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 6, 2023 – A fully patched version of the plugin, 5.3.8, is released.
May 5, 2023 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the WP Data Access plugin that enabled authenticated attackers, with at least subscriber-level access to a site, to elevate their privileges to that of a site administrator which could ultimately lead to complete site compromise. This flaw has been fully patched in version 5.3.8.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 5.3.8 at the time of this publication.

Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 5, 2023. Sites still using the free version of Wordfence will receive the same protection on May 5, 2023.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to a complete site takeover.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.