$493 Bounty Awarded for Arbitrary Options Update Vulnerability Patched in WP Datepicker WordPress Plugin

🎉 Did you know we’re running a Bug Bounty Extravaganza again?

Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure!

On April 14th, 2024, during our Bug Extravaganza, we received a submission for an Arbitrary Options Update vulnerability in WP Datepicker, a WordPress plugin with more than 10,000 active installations. This vulnerability could be used by authenticated attackers, with subscriber-level access and above, to update arbitrary options which can easily be leveraged for privilege escalation.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $493.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 16, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 16, 2024.

We contacted the developer Fahad Mahmood on April 16, 2024, and received a response on the same day. After providing full disclosure details the next day, the developer released the first patch on the same day. A fully patched version, 2.1.1, was released on April 19, 2024. We would like to commend Fahad Mahmood for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Datepicker, which is version 2.1.1, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The WP Datepicker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdp_add_new_datepicker_ajax() function in all versions up to, and including, 2.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options that can be used for privilege escalation. This was partially patched in 2.0.9 and 2.1.0, and fully patched in 2.1.1.

Technical Analysis

WP Datepicker is a lightweight WordPress plugin, which can be used to add a datepicker field to WordPress with many different settings.

Examining the code reveals that the plugin uses the wpdp_add_new_datepicker_ajax() function to add a new datepicker and save the settings.

function wpdp_add_new_datepicker_ajax(){

   global $wpdp_premium_link, $wpdp_dir, $wpdp_url, $wpdp_pro, $wpdp_data, $wpdp_options, $wpdp_styles, $wpdp_gen_file;

   if(isset($_POST['wpdp_add_new_datepicker']) || isset($_POST['wpdp_get_selected_datepicker']) || isset($_POST['wpdp_form_data'])){

		if (
		   ! isset( $_POST['wpdp_nonce_action_field'] )
		   || ! wp_verify_nonce( $_POST['wpdp_nonce_action_field'], 'wpdp_nonce_action' )
		) {
		
		   print __('Sorry, your nonce did not verify.', 'wp-datepicker');
		   exit;

Note: The source code has been reformatted for better readability causing the line numbers to be different.

Unfortunately, it was found that the nonce is publicly accessible on the frontend of the site and there was no capability check in this function. This makes it possible for authenticated attackers with subscriber-level permission to invoke the AJAX function.

}elseif(isset($_POST['wpdp_form_data'])){
  parse_str($_POST['wpdp_form_data'], $wpdp_form_data);

  if(isset($wpdp_form_data['wpdp'])){
      $wpdp_data_post= sanitize_wpdp_data($wpdp_form_data['wpdp']);

      $option_name = current(array_keys($wpdp_data_post));
      $options_data_array = current($wpdp_data_post);

      if(strlen($option_name)){
          update_option($option_name, $options_data_array);
      }
  }
}

Note: The source code has been reformatted for better readability causing the line numbers to be different.

Further examination of the code reveals that although the setting is limited to the plugin’s settings on the front-end of the site (i.e. the client-side), there are no restrictions on the option name or options update that happens server-side. This makes it possible to update arbitrary options by sending a direct request to the server with the option names and values that the attacker would like to update.

As with any Arbitrary Options Update vulnerability, this can be used for complete site compromise by setting the default registration role to administrator and enabling user registration (if not already enabled). Once an attacker has edited the site options to create an administrative account on the WordPress site, and registered, they can then manipulate anything on the targeted site, just like a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Wordfence Firewall

The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.

The Wordfence firewall rule detects the malicious AJAX action and blocks the request if it does not come from an existing authorized administrator.

Disclosure Timeline

April 14, 2024 – We receive the submission for the Arbitrary Options Update vulnerability in WP Datepicker via the Wordfence Bug Bounty Program.
April 16, 2024 – We validate the report and confirm the proof-of-concept exploit.
April 16, 2024 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
April 16, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.
April 16, 2024 – The vendor confirms the inbox for handling the discussion.
April 16, 2024 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
April 17, 2024 – The partially patched version of the plugin, 2.0.9, is released.
April 18, 2024 – The partially patched version of the plugin, 2.1.0, is released.
April 19, 2024 – The fully patched version of the plugin, 2.1.1, is released.
May 16, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary Options Update vulnerability within the WP Datepicker plugin affecting versions 2.1.0 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to edit arbitrary site options which can be used to create administrator accounts. The vulnerability has been fully addressed in version 2.1.1 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Datepicker.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on April 16, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 16, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.