Researchers unearthed two vulnerabilities in a well-known plugin for WordPress, called Advanced Access Manager. The plugin has more than 100,000 installations. One of the security issues is severe and could lead to privilege escalation and site takeover, so if your site is using the plugin, update it immediately.
The Wordfence Threat Intelligence team, known for its work towards making the CMS more secure discovered the vulnerabilities. The team got in touch with the plugin’s authors and promptly received a response. As a result, a patch was released shortly after the disclosure. If your site utilizes the plugin, you should install version 6.6.2 to avoid any potential cyberattacks.
Advanced Access Manager Vulnerabilities
The more severe vulnerability leads to authenticated Authorization Bypass and Privilege Escalation, with a CVSS score of 7.5.
Advanced Access Manager enables fine-grained access control and can assign multiple roles to a single user. If the “Multiple Roles Support” setting is active, the plugin is prone to authenticated authorization bypass. Privilege escalation is another attack scenario.
The second vulnerability could lead to authenticated information disclosure. Its severity score is 4.3 (medium).
Advanced Access Manager also allows users to login via the WordPress REST API. The plugin’s aam/v1/authenticate and aam/v2/authenticate REST endpoints were set to respond to a successful login with a json-encoded copy of all user metadata. This exposed users’ information to an attacker or low-privileged user. Exposed items include the user’s hashed password and permissions and roles. Any custom metadata that might have been added by other plugins could also be revealed.
Wordfence recommends updating to the latest version of the Advanced Access Manager plugin, version 6.6.2.
This month, the same researchers unveiled two security flaws in another plugin – Quiz and Survey Master (QSM).
The flaws, rated as critical, could lead to remote code execution attacks. In these attacks, hackers upload arbitrary files or delete files such as wp-config.php from the targeted site. These actions could lead to taking affected pages offline or taking control over them.
Follow HowToHosting.Guide for more WordPress security news.