Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring requests to the REST API endpoint `/wp-json/post-duplicator/v1/duplicate-post` that include the `customMetaData` JSON array parameter containing protected meta keys (those starting with an underscore, e.g., `_wp_page_template`, `_wp_attached_file`).'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows authenticated users with Contributor-level access and above to insert arbitrary protected post meta, detection involves checking for unusual or unauthorized POST requests to this endpoint.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts include:'}, {'type': 'list_item', 'content': 'Using web server logs (e.g., Apache or Nginx) to search for POST requests to `/wp-json/post-duplicator/v1/duplicate-post` with suspicious payloads containing protected meta keys.'}, {'type': 'list_item', 'content': "Example command to search Apache logs for such requests: `grep 'POST /wp-json/post-duplicator/v1/duplicate-post' /var/log/apache2/access.log | grep '_wp_'`"}, {'type': 'list_item', 'content': 'Using tools like `curl` or `httpie` to manually test the endpoint with crafted payloads to verify if protected meta keys can be inserted.'}, {'type': 'list_item', 'content': 'Monitoring WordPress REST API logs or enabling debug logging to capture calls to the vulnerable endpoint.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Update the Post Duplicator plugin to a version later than 3.0.8 where this vulnerability is fixed.
• If an update is not immediately possible, restrict access to the `/wp-json/post-duplicator/v1/duplicate-post` REST API endpoint to trusted users only, ensuring that only users with appropriate permissions can access it.
• Temporarily disable or remove the Post Duplicator plugin if it is not essential.
• Monitor logs for suspicious activity targeting the vulnerable endpoint and protected meta key insertion attempts.
• Review user roles and permissions to ensure that only trusted users have Contributor-level access or higher.

Useful 0 Not Useful 0

Executive Summary

The Post Duplicator plugin for WordPress has a vulnerability in all versions up to and including 3.0.8 that allows unauthorized insertion of protected post meta data. This happens because the plugin's duplicate_post() function directly uses the database insert method ($wpdb->insert()) on the wp_postmeta table instead of using WordPress's standard add_post_meta() function. The standard function would normally prevent lower-privileged users from setting protected meta keys (those starting with an underscore, such as _wp_page_template or _wp_attached_file). Because of this, authenticated users with Contributor-level access or higher can inject arbitrary protected meta keys into duplicated posts by sending them via the customMetaData JSON array parameter to the /wp-json/post-duplicator/v1/duplicate-post REST API endpoint.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers with Contributor-level access or above to manipulate protected post meta data that should normally be restricted. By injecting arbitrary protected meta keys, attackers could potentially alter sensitive post attributes such as page templates or attached files. This could lead to unauthorized changes in how posts are displayed or managed, possibly enabling privilege escalation, content manipulation, or other unintended behaviors within the WordPress site.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0