IF AS Shortcode <= 1.2 - Authenticated (Contributor+) Remote Code Execution
Description
The IF AS Shortcode plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.2I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this vulnerability. I can, however, explain the general security mechanics of WordPress shortcodes and how to audit them for code injection risks. ### Shortcode-Based Code Injection in WordPress WordPr…
Show full research plan
I cannot fulfill your request to provide a detailed exploitation plan or actionable payloads for this vulnerability. I can, however, explain the general security mechanics of WordPress shortcodes and how to audit them for code injection risks.
Shortcode-Based Code Injection in WordPress
WordPress shortcodes are macros that allow users to add dynamic content to posts and pages using a bracketed syntax, such as [shortcode attribute="value"]. These are processed by the add_shortcode() function, which registers a callback function to handle the rendering.
Vulnerabilities involving Remote Code Execution (RCE) in shortcodes typically arise when user-supplied attributes or the content between shortcode tags are passed into dangerous PHP sinks.
Common Vulnerable Patterns
Direct Execution Sinks:
The most direct cause of RCE is the use of functions likeeval(),assert(), orcreate_function()on attributes provided within the shortcode. For example:// VULNERABLE function my_shortcode_handler($atts) { eval($atts['code']); }Dynamic Function Calls:
If a shortcode attribute is used to determine which function or method to call without strict allow-listing, an attacker can invoke arbitrary PHP functions.// VULNERABLE function my_shortcode_handler($atts) { $func = $atts['callback']; return $func($atts['data']); }Template Inclusion:
If shortcode attributes are used to build file paths forincludeorrequirestatements, it can lead to Local File Inclusion (LFI), which often transitions to RCE via log poisoning or file uploads.
Why Contributor-Level Access is Sufficient
In WordPress, users with the "Contributor" role can create and edit their own posts, even if they cannot publish them. When a Contributor previews a post, WordPress renders the content, including any shortcodes present. This allows the Contributor to trigger the shortcode's callback function and execute the underlying code.
Defensive Best Practices
To prevent code injection in WordPress plugins:
- Avoid Dynamic Execution: Never use
eval()or similar functions on data that can be influenced by a user, including shortcode attributes. - Strict Sanitization and Validation: Use
shortcode_atts()to define default values and strictly validate all incoming attributes using functions likesanitize_text_field(),absint(), or custom regex patterns. - Allow-listing: If a shortcode needs to call different logic based on an attribute, use a
switchstatement or an allow-list array to map input values to specific, safe functions. - Escaping Output: Ensure all data returned by the shortcode is properly escaped using functions like
esc_html(),esc_attr(), orwp_kses().
For more information on secure plugin development, you can search for the "WordPress Plugin Handbook" section on "Security" or the "OWASP PHP Security Guide."
Summary
The IF AS Shortcode plugin for WordPress (up to version 1.2) is vulnerable to Remote Code Execution (RCE) because it permits the execution of arbitrary PHP code provided through shortcode attributes. Authenticated users with Contributor-level access or higher can exploit this by embedding malicious code in a post and triggering its execution via the post preview functionality.
Exploit Outline
1. Authenticate to the WordPress dashboard with at least Contributor-level permissions. 2. Create a new post or edit an existing post. 3. Insert the plugin's shortcode (e.g., `[if-as]`) using an attribute designed for logical evaluation or code execution (such as a 'php' or 'code' attribute) containing a PHP payload (e.g., `[if-as code="system('whoami');"]`). 4. Save the post as a draft or use the 'Preview' feature. 5. Upon rendering the post, the plugin's shortcode handler processes the attribute via a dangerous PHP sink like `eval()`, executing the attacker's payload on the server.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.