Brief Summary of CVE-2015-10143: Privilege Escalation in WordPress Platform Theme

This post provides a brief summary of CVE-2015-10143, a critical privilege escalation vulnerability in the Platform theme for WordPress. We cover affected versions, technical details, patch information, and vendor security history based on available public sources.
ZeroPath CVE Analysis

2025-07-24

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers have gained administrative access to WordPress sites running the Platform theme by exploiting a critical flaw that requires no authentication or user interaction. This vulnerability has enabled privilege escalation attacks, resulting in full site compromise and persistent unauthorized access.

About the Platform Theme and Pagelines

Pagelines was a prominent WordPress theme developer in the early 2010s, with the Platform theme being one of its flagship products. At its peak, the Platform theme powered tens of thousands of WordPress sites, particularly among small businesses and agencies seeking drag-and-drop functionality. The company was later acquired by DraftPress, and the Platform theme has since been discontinued, but legacy installations remain in use.

Technical Information

CVE-2015-10143 is a critical privilege escalation vulnerability in the Platform theme for WordPress. The flaw resides in the *_ajax_save_options() function, which is reachable through the standard WordPress admin-ajax.php endpoint. The function was intended to let administrators update theme options via AJAX requests, but it performs no capability check (such as current_user_can('manage_options')), so any caller, including unauthenticated visitors, can invoke it.

By sending a POST request to /wp-admin/admin-ajax.php with the action parameter set to pagelines_ajax_save_options, an attacker can supply arbitrary options to be updated. For example, setting users_can_register to 1 and default_role to administrator will enable public registration and assign new users the administrator role. The attacker can then register a new account and immediately gain full administrative privileges on the site.

This vulnerability affects all versions of the Platform theme prior to 1.4.5. The root cause is the absence of a permission check in the AJAX handler, allowing unauthenticated modification of sensitive WordPress options.
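The following is an added, illustrative example and not the Platform theme's own code: a WordPress AJAX option-save handler written with the controls the text says were missing (capability check, nonce, and an allowlist that keeps core options such as users_can_register and default_role out of reach), plus an audit hook that logs any change to those two options. The hook name, option names and nonce action are assumptions.

```php
<?php
// Illustrative example, not the Platform theme's code. Hook/option names are assumed.

// Registered only for logged-in users: there is deliberately no
// wp_ajax_nopriv_ registration, so unauthenticated requests receive "0".
add_action('wp_ajax_example_theme_save_options', 'example_theme_save_options');

function example_theme_save_options() {
    // 1. Capability check: the control absent in CVE-2015-10143.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges', 403);
    }
    // 2. CSRF protection: nonce created with wp_create_nonce('example_theme_options')
    //    and sent in the POST field "nonce".
    check_ajax_referer('example_theme_options', 'nonce');

    // 3. Allowlist of theme-owned options; core options can never be written here.
    $allowed  = array('example_theme_layout', 'example_theme_accent_color');
    $incoming = (isset($_POST['options']) && is_array($_POST['options']))
        ? wp_unslash($_POST['options']) : array();

    $saved = array();
    foreach ($incoming as $name => $value) {
        if (!in_array($name, $allowed, true)) {
            continue; // drop anything outside the allowlist
        }
        $saved[$name] = sanitize_text_field($value);
        update_option($name, $saved[$name]);
    }
    wp_send_json_success($saved);
}

// Defensive monitoring: log whenever the two options abused in this CVE change,
// whichever code path changed them. update_option_{$option} passes
// ($old_value, $value, $option).
add_action('update_option_default_role', 'example_theme_audit_option', 10, 3);
add_action('update_option_users_can_register', 'example_theme_audit_option', 10, 3);

function example_theme_audit_option($old_value, $value, $option) {
    $user = wp_get_current_user(); // ID 0 when the caller is not logged in
    error_log(sprintf('[option-audit] %s changed from %s to %s by user #%d (%s)',
        $option, var_export($old_value, true), var_export($value, true),
        $user->ID, $user->ID ? $user->user_login : 'unauthenticated'));
}
```

Placing this in a must-use plugin keeps the audit hook active even if a theme switch disables the theme's own code.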

Patch Information

The Wazuh team has introduced a significant update to their ruleset, enhancing the detection capabilities for various security events. This update includes the addition of new rules and decoders for multiple services and platforms, thereby broadening the scope of monitored activities.

Key Additions:

  • Carbanak Detection Rules: New rules have been implemented to detect activities associated with the Carbanak malware, a notorious banking Trojan.
  • Cisco FTD Rules and Decoders: Enhancements have been made to monitor Cisco Firepower Threat Defense (FTD) devices, improving network security monitoring.
  • AWS EKS Service Decoders: Decoders for Amazon Elastic Kubernetes Service (EKS) have been added, facilitating better monitoring of containerized applications.
  • F5 BIG-IP Ruleset: Rules have been introduced to monitor F5 BIG-IP devices, aiding in the detection of potential threats to application delivery controllers.
  • GCP VPC Storage, Firewall, and Flow Rules: New rules have been added to monitor Google Cloud Platform's Virtual Private Cloud (VPC) storage, firewall, and flow logs, enhancing cloud infrastructure security.
  • GitLab v12 Ruleset: Rules have been implemented to monitor GitLab version 12, ensuring the security of DevOps pipelines.
  • Microsoft Exchange Server Rules and Decoders: Enhancements have been made to detect and monitor events related to Microsoft Exchange Server, improving email server security.
  • Microsoft Windows Persistence Detection: New rules have been added to detect persistence mechanisms in Windows systems via registry keys, aiding in the identification of potential malware.
  • Oracle Database 12c Rules and Decoders: Rules have been introduced to monitor Oracle Database 12c, enhancing database security.
  • Cloudflare WAF Rules: New rules have been added to monitor Cloudflare Web Application Firewall (WAF) events, improving web application security.
  • ESET Remote Console Ruleset: Rules have been implemented to monitor ESET Remote Administrator Console, aiding in endpoint security management.
  • GitHub Audit Logs Ruleset: New rules have been added to monitor GitHub audit logs, enhancing the security of code repositories.
  • Palo Alto v8.X - v10.X Ruleset: Rules have been introduced to monitor Palo Alto Networks devices running versions 8.X to 10.X, improving firewall security monitoring.
  • Sophos UTM Firewall Ruleset: New rules have been added to monitor Sophos Unified Threat Management (UTM) firewalls, enhancing network security.
  • Wazuh-API Ruleset: Rules have been implemented to monitor Wazuh API events, aiding in the security of the Wazuh management interface.

Security Configuration Assessment (SCA) Policies:

In addition to the above rules, the update includes new SCA policies for various operating systems and applications, such as:

  • Amazon Linux 1 and 2
  • Apple macOS 10.14 Mojave, 10.15 Catalina, and Big Sur
  • Microsoft IIS 10 and SQL 2016
  • MongoDB 3.6
  • NGINX
  • Oracle Database 19c
  • PostgreSQL 13
  • SUSE Linux Enterprise Server 15
  • Ubuntu 14, 16, 18, and 20
  • Solaris 11.4

These policies provide guidelines and checks to ensure that systems are configured securely, aligning with industry best practices.

By incorporating these updates, Wazuh enhances its ability to detect and respond to a broader range of security events across diverse environments, thereby strengthening overall cybersecurity posture.

Reference: Wazuh Changelog 4.3.0

Affected Systems and Versions

  • Platform theme for WordPress, all versions prior to 1.4.5
  • Sites with the Platform theme installed and active are vulnerable
  • The vulnerability is present regardless of other WordPress configuration settings

Vendor Security History

Pagelines has experienced several security issues in its products over the years. Notable examples include a remote code execution vulnerability in Platform Pro (CVE-2014-100001) and a cross-site scripting vulnerability in the BaseTheme product line. Pagelines typically responded to vulnerabilities with patches, but legacy products like Platform have been discontinued, leaving some sites exposed if not updated or migrated.
