07 Apr

Who did WordPress.com VIP Put At Risk of Using an Insecure Plugin?

We recently started looking to see if some of the most popular WordPress plugins on the Plugin Directory had easy to find vulnerabilities, the results show that they do. While writing up a post on that we were reminded of the time last year we found a plugin with a known vulnerability that was also a plugin included in the WordPress.com VIP service. For a service that people pay thousands a month for, it didn’t seem that their claims about security meant much. After be reminded of that we were thinking that it would be interesting to see if the plugins from the Plugin Directory they include in that service had any easy to find security issues in them as well.

Before we even started to do that we realized we had already just found one due to our parallel look at the most popular plugins on the Plugin Directory. While looking for a related issue we had found that the Lightbox Plus Colorbox plugin (the linked page is currently missing due to the plugin being removed from the Plugin Directory, but the WordPress.com VIP page for it is still up now) has a cross-site request forgery (CSRF) / cross-site scripting (XSS) vulnerability. While this type of vulnerability is not something that is currently being widely exploited, it is fairly concerning that a plugin that has over 300,000+ active installations, according to WordPress.org, is failing to take some fairly basic security measures. Those being the use of WordPress’ protection against cross-site request forgery and the lack of sanitization of user input.

On the WordPress.com VIP page about the plugins included with their service they claim to do a security review of plugins from the Plugin Directory when they include them:

Most of the Community plugins are also available in the public WordPress.org plugin directory. Each plugin has undergone a thorough VIP code review at the time of inclusion and in some cases was modified from the public version for security or performance reasons to run on the WordPress.com VIP platform.

Let’s assume that is accurate, then are three possibilities scenarios that we can think of and none of them are good.

The first is that this plugin was included before the vulnerable code was added. The first version we found vulnerable was version 1.3.0. The plugin’s changelog on the WordPress.com VIP website goes up to, so it would seem that they were included some versions after the vulnerable code was added. Perhaps they don’t do additional security reviews after a plugin has been included, which would be a problem since, as this plugin shows, vulnerabilities can be introduced at any time.

The second possibility is that they fixed the vulnerabilities in the WordPress.com VIP version but didn’t make sure that a plugin with a known vulnerability was not allowed to remain  on the Plugin Directory, which would be fairly troubling and seemingly unethical.

The third possibility is that their security reviews are incredibly bad and missed some really basic problems.