Back in November we announced that we would be doing security reviews of WordPress plugins selected by our customers. We recently got the first suggestions/votes for plugins to review and started doing the reviews based on the results so far (if you are a customer and haven’t suggested plugins or voted for those suggested by others, you can do that here). The first review identified a number of issues, which we have notified the developer of; so far we have not heard back from them and the issues have not been fixed, so we are holding back the results of that review for now. In the meantime we have completed the second review, which was done on version 2.2.1 of SSL Insecure Content Fixer.
Since we announced this feature of the service we have added one item to those that we check during the review: deserialization of untrusted data, which can lead to PHP object injection. We have recently seen several cases where that type of vulnerability either was being exploited or was likely being exploited in WordPress plugins. The full list of items we checked for during the review is:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Lack of protection against unintended direct access of PHP files
We found no issues with any of the checked items in version 2.2.1 of SSL Insecure Content Fixer.
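As an added illustration of how several items on the checklist above can be triaged before a manual read-through, here is a small static pattern scanner (example code written for this post, not part of the review tooling or of SSL Insecure Content Fixer); the PHP snippets it runs over are constructed, and a hit only marks code that a reviewer should examine, not a confirmed vulnerability.

```python
import re

# Heuristic checks modelled on the review checklist. Each entry maps a
# checklist item to a regex over PHP source; a match means "look here".
CHECKS = {
    "deserialization of untrusted data":
        re.compile(r"unserialize\s*\(\s*[^)]*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "insecure file upload handling":
        re.compile(r"\b(move_uploaded_file|wp_handle_upload)\s*\(", re.I),
    "unauthenticated AJAX handler":
        re.compile(r"add_action\s*\(\s*['\"]wp_ajax_nopriv_", re.I),
    "SQL built from request data":
        re.compile(r"\$wpdb->(query|get_results|get_row|get_var)\s*\([^;]*\$_(GET|POST|REQUEST)", re.I),
}
# The usual guard against direct access of a plugin file.
DIRECT_ACCESS_GUARD = re.compile(r"defined\s*\(\s*['\"](ABSPATH|WPINC)['\"]\s*\)", re.I)


def triage_php(source):
    """Return the sorted list of checklist items that this PHP source trips."""
    hits = {name for name, rx in CHECKS.items() if rx.search(source)}
    if not DIRECT_ACCESS_GUARD.search(source):
        hits.add("no protection against direct access")
    return sorted(hits)


# Constructed sample files (hypothetical plugin code, not from any real plugin).
CLEAN = """<?php
if ( ! defined( 'ABSPATH' ) ) exit;
$settings = json_decode( get_option( 'my_settings' ), true );
"""
RISKY = """<?php
$data = unserialize( stripslashes( $_POST['payload'] ) );
add_action( 'wp_ajax_nopriv_myplugin_save', 'myplugin_save' );
$wpdb->query( "DELETE FROM {$wpdb->prefix}items WHERE id = " . $_GET['id'] );
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN), ("risky", RISKY)):
        print(label, triage_php(src))
```

The clean sample reports nothing; the risky one flags the unserialize call on POST data, the unauthenticated AJAX hook, the query concatenating GET input, and the missing direct-access guard.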