11 Jan

A Case For WordPress Providing Details on Fixed Security Issues in Plugins

When it comes to providing information on security issues in web software the amount of information disclosed varies pretty widely. For WordPress security issues fixed in the core they are disclosed when the new version is released. For example, here is how they were mentioned in the most recent security release, 4.6.1:

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

For plugins, which are developed by third-parties, no information is released by WordPress. That isn’t the way that everyone handles the situation. TYPO3, for example, releases security bulletins, including for third party extensions.

In the past we have discussed the issue of WordPress keeping everyone in the dark about security issues in the current version of plugins that they are aware of. While they do remove those plugins from the Plugin Directory, that does nothing for those who are currently using them. Something we recently ran across seems to make the case that providing information on security issues that have been fixed could be useful as well.

It starts with a review from three weeks ago that we ran across recently, as part of our monitoring of the wordpress.org Support Forum for mentions of plugin vulnerabilities, for the plugin Menu Image that claimed that “Plugin applies malware/addware to your site.” The review stated that:

I just wanted to post a warning about this plugin. I have noticed various malicious scripts being added to one of my sites. After countless hours of tracking I found that Menu Image was the problem code. There seems to be an exploit or hole in your code.

We often run across reviews with claims that a plugin is the source of hacking where it is either unsupported by any evidence or where a quick check of the plugin shows that plugin could not have been the source of what happened to the website.

Others responded that they were having the same issue.

The developer responded in a way that wouldn’t seem to be appropriate even if the claim was totally false:

Please, disable the Menu-Image plugin and remove it from your wordpress site at all and never use it in future. I think this will not solve your problem. All plugin code you can check here: https://github.com/zviryatko/menu-image, compare it with that you have.

The reality is that the plugin was in fact the cause of this, something the developer was likely aware of (and certainly should have been), but also something the WordPress was in all likelihood also aware of.

If you read through all the responses on the review the cause of malicious JavaScript is a file notice.php that existed in some versions of the plugin.

What the legitimate purpose of that file was supposed be, if any, isn’t clear. The changelog entry for the version it was added in simply states “Add notification plugin.”

In a support forum thread five from months ago where someone asked why the noticed.php file was connecting to domain apistats.net the developer responded with this:

Yes, there is a strong reason for that, it’s help to make plugin work much better, also there’s no security issue, you can check the code by yourself. When you installed the plugin you saw the license agreement and you accepted it.

How it was supposed to make the plugin work much better isn’t explained.

Checking the code would just tell that it is making a request to that domain, it doesn’t explain why and wouldn’t show what would get served from that (according to one of the responses to the review malicious code was only served from that domain for part of the day).

The fact that there is a license agreement seems like a red flag, looking at what you actually get shown makes things seem even shadier, as you could easily think you are just agreeing the GPL:

The last response in that thread is from the developer, who indicates that the people on the WordPress side of things were aware of a security issue with the file:

Hello, I’ve removed all that code, when plugin will be approved by wp.org security team, it will be back again!

When the issue was resolved the changelog entry stated “Remove notification plugin. It was not a good idea btw.”, which wouldn’t give any one an indication what had really happened.

If WordPress had provided security bulletin on the issue after it was fixed it would have helped to clear up for people that dealt with this what was going on without them having to do a lot digging themselves. As this case shows relying on developer to provide that type of information isn’t always going to work out.