For our eleventh security review of a plugin based on the voting of our customers, we reviewed the plugin WP-SpamShield.
If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here.
The review was done on version 1.9.10 of WP-SpamShield. We checked for the following issues:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Lack of protection against unintended direct access of PHP files
We found no issues with any of the checked items in version 1.9.10 of WP-SpamShield.
Through our monitoring of the WordPress Support Forum for new vulnerabilities in WordPress plugins we did run across something in the plugin that is concerning and is now something that we are looking to possibly incorporate some checking for in future reviews.
For a reason that doesn’t seem to be necessary to us the plugin is reporting the WordPress version in use, the address of the WordPress installation, and its IP address to a third-party website without the plugin providing disclosure that this is happening.
The cause of that is that the plugin checks if there are vulnerabilities in the installed version of WordPress by sending a request to wpvulndb.com with the following code:

```php
// WordPress version with the dots removed (e.g. 4.9.1 becomes 491), used as the API path
$wpv = str_replace( '.', '', WPSS_WP_VERSION );
$url = 'https://wpvulndb.com/api/v2/wordpresses/'.$wpv;
$inf = 'https://wpvulndb.com/wordpresses/'.$wpv;
$wps = 'https://wpvulndb.com/';
$http_args = array(
	'timeout'     => 10,
	'decompress'  => FALSE,
	'httpversion' => '1.1',
);
// Outbound request through the WordPress HTTP API; no 'user-agent' override is given, so
// core's default "WordPress/<version>; <site url>" header is sent along with it
$resp = wp_remote_get( $url, $http_args );
```
Why that is in an anti-spam plugin is something we don’t understand.
While we have no reason to believe the data is being misused, for a WordPress installation that isn’t meant to be accessible to the public this has the possibility of exposing information that isn’t meant to be known to outsiders.
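As an added example (our own audit helper, not code from the plugin), the kind of check we have in mind for future reviews: scan a plugin's PHP source for outbound HTTP calls, resolve the destination host where the URL is a literal, and reproduce the default User-Agent WordPress core attaches to wp_remote_get(), which is how the installation's address reaches the remote site even though the URL itself only carries the version. The sample input is the request code quoted above; the version and site URL fed to the User-Agent helper are constructed values.

```python
"""Audit helper: find outbound HTTP calls in plugin PHP source and resolve their targets."""
import re
from urllib.parse import urlparse

# WordPress HTTP API entry points, plus the raw PHP calls that bypass it.
OUTBOUND_CALLS = ("wp_remote_get", "wp_remote_post", "wp_remote_head", "wp_remote_request",
                  "wp_safe_remote_get", "wp_safe_remote_post", "curl_init", "file_get_contents")
# $var = 'https://host/path' ...;  (the literal may be concatenated with further pieces)
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*'(https?://[^']+)'")
# wp_remote_get( $var, ... )  or  wp_remote_get( 'https://...', ... )
CALL_RE = re.compile(r"\b(" + "|".join(OUTBOUND_CALLS) + r")\s*\(\s*(\$\w+|'https?://[^']*')")

def find_outbound_requests(php_source: str) -> list:
    """One finding per outbound call; host is None when the target cannot be resolved statically
    (a dynamically built URL still deserves manual review)."""
    url_vars = {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(php_source)}
    findings = []
    for m in CALL_RE.finditer(php_source):
        func, arg = m.group(1), m.group(2)
        url = url_vars.get(arg) if arg.startswith("$") else arg.strip("'")
        findings.append({
            "function": func,
            "url": url,
            "host": urlparse(url).hostname if url else None,
            "line": php_source.count("\n", 0, m.start()) + 1,
        })
    return findings

def default_wp_user_agent(wp_version: str, site_url: str) -> str:
    """The User-Agent WordPress core's HTTP API sends unless the caller overrides it. The
    site address therefore travels with the request; the IP address is simply the
    connection's source, so neither needs to appear in the URL to be disclosed."""
    return f"WordPress/{wp_version}; {site_url}"

# The request code quoted above from WP-SpamShield 1.9.10, one statement per line.
PLUGIN_SNIPPET = """\
$wpv = str_replace( '.', '', WPSS_WP_VERSION );
$url = 'https://wpvulndb.com/api/v2/wordpresses/'.$wpv;
$inf = 'https://wpvulndb.com/wordpresses/'.$wpv;
$wps = 'https://wpvulndb.com/';
$http_args = array( 'timeout' => 10, 'decompress' => FALSE, 'httpversion' => '1.1', );
$resp = wp_remote_get( $url, $http_args );
"""

if __name__ == "__main__":
    for f in find_outbound_requests(PLUGIN_SNIPPET):
        print(f"line {f['line']}: {f['function']} -> {f['host']}  ({f['url']})")
    print("sent with:", default_wp_user_agent("4.9.1", "https://intranet.example"))  # constructed
```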