Image Upload Capability in WordPress Plugin Being Abused
The security industry has more than its fair share of snake oil and hucksters, which seems like it can be explained in part due to the fact that people that don’t know and or care about security can make claims that those more knowledgeable would never make. For example, somebody that has a basic understanding of security wouldn’t claim their WordPress security plugin “stops you from getting hacked” because a WordPress plugin would not have any chance of stopping certain types of attacks (yet somehow the most popular plugin makes this claim). Not only is security extremely complicated, but things are frequently changing, so you need to keep adjusting as new threats come about and existing ones change. Along those lines we thought it important to share something we ran across yesterday about the abuse of a popular plugin’s intended functionality.
One of the ways we keep track of plugin vulnerabilities out there is by monitoring the WordPress Support Forum for threads that might be relevant. Through that, this week we have added three newly disclosed vulnerabilities that exist in the most recent version of their respective plugins, including one in a plugin with 1+ million active installs, to our data set. Those are vulnerabilities you won’t find in any other source of WordPress plugin vulnerability data, because no one else does the kind of extensive monitoring we do. Through that monitoring we also came across a report of abuse of the image upload capability in the plugin WP Job Manager.
That relates to a post we wrote just about a month ago looking into a claim that a vulnerability in the plugin had been fixed, one that had supposedly allowed website defacements because those not logged in to WordPress were able to upload images through the plugin’s AJAX functionality. The claim didn’t really make a lot of sense for two reasons. First, we didn’t understand how uploading an image could allow a website to be defaced under normal circumstances. More importantly, we didn’t understand how the change made was supposed to fix the issue, since by default those who didn’t already have a WordPress account could still upload images through the plugin.
The thread we ran across indicates that the image upload capability is indeed being abused, but not for website defacement, at least not in any sense we have heard that term used before. Here is how an impacted user explained it in a series of posts:
We have seven websites running WP JOB MANAGER plugin and all have been infected and one even blocked by the domain registrar!!
Please, we need an urgent solution to this.
How were the websites “infected”:
In all cases it was either gif or jpg.
This triggered some strange security warning from some security company and one domain even got blocked based on this (until I removed the file).
Also my host was warned.
So what were the images being used for:
The uploaded file is a phishing/spam use and our site gets the responsibility.
Very dangerous! I hope there is a solution for this.
Or a way to turn off image upload? Not like many employers are even using it.
The plugin is developed by Automattic, the company closely associated with WordPress, and the response from one of the developers isn’t too reassuring about their ability to handle complex issues:
@gstar @rogier1988 @etheos sorry for the slow response here. Yes, there was a vulnerability reported and we updated the plugin immediately after some discussion. The update was released 29 days ago. Here is the changelog with a link to the issue:
https://github.com/Automattic/WP-Job-Manager/blob/master/changelog.txt
I added an announcement and sticky post about this on the forum which can be found here: https://wordpress.org/support/topic/wp-job-manager-1-26-2-released/
Can you please check the version of WPJM you are running and confirm to us which version you are using. If you are using 1.26.2 and there is a new vulnerability we need to get that sorted out.
As we mentioned before, the change made in that version didn’t seem to resolve the issue, since by default those who didn’t already have a WordPress account could still upload images through the plugin. This seems like a good time to remind people that we are always available to provide free help to developers dealing with security issues in their plugins; had we been contacted about this issue, we would have pointed that out at the time.
The problem with this type of issue is that uploading images is intended functionality, so ideally you want to stop it from being abused without hindering its intended use. In the case of this plugin, one plausible solution that could limit the abuse is to resize large uploaded images down to the smaller size at which the plugin actually displays them, which leaves little room for the kind of phishing or spam content described above; for other plugins the answer might be more difficult.
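One way to implement that resizing mitigation, as an added example that is not WP Job Manager’s own code: it assumes the plugin hands uploads to WordPress’s wp_handle_upload() (so the wp_handle_upload_prefilter filter sees the file before it is stored), that the plugin displays images at no more than 150×150 px (a constructed value; use the theme’s real display size), and that only uploads from users who cannot otherwise upload files should be constrained.

```php
<?php
// Added example, not WP Job Manager's own code. Constrains images uploaded
// through the unauthenticated/low-privilege path to their display size.
// Assumed (hypothetical) display size; replace with the real one.
define( 'EXAMPLE_MAX_IMAGE_W', 150 );
define( 'EXAMPLE_MAX_IMAGE_H', 150 );

function example_constrain_uploaded_image( $file ) {
    // Leave earlier failures and trusted (media-library capable) users alone.
    if ( ! empty( $file['error'] ) || current_user_can( 'upload_files' ) ) {
        return $file;
    }

    // Decide by file content, not by the client-supplied name or MIME type.
    $info = @getimagesize( $file['tmp_name'] );
    if ( false === $info ) {
        $file['error'] = 'Only image files can be uploaded here.';
        return $file;
    }

    // Already within the display size: nothing to do.
    if ( $info[0] <= EXAMPLE_MAX_IMAGE_W && $info[1] <= EXAMPLE_MAX_IMAGE_H ) {
        return $file;
    }

    // Re-encode through WordPress's image editor. Because the output is
    // rebuilt from decoded pixels, the stored file is both small and free of
    // anything appended to, or hidden in the metadata of, the original.
    $editor = wp_get_image_editor( $file['tmp_name'] );
    if ( is_wp_error( $editor ) ) {
        $file['error'] = 'The image could not be processed.';
        return $file;
    }
    $resized = $editor->resize( EXAMPLE_MAX_IMAGE_W, EXAMPLE_MAX_IMAGE_H, false );
    if ( is_wp_error( $resized ) ) {
        $file['error'] = 'The image could not be resized.';
        return $file;
    }
    // Pass the detected MIME type so the temp file (which has no extension)
    // is saved in the original format rather than the editor's default.
    $saved = $editor->save( $file['tmp_name'], $info['mime'] );
    if ( is_wp_error( $saved ) ) {
        $file['error'] = 'The resized image could not be saved.';
    }
    return $file;
}
add_filter( 'wp_handle_upload_prefilter', 'example_constrain_uploaded_image' );
```

Animated GIFs lose their animation when re-encoded this way, which is usually acceptable for a company logo but worth stating in the upload form.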