Last week we looked a claim by the web security company Planet Zuda of a severe vulnerability in a popular WordPress plugin, which seemed at best to be them not fully looking into the issue before making a untrue claim as to its severity. The next day they put out another post making a similar claim of an even more popular plugin, SiteOrigin Widgets Bundle. Once again they also are selling a version of the plugin that is supposed to be patched, which possibly violates multiple laws. Also, once again there was no mention that they had notified the developer of the plugin about the vulnerabilities. This time though they didn’t provide any details of the claimed vulnerabilities, so that neither we nor anyone else could independently review their claim.
Here is how they described the claimed vulnerability:
SiteOrigin has a lot of vulnerabilities and we’ve patched the most severe one today. Based on our code review this vulnerability would allow attackers to inject malicious code into the website, deface the site and cause other damage to it. This bug among a few other bugs are patched.
When we looked over the plugin looking for a vulnerability that could match the claim we couldn’t find anything. We couldn’t even find any functionality that seemed like it could allow those things to happen if there was a vulnerability in it. We then notified the developer of the plugin, SiteOrigin, about the situation. We promptly got a response from them and we later got a follow up after they had purchased the “fixed” version of the plugin. Here is how someone from the company described the changes in that version to us:
He’s adding URL escaping for a URL that’s being passed into wp_redirect, which as far as I’m aware is already being sanitized by wp_sanitize_redirect.
He’s adding escaping to 1 variable when its defined, but we’re already escaping it on output.
The last issue he found was adding a capabilities check to an admin ajax_action. This is the one fix I agree with, but the action is already being protected by a nonce. The nonced URL is only being generated for authenticated users, but technically an attacker with access to the nonced URL would be able to enable/disable a site’s Widgets Bundle widgets until the nonce expires.
They then provided us with a copy of the “fixed” version where we saw that what they are describing there seems mostly accurate. The only difference from that we saw from what they reported is that it doesn’t look like the nonce they mentioned is actually ever created by the code, so even without the capabilities check, the code it would have protected would never run.
Overall, we would say that no actual vulnerabilities were found by Planet Zuda, much less a severe vulnerability as they described.
What makes this worse is that the developer states that Planet Zuda would not provide them any information on the claimed vulnerabilities, instead telling them they could purchase the “fixed” version like anyone else. Currently Planet Zuda is charging 19.99 for the privilege of finding out they didn’t really fix anything.
The developer, SiteOrigin, should be commended for going beyond what was necessary in trying to make sure their plugin was secure here.