For our fourteenth security review of a plugin based on the voting of our customers, we reviewed the plugin Archive Control.
If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here.
The review was done on version 1.3.3 of Archive Control. We checked for the following issues:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of plugins
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
We found two very minor issues with possible security implications, but not any vulnerabilities, in our review. We notified the developer of them a week ago.
Lack of Protection Against Direct Access to Files
Three of the four of the plugin’s .php files that contain code lack a check at the beginning of the file to restrict direct access to them. We didn’t see anything in those files that could be exploited without the restriction in place.
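As an added example (not code from the plugin or from this review), here is a small Python scanner that reports the .php files under a plugin directory that contain code but whose first statement is not an ABSPATH guard; the sample plugin tree it builds is constructed for the demonstration, and the comment stripping is a heuristic rather than a PHP parser.

```python
import os
import re
import tempfile
# Matches the usual WordPress guard, e.g. if ( ! defined( 'ABSPATH' ) ) { exit; }
GUARD_RE = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
# Opening tag plus any declare()/namespace statements PHP requires to come first
PREAMBLE_RE = re.compile(r"^\s*(?:<\?php\s*)?(?:(?:declare\s*\([^)]*\)|namespace\s+[^;]+);\s*)*")

def strip_php_comments(src):
    # Heuristic (ignores strings): drop /* */, // and # comments so that a file
    # holding only '<?php // Silence is golden' counts as having no code
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)

def guard_missing(src):
    # True when the file holds PHP code whose first statement is not an ABSPATH
    # guard; a guard placed further down still lets the code above it run
    code = PREAMBLE_RE.sub("", strip_php_comments(src), count=1)
    if code.strip() == "":
        return False  # nothing to protect, e.g. an empty index.php
    m = GUARD_RE.search(code)
    first_stmt_end = code.find(";")
    return m is None or (first_stmt_end != -1 and m.start() > first_stmt_end)

def scan_plugin(root):
    # Return the plugin-relative paths of .php files that need a guard added
    missing = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if guard_missing(fh.read()):
                        missing.append(os.path.relpath(path, root))
    return sorted(missing)

# Constructed sample plugin tree (not the real Archive Control files)
SAMPLE_FILES = {
    "index.php": "<?php\n// Silence is golden\n",
    "plugin.php": "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\nadd_action( 'init', 'p_init' );\n",
    "admin/settings.php": "<?php\nfunction p_settings_page() {\n    echo 'settings';\n}\n",
    "inc/helpers.php": "<?php\nfunction p_helper() { return 1; }\ndefined( 'ABSPATH' ) || exit;\n",
}

def build_sample_plugin():
    root = tempfile.mkdtemp(prefix="plugin-scan-")
    for rel, src in SAMPLE_FILES.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(src)
    return root
```

Running `scan_plugin(build_sample_plugin())` on the constructed tree reports `admin/settings.php` and `inc/helpers.php`; the comment-only `index.php` and the correctly guarded `plugin.php` are not flagged.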
Unwarranted Request to Third-Party Website
On the plugin’s settings page, the plugin loads two hidden images from a third-party website, https://www.paypalobjects.com/en_US/i/btn/btn_paynow_LG.gif and https://www.paypalobjects.com/en_US/i/scr/pixel.gif, as part of a PayPal form. It doesn’t look like those images actually need to be included for the form to work, so they could be removed.