01 Sep

Not Really a WordPress Plugin Vulnerability – Week of September 1, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting a weekly post when that occurs detailing those issues.

SQL Injection Vulnerability in Photo Gallery by WD

In the report for a claimed SQL injection vulnerability in Photo Gallery by WD it is stated that access to the vulnerability is limited:

Additional: function bwg_edit_tag() has a checking about user permission, so administrator permission is required to trigger this vulnerability.

Checking the code, it specifically requires the “manage_options” capability, which normally only Administrators have and if others had the capability they normally would be able to create Administrator accounts using what that capability provides:

function bwg_edit_tag() {
  if (function_exists('current_user_can')) {
    if (!current_user_can('manage_options')) {

On its own this really isn’t a vulnerability since among other things, Administrators could normally remove any security protection in a plugin. With the information provided it sounded possible that the vulnerability might be exploitable through cross-site request forgery (CSRF), which can cause someone to take an action they didn’t intend to. Though looking several lines further in to the function bwg_edit_tag() shows that there is in fact a check to prevent that from occurring:

  if (!WDWLibrary::verify_nonce('')) {
    die('Sorry, your nonce did not verify.');

Worth noting is that while many fixes for real vulnerabilities don’t get mentioned in changelog the change made related to this was, “Fixed: Security issue”. The change made was to use a prepared statement for SQL statement, which would have fixed this if there really was a vulnerability and doesn’t hurt to have done anyway.