In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether they are in need of additional security scrutiny, the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was recently run through the tool, which identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin.
Looking at the details of the issue identified, which are available to users of our service through the tool’s Developer Mode, it certainly looked like there was that type of vulnerability as user input was being output without being escaped:
A quick check confirmed that this was an exploitable vulnerability (though far from a serious issue for the average website), as can be seen with the proof of concept below.
The vulnerability has been in the plugin since April without anyone noticing it, despite the fact that an automated tool was able to spot it. While the vulnerability isn’t a serious issue, it is due to a failure to do a security basic, and it isn’t something that should be in a plugin that is developed by an “experienced plugin developer” and has generated over a million dollars’ worth of revenue. Maybe not all that surprisingly, the plugin also contained a much more serious vulnerability that was being widely exploited before being belatedly fixed by the developer in the same release that fixed this one.
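The security basic in question is escaping user input when it is output. The following PHP is an added example, not code from Ultimate Member or from the original post: the function names and markup are hypothetical, and the stand-in definitions of `esc_attr()` and `sanitize_key()` are simplified assumptions used only when WordPress is not loaded. It shows a request value written into an HTML attribute unescaped, next to a version that validates and escapes it.

```php
<?php
// Added example: hypothetical code, not taken from Ultimate Member.
// Outside WordPress, define simplified stand-ins so the file runs on its own.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_key' ) ) {
    function sanitize_key( $key ) {
        return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
    }
}

// Vulnerable pattern: the request value is placed in an attribute as-is,
// so a double quote in it ends the attribute and the rest is parsed as markup.
function render_section_field_unsafe( array $query ) {
    $section = isset( $query['section'] ) ? $query['section'] : '';
    return '<input type="hidden" name="section" value="' . $section . '" />';
}

// Hardened pattern: reduce the value to the characters a slug can contain,
// then escape it for the attribute context at the point of output.
function render_section_field_safe( array $query ) {
    $section = isset( $query['section'] ) && is_string( $query['section'] )
        ? sanitize_key( $query['section'] )
        : '';
    return '<input type="hidden" name="section" value="' . esc_attr( $section ) . '" />';
}

// Constructed sample input containing a quote and angle brackets.
// In a plugin, the array passed in would be the request data ($_GET).
$query = array( 'section' => 'abc"><b>x</b>' );

// The quote closes the attribute early and the <b> element becomes markup.
echo render_section_field_unsafe( $query ), PHP_EOL;

// The value stays inside the attribute; nothing in it is parsed as markup.
echo render_section_field_safe( $query ), PHP_EOL;

// Escaping alone, without the slug restriction, also keeps it inert.
echo esc_attr( $query['section'] ), PHP_EOL;
```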
A “Reputable” Plugin Isn’t a Secure Plugin
There is no shortage of advice when it comes to the security of WordPress websites, though much of it is quite bad. That is unfortunately true of so much coming from security companies that people incorrectly trust not just to get accurate information but also to provide them security. We often find suggestions on how to choose secure plugins that come with no supporting evidence and that those with even a cursory understanding of the security issues surrounding WordPress plugins would likely find questionable at best.
This plugin is a good example of a plugin that would meet many common suggestions while at the same time containing an easily spottable vulnerability. Here, for example, are suggestions made by Wordfence last November:
Choose Reputable Plugins
The WordPress.org plugin directory makes it really easy to evaluate plugins by providing a nice summary that gives you almost everything you need. Here’s what we suggest you pay attention to:
- The more recent the last update, the better.
- Check the number of active installs the plugin has. Some reliable and useful plugins have low install numbers, but you should still examine a plugin carefully if it has a low install base (below 1,000 active installs). It may not be maintained.
- It should be compatible with the current version of WordPress, though please note that immediately after a WordPress core release, a lot of reputable plugins will show a “Test up to:” value that is behind, as authors finish testing their plugin with the latest WordPress version.
- The average plugin rating should be high enough to instill confidence. The higher the rating, the better, obviously.
You should also periodically review your installed plugins to make sure they have maintained their good standing.
This plugin met all of those at the time we looked into the issue:
A plugin being recently updated, popular, maintained, and highly rated doesn’t in any way mean it is secure. While this vulnerability was fixed after a month, we have found that security vulnerabilities in other popular and recently updated plugins are not always fixed in a timely manner, or ever.
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box when logged in to WordPress as an Administrator. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-admin/admin.php?page=um_options&tab=email&section="><script>alert(document.cookie);</script>
- July 12, 2018 – Developer notified.
- July 13, 2018 – Developer responds.
- August 9, 2018 – Version 2.0.22 released, which fixes vulnerability.