26 Oct

The Need for More Systematic Reviewing of the Security of WordPress Plugins

Yesterday we full disclosed a PHP object injection vulnerability in the plugin Give, which has 50,000+ active installations according to wordpress.org. One of the ways that could be exploited is through cross-site request forgery (CSRF) and we noted the following in relation to that:

There is no check for a nonce to prevent CSRF before that occurs or it appears at all in that function, which might allow for other security issues. The plugin looks like it might be very insecure, which is exactly why the Plugin Security Checker’s limited checking can be so useful in identifying plugins that could use a more thorough review.

Between when we had written that post and when we published it, version 2.3.0 of the plugin was released. One of the changelog entries for this is:

  • Tweak: When changing payment gateways a nonce is verified for additional security. #2580

That is a reference to fixing a cross-site request forgery (CSRF) vulnerability in the plugin, though one that seems of much less consequence since it looks like it only would allow changing a payment method being used for a donation. That was first brought up in December of 2017, so it sat there unfixed for quite a while.

What seems more important though is that this identification doesn’t appear to have lead to a wider to check if there were more CSRF issues in the plugin, so the one we noticed still exists in 2.3.0. This wouldn’t be the first time we have seen a plugin have one instance of a vulnerability get fixed, while other instances remain.