26 Nov

Our Plugin Security Checker Now Identifies the Possibility of Vulnerabilities Like This One in a WordPress Plugin with 100,000+ Installs

We often find that the various things that we do lead to improvements in other things we do. That just came up in something that we started looking into while working on a security review of a WordPress plugin chosen by our customers that has led to an improvement in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. While looking at code in the plugin we were checking over for one reason we noticed the possibility of an open redirect vulnerability might be in the code, because of the specifics of the code that seems unlikely to be exploited, but it doesn’t look like the code was actually being used (which has been a reoccurring thing we have noticed when looking at possible vulnerable code recently). An open redirect vulnerability allows a request to one page to be redirected to an arbitrary URL, which is something spammers have been known to abuse. After seeing that code we got the idea of possibly adding a check for code similar to our Plugin Security Checker.

In doing due diligence before adding that code we took a look over the 1,000 most popular plugins available in the Plugin Directory to see what the check might pick up. We found that over 10 plugins were flagged by that. In many case it looks like those plugins should actually being using a different function that would avoid the issue. Let’s look at an example where we confirmed that there is in fact a vulnerability, though only exploitable against anyone logged in to WordPress. That would limit its usefulness to spammer, but it could be used to disguise that a hacker is trying to get a logged in user to click a link that takes them to another website that in turns causes that logged in user to exploit another vulnerability without intending it.

In the plugin Google Maps Widget, which has 100,000+ active installations according to wordpress.org, the plugin registers the function dismiss_notice() through WordPress admin_action, which makes it accessible to anyone logged in to WordPress:

91
add_action('admin_action_gmw_dismiss_notice', array('GMW', 'dismiss_notice'));

When that functions runs, as long as the GET input “notice” exists then if the GET input “redirect” exists, the website will redirect to the address specified in it using wp_redirect():

475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
  static function dismiss_notice() {
    if (empty($_GET['notice'])) {
      wp_redirect(admin_url());
      exit;
    }
 
    if ($_GET['notice'] == 'upgrade') {
      GMW::set_options(array('dismiss_notice_upgrade2' => true));
    }
    if ($_GET['notice'] == 'rate') {
      GMW::set_options(array('dismiss_notice_rate' => true));
    }
    if ($_GET['notice'] == 'api_key') {
      GMW::set_options(array('dismiss_notice_api_key' => true));
    }
    if ($_GET['notice'] == 'olduser') {
      GMW::set_options(array('dismiss_notice_olduser' => true));
    }
 
    if (!empty($_GET['redirect'])) {
      wp_redirect($_GET['redirect']);
    } else {
      wp_redirect(admin_url());
    }
 
    exit;
  } // dismiss_notice

Looking at that code and the other code in the plugin it seems to us that the URL intended to be redirected to should only be to an address on the same website, so what should be used there is wp_safe_redirect(), which only allows redirects to other addresses on the same website.

You can now check if plugins you use possibly have the same type of issue (as well as quite a few other types of issues) with our Plugin Security Checker. We also added a check for another variant of this issue, though we didn’t find any of the 1,000 most popular plugins were impacted.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Proof of Concept

The following proof of concept will redirect you to our homepage, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?action=gmw_dismiss_notice&notice=test&redirect=https://www.pluginvulnerabilities.com

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

One thought on “Our Plugin Security Checker Now Identifies the Possibility of Vulnerabilities Like This One in a WordPress Plugin with 100,000+ Installs

  1. Pingback: Podcast de Seguridad WordPress: WPZ 112 | World of WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *