27 Nov

Developer of WordPress Security Plugin Fails to Implement Basic Security Checks in Another of Their Plugins

If you were not too familiar with the security industry you would probably assume that if a company is the developer of a WordPress security plugin then other plugins they make would be quite secure. That turns out to not be the case with the developer of the Security Ninja plugin. Yesterday we full disclosed a minor vulnerability in one their other plugins, Google Maps Widget, which has 100,000+ installs according to WordPress.org. Then today we saw that they fixed a similar issue in another of their plugins, Minimal Coming Soon & Maintenance Mode, which has 60,000+ installs. In a reminder of how insecure some plugins are (even if the developer also has a security plugin), when we looked at the code being changed to fix that we noticed that in the same function there is another more serious vulnerability, one that wasn’t fixed.

The vulnerability allows anyone logged in to WordPress to disable the website by enabling the plugin’s maintenance mode. The vulnerability would also allow an attacker that gets someone logged in to WordPress that clicks a link the attacker creates to cause the website to be disabled as well. That is due to the failure of the developer to implement two rather basic security checks in the code.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue through the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Technical Details

The plugin makes the function change_status() available to anyone logged in to WordPress through by registering it as an “admin_action”:

80
add_action('admin_action_csmm_change_status', array(__CLASS__, 'change_status'));

The code in that function will change the plugin’s “status” option:

97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
  // change status via admin bar
  static function change_status() {
    if (empty($_GET['new_status'])) {
      wp_safe_redirect(admin_url());
      exit;
    }
 
    $options = csmm_get_options();
 
    if ($_GET['new_status'] == 'enabled') {
      $options['status'] = '1';
    } else {
      $options['status'] = '2';
    }
 
    update_option('signals_csmm_options', $options);
 
    if (!empty($_GET['redirect'])) {
      wp_safe_redirect($_GET['redirect']);
    } else {
      wp_safe_redirect(admin_url());
    }
 
    exit;
  } // change_status
} // class csmm

When a request is sent that accesses that function with the GET input “new_status” set to “enabled” that will enable the maintenance mode of the plugin.

What should be in that code, but isn’t, is a capabilities check to make sure the user making the request to enable the maintenance mode should be allowed to do that (it looks like it should be limited to users with the Administrator role) and a check for a valid nonce to protect against cross-site request forgery (CSRF) to prevent someone being able to get an Administrator to unintentionally turn that on by clicking a link like the one shown in the proof of concept below.

Proof of Concept

The following proof of concept will turn on the plugin’s maintenance mode, when logged in to WordPress.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?action=csmm_change_status&new_status=enabled

Concerned About The Security of the Plugins You Use?

Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

Leave a Reply

Your email address will not be published. Required fields are marked *