Yesterday we noted that the developer of the WordPress security plugin Security Ninja isn’t doing a great job with the security of their plugins. In the latest example, they could have spotted an issue before we publicly disclosed it by simply checking the plugin with our Plugin Security Checker, which identifies possible security issues in WordPress plugins. While looking into the details of another instance of them fixing a vulnerability we had identified in one of their plugins while working on an improvement to the Plugin Security Checker, this time with the plugin Nifty Coming Soon & Maintenance page, we ran the plugin through our tool and saw that it got flagged for possibly including a vulnerable version of the plugin Option Tree:
The vulnerability being referred to there is one we disclosed on November 6 after looking into the plugin due to its inclusion in another plugin.
A quick check confirmed that, as a result of including that code, this plugin also contains an authenticated PHP object injection vulnerability.
This plugin loads the file containing the vulnerable code from Option Tree near the end of its main file:
From there you get to an authenticated PHP object injection that is normally exploitable by users with the Contributor role and above, due to the code explained in the previous post.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).
Plugin developers can avoid issues like this being disclosed by checking their plugins with the Plugin Security Checker and fixing any possible issues that turn out to be vulnerabilities. While the tool certainly can’t identify every security vulnerability in a plugin, it can help them avoid a lot of easier-to-spot issues.
Proof of Concept
With our plugin for testing for PHP object injection installed and activated, the following proof of concept will cause the message “PHP object injection has occurred.” to be shown when logged in to WordPress.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[nonce]” with a valid nonce. The valid nonce can be found in the source code of the page to create or edit a post on the line that starts “var option_tree”.
http://[path to WordPress]/wp-admin/admin-ajax.php?action=add_list_item&nonce=[nonce]&settings=TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=
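For sites running the affected plugin, requests of the shape shown above can be looked for in web server access logs. The following is an added example, not code from this post or from either plugin: it flags `add_list_item` requests whose `settings` parameter base64-decodes to serialized PHP data containing an object. The combined log format, the function names and the sample log lines are assumptions constructed for the example.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# A serialized PHP object starts with O:<len>:"<class>" (C: for Serializable classes).
PHP_OBJECT = re.compile(rb'(?:^|[;{])[OC]:\d+:"')
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def decode_settings(value):
    """Base64-decode a settings value; return None if it is not valid base64."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def is_suspicious(log_line):
    """True for an add_list_item AJAX request whose settings parameter
    decodes to serialized PHP data containing an object."""
    match = REQUEST.search(log_line)
    if not match:
        return False
    url = urlsplit(match.group(1))
    params = parse_qs(url.query)
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    if params.get("action") != ["add_list_item"]:
        return False
    for value in params.get("settings", []):
        # parse_qs turns '+' into a space; undo that before decoding
        decoded = decode_settings(value.replace(" ", "+"))
        if decoded and PHP_OBJECT.search(decoded):
            return True
    return False


def make_line(settings_bytes):
    """Build a constructed combined-format access log line (sample data)."""
    b64 = base64.b64encode(settings_bytes).decode()
    return ('203.0.113.5 - - [01/Jan/2020:00:00:00 +0000] "GET /wp-admin/admin-ajax.php'
            f'?action=add_list_item&nonce=0000000000&settings={b64} HTTP/1.1" 200 0')


# Constructed samples: a serialized array, then the serialized object from the PoC.
BENIGN = make_line(b'a:1:{s:2:"id";s:4:"demo";}')
FLAGGED = make_line(b'O:20:"php_object_injection":0:{}')

print(is_suspicious(BENIGN), is_suspicious(FLAGGED))  # False True
```

This only inspects parameters that appear in the logged request line, as in the proof of concept above.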