06 Dec

WordPress Plugin Security Review: WP Email Delivery

For our 21st security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin WP Email Delivery.

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 1.1.2.7 of WP Email Delivery. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found two relatively minor issues. We notified the developer of the issues a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.

Test Email Sending

The plugin has functionality for sending a test email, which is intended to be triggered by logged-in Administrators, seeing as the frontend for that is the plugin’s admin page, which is accessible only to users with the “manage_options” capability that normally only Administrators have. The code that handles the request, though, is accessible to anyone, even if they are not logged in.

Checking if a request to do that is handled in the function register_settings():

if(isset( $_POST[ $this->base .'test_email' ] )){
	$this->send_test_email();
}

That function runs during admin_init, which will run when accessing the right page even if someone is not logged in:

add_action( 'admin_init' , array( $this, 'register_settings' ) );

The functions that handle the sending of the test email, starting with send_test_email(), don’t do any security checks, so they don’t limit who can send the test email.

What limits the potential for abuse is that the only user-specified part of the email is the address it is sent to, so it couldn’t be abused to send spam.
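The following is an added example, not code from WP Email Delivery, showing the unchecked admin_init pattern described above beside the form a maintainer would normally give it: the same capability check the settings page already relies on, plus a nonce so the request can only come from that page. The class name, the option prefix, the nonce action names, and the send_test_email() body are assumptions; only the admin_init hook, the $this->base . 'test_email' POST key, and the register_settings()/send_test_email() names come from the review.

```php
<?php
// Added example (not the plugin's own code). Class name, $base prefix, nonce
// names and the send_test_email() body are assumptions for illustration.

class WPED_Example_Settings {
    private $base = 'wped_'; // assumed prefix used to build the POST keys

    public function __construct() {
        // admin_init fires on every admin request, including admin-ajax.php and
        // admin-post.php, which WordPress also serves to visitors who are not
        // logged in, so the callback itself must do the authorization.
        add_action( 'admin_init', array( $this, 'register_settings' ) );
    }

    // The unchecked pattern: anything that reaches admin_init can trigger it.
    // Kept here for comparison; it is not hooked anywhere.
    public function register_settings_unchecked() {
        if ( isset( $_POST[ $this->base . 'test_email' ] ) ) {
            $this->send_test_email();
        }
    }

    // The checked pattern: require the capability the settings page requires,
    // then a nonce bound to this action before doing anything.
    public function register_settings() {
        if ( ! isset( $_POST[ $this->base . 'test_email' ] ) ) {
            return;
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            return; // not an Administrator, or not logged in at all
        }
        // check_admin_referer() stops the request with a 403 if the nonce is
        // missing or invalid, which also closes the CSRF route through a
        // logged-in Administrator's browser.
        check_admin_referer( $this->base . 'test_email_action', $this->base . 'test_email_nonce' );

        $this->send_test_email();
    }

    // The settings-page form that submits the request; wp_nonce_field() emits
    // the hidden field that check_admin_referer() above verifies.
    public function render_test_email_form() {
        ?>
        <form method="post">
            <?php wp_nonce_field( $this->base . 'test_email_action', $this->base . 'test_email_nonce' ); ?>
            <input type="email" name="<?php echo esc_attr( $this->base ); ?>test_email_to" required>
            <?php submit_button( 'Send test email', 'secondary', $this->base . 'test_email' ); ?>
        </form>
        <?php
    }

    // Assumed body: validate the only user-controlled value (the recipient)
    // before handing it to wp_mail().
    private function send_test_email() {
        $raw = isset( $_POST[ $this->base . 'test_email_to' ] ) ? wp_unslash( $_POST[ $this->base . 'test_email_to' ] ) : '';
        $to  = sanitize_email( $raw );
        if ( ! is_email( $to ) ) {
            return false;
        }
        return wp_mail( $to, 'Test email', 'This is a test message from the plugin.' );
    }
}
```

The capability check alone would have been enough to close the issue the review describes; the nonce is the usual companion because an Administrator who is tricked into submitting the form is otherwise just as able to trigger the send as an attacker with no account.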

Lack of Protection Against Direct Access to PHP Files

Two .php files in the plugin, /includes/misc-functions.php and /includes/legacy/wped.wp-mail.php, are not intended to be directly accessed but do not contain protection against direct access. In one of them nothing runs when it is accessed directly because it only defines functions, and in the other a fatal error occurs when trying to run the first line of code, so there is nothing exploitable if they are accessed. Other files in the plugin do contain protection against that.
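As an added example (not taken from the plugin), this is the standard guard that the plugin’s other files already carry and that these two lack. ABSPATH is defined by WordPress’ own bootstrap, so when a file is requested by URL rather than included by WordPress the constant is absent and the file exits before any of its code runs. The helper function below is a placeholder to show where the guard sits relative to the file’s contents.

```php
<?php
// Added example (not the plugin's code): direct-access guard for an include file.
// ABSPATH is only defined once wp-load.php has run, so a request straight to
// this file's URL stops here instead of executing whatever follows.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Everything below only runs when WordPress itself included this file.
// wped_example_misc_helper() is a placeholder name, not a plugin function.
function wped_example_misc_helper( $value ) {
    return sanitize_text_field( $value );
}
```

The guard matters most for files that execute code at load time rather than only defining functions: with it in place the file's behaviour no longer depends on whether that first line happens to fail.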
