For our 23nd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Share Buttons by AddThis (WordPress Share Buttons Plugin – AddThis).
If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.
The review was done on version 6.1.8 of Share Buttons by AddThis. We checked for the following issues during this review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
SQL injection vulnerabilities (the code that handles requests to the database)
Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
- Security issues with usage of add_option(), delete_option(), and update_option()
- Host header injection vulnerabilities
Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
We found a couple of very minor issues with the plugin. We notified the developer of the issue a couple of weeks ago and they responded that the information has been passed on to their engineering team. No changes have been made to the plugin yet.
The function getInlineCodeForShortCode() in the file /backend/AddThisPlugin.php can output a value from a low privileged user when it is called by the function shortCodeByDomClass(), as it takes a value specified when a shortcode is used. While it looks like that value would already be sanitized by WordPress, it could be made more secure by escaping the value using esc_attr(). That occurs on the line:
$html .= '<div class="'.$cssClass.' addthis_tool"></div>';
Lack of Protection Against Direct Access to Files
The plugin’s .php files lack code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place.