20 Mar

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Added to Analytics-Gtag

When it comes to our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities usually the code getting flagged by that is deep inside of other code, so confirming there is a vulnerability requires a bit of work. That wasn’t the case with the code added to the latest version of the plugin Analytics-Gtag that creates a restricted file upload vulnerability, which could most obviously be used to cause persistent cross-site scripting (XSS) since it allows arbitrary content to be written to a JavaScript file. It also could, say, be combined with a local file inclusion (LFI) vulnerability, to cause arbitrary code to be executed.

The new version of the plugin adds a file named creator.php, which will take the value of the GET input “param4”:

$form7 = $_GET['param4'];

and save it as the contents of the file AGevents.js:

if($form7 != undefined){file_put_contents("AGevents.js", $form7);};

The other code in that file takes the content of other user input and save it to the file AGviewpage.js.

Other code in the plugin will cause those files to sometimes be loaded when visiting the website.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Proof of Concept

The following proof of concept will save the specified user input to the file /wp-content/plugins/analytics-gtag/AGevents.js.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[file contents]” with the contents to be placed in the file.

http://[path to WordPress]/wp-content/plugins/analytics-gtag/creator.php?param4=[file contents]

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.