19 Apr

Closures of Very Popular WordPress Plugins, Week of April 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week two of those plugins were closed and one has yet to have been reopened.

Simple Share Buttons Adder

Simple Share Buttons Adder, which has 100,000+ installs, was closed on Monday. No explanation has been given for the closure. In a quick check over the plugin we didn’t find any security vulnerabilities.

The website of the developer had been hacked though. The hack of the website looks to have been done by changing the WordPress option siteurl, which could be done through an option update vulnerability in a plugin. We looked for that type of vulnerability in the plugin, but didn’t see it, but maybe someone else can spot something we didn’t.

The plugin returned yesterday. The website is no longer outwardly hacked as it was previously.

Platinum SEO Pack

Platinum SEO Pack, which has 60,000+ installs was closed on Tuesday. No explanation has been given for the closure. In a quick check over the plugin we didn’t find any security vulnerabilities.

We did find a potential issue, though as far we are can tell it doesn’t look exploitable.

With a default option enabled, the function has_permalink_changed() will run when visiting frontend pages of the website:

2372
2373
2374
if (get_option('psp_permalink_redirect')) {
	add_action( 'template_redirect', array($psp, 'has_permalink_changed') );
}

If the page being requested doesn’t exist then part of the URL will be passed to the function does_post_exist():

121
122
123
124
125
126
127
128
129
function has_permalink_changed() {
 
	if( is_404() ) {
 
		$slug = basename( $_SERVER['REQUEST_URI'] );			 
 
		$exts=array("/",".php",".html",".htm");
 
		// works with PHP version <= 5.x.x foreach( $exts as $ext ) { $slug = str_replace( $ext, "", $slug ); $slug = trim($slug); } if( $ID = $this->does_post_exist( $slug )) {

So user input is being passed directly into a SQL statement:

97
98
99
100
101
function does_post_exist( $slug ) {
 
	global $wpdb;
 
	if( $ID = $wpdb->get_var( 'SELECT ID FROM '.$wpdb->posts.' WHERE post_name = "'.$slug.'" AND post_status = "publish" ' ) ) {

It is inserted in double quote marks and in our quick test you couldn’t include those in the URL to break out of that, so it looks at first glance that you can’t cause SQL injection with that, though exploitation isn’t our forte.