WordPress Plugin Security Review: Shareaholic
For our 30th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Shareaholic.
If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.
The review was done on version 8.12.3 of Shareaholic. We checked for the following issues during this review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those have been and continue to be a common source of disclosed vulnerabilities)
- Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
- Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
- Security issues with usage of add_option(), delete_option(), and update_option()
- Host header injection vulnerabilities
- Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
Results
We found several areas where security improvements could at least be made. We notified the developer of those a week ago, but we haven’t heard back from them and no changes have been made to the plugin so far.
Settings Sanitization/Validation
In the function advanced_admin() in the file /utilities.php, security could be improved by doing some combination of sanitization and validation of the new values for settings before they are saved. The ability to change the settings is properly restricted, though, so there isn’t a vulnerability there.
AJAX Issues
Various AJAX accessible functions look like they could use improvements.
With the function sdk_info(), it clearly is only meant to be accessed by logged in users since it first makes sure the requester has a capability:
if (!current_user_can('activate_plugins')) {
So the function is unnecessarily registered to be accessed by those not logged in to WordPress:
add_action('wp_ajax_nopriv_shareaholic_sdk_info', array('ShareaholicPublic', 'sdk_info'));
The function debug_info() is accessible even to those not logged in to WordPress, while providing access to a lot of information that does not look like something the plugin should be making public (for example, which plugins are active and details of the cURL version installed), so it seems like it would make sense to limit access to that to only high-level users.
The functions permalink_list() and permalink_info() also look like they may not need to be accessed as widely as the plugin is allowing.
The function accept_terms_of_service() looks like it should contain a capabilities check and protection against cross-site request forgery (CSRF), though there isn’t much security risk from those being missing, since it is simply used to indicate that the terms of service have been accepted.
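As an added example (not the plugin’s own code), this is how the two AJAX handlers discussed above could be registered and guarded: sdk_info() registered only on the logged-in hook, and accept_terms_of_service() given a capability check and a nonce check. The handler bodies, the nonce action name and the option name are assumptions.

```php
<?php
// Added example, not Shareaholic's code. The wp_ajax_* hooks, current_user_can(),
// check_ajax_referer(), update_option() and wp_send_json_*() are WordPress core APIs;
// the handler bodies, the nonce action name and the option name are assumed.

class Example_Ajax_Handlers {

    public static function register() {
        // Original: sdk_info() checked a capability but was also registered on
        // wp_ajax_nopriv_*, so anonymous requests reached it before the check:
        //   add_action('wp_ajax_nopriv_shareaholic_sdk_info', ...);
        // Hardened: only the logged-in hook, since anonymous users can never
        // hold the capability the function requires.
        add_action('wp_ajax_shareaholic_sdk_info', array(__CLASS__, 'sdk_info'));

        // Accepting the terms changes stored state, so logged-in only, with
        // the CSRF and capability checks inside the handler.
        add_action('wp_ajax_shareaholic_accept_terms_of_service',
                   array(__CLASS__, 'accept_terms_of_service'));
    }

    public static function sdk_info() {
        if (!current_user_can('activate_plugins')) {
            wp_send_json_error('forbidden', 403); // exits
        }
        wp_send_json_success(array('plugin_version' => '8.12.3'));
    }

    public static function accept_terms_of_service() {
        // CSRF protection: the request must carry a nonce issued for this action.
        // 'shareaholic_accept_tos' is an assumed action name; the admin page would
        // emit the matching nonce with wp_create_nonce() or wp_nonce_field().
        // check_ajax_referer() terminates the request on a missing or bad nonce.
        check_ajax_referer('shareaholic_accept_tos', 'nonce');

        // Capability check: only users who may manage the site can accept.
        if (!current_user_can('manage_options')) {
            wp_send_json_error('forbidden', 403); // exits
        }

        // Assumed option name used to record acceptance.
        update_option('example_shareaholic_tos_accepted', true);
        wp_send_json_success();
    }
}

Example_Ajax_Handlers::register();
```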
Unwarranted Requests to Third-Party Websites
The plugin’s admin pages load content related to the service the plugin works with, but it seems that the plugin may be violating the guidelines of the Plugin Directory in loading things that are not necessary for that. As a visible example of that, in the footer of each page the plugin loads a page from Facebook to show a like button:
Lack of Protection Against Direct Access to PHP Files
The plugin’s files other than the main file, /shareaholic.php, lack protection at the beginning of them to limit direct access to the files. There don’t appear to be any security issues caused by the lack of that in those files at this time.