01 Aug

Post Deletion Vulnerability in Woody ad snippets

The latest version of Woody ad snippets includes the changelog entry “Fixed: Some issues with plugin security.”. We are currently in the process of getting a better handle of the full impact of a security issue fixed in that version, while we continue to do that we thought it prudent to move ahead with disclosures of another related vulnerability we found while looking into that, which hasn’t been fixed. Considering the multiple issues that lead to this additional vulnerability, we would recommend against using the plugin until it has been more fully reviewed for security issues.

In the file /admin/includes/class.actions.snippet.php the plugin registers the function adminInit() from that file to run during admin_init:

add_action( 'admin_init', array( $this, 'adminInit' ) );

That means that it can be run even by those not logged in to WordPress. That is often a problem because developers have frequently had code run in that that is only intended to be accessed by the highest level WordPress users, Administrators.

That function allows two actions to be taken. Exporting one of the plugin’s snippets or deleting a WordPress post:

333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
public function adminInit() {
	$post   = WINP_Plugin::app()->request->get( 'post', 0 );
	$action = WINP_Plugin::app()->request->get( 'action', '', 'sanitize_key' );
 
	if ( ! empty( $action ) && ! empty( $post ) ) {
		$ids = is_array( $post ) ? $post : array( absint( $post ) );
		switch ( $action ) {
			case 'export':
				$nonce = WINP_Plugin::app()->request->get( 'nonce', '' );
				if ( wp_verify_nonce( $nonce, 'winp_export_snippet' ) ) {
					$this->exportSnippets( $ids );
				}
				break;
			case 'close':
				wp_delete_post( $ids[0] );

Posts in this context refers not just to blog posts, but to anything stored as a post, which includes pages and various data from plugins, like the snippet for this plugin.

When doing an export there is a nonce check, to prevent cross-site request forgery (CSRF), but pointing to the poor handling of security, that isn’t checked for during deletion. There also should be a capabilities check before allowing deletion and a check to make sure what is being deleted is the intended type of post.

Full Disclosure

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

The following proof of concept will delete the specified post.

Make sure to replace “[path to WordPress]” with the location of WordPress and “[post ID]” with ID of the post to be deleted.

http://[path to WordPress]/wp-admin/admin-post.php?action=close&post=[post ID]

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.