We are currently working on a security review of a fairly popular WordPress plugin, which the plugin's developer hired us to do. While working on that, we found a number of issues with the Redux Framework, a third-party library for handling the settings of WordPress plugins. We also noticed that, unlike a lot of third-party libraries, which don't record a version number anywhere in their files, Redux Framework does, so it would be easy enough to add a check to our Plugin Security Checker for outdated versions of it in plugins run through that tool. While it might make sense to warn about usage of an outdated version, an outdated version is not necessarily insecure. In looking over the library's changelog, we noticed that the entry for version 18.104.22.168 is:
Fixed: Reflective XSS security fix. Thanks to Kacper Szurek for the information.
That refers to this vulnerability.
To get a better idea of how widespread usage of the library is, and therefore what the impact of checking for outdated/insecure versions might be, we checked how many plugins in the WordPress Plugin Directory use the library using the website WPDirectory. While glancing over the results, we noticed that the current version of the plugin Gravity Forms Advanced File Uploader, which has 3,000+ installs, contains version 22.214.171.124 of the library. That version contains the vulnerability.
You can now check whether WordPress plugins, whether in the Plugin Directory or not, are using a version of that library from before the vulnerability was fixed using our Plugin Security Checker (the tool also checks for the possibility of a variety of other security issues in plugins).
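The check described above comes down to locating the library's version declaration inside a plugin package and comparing it numerically against the version in which the fix shipped. The following is an added example of that check, written for this post and not code from the Plugin Security Checker or from Redux Framework. It assumes (and this is an assumption, not something stated on the page) that a bundled copy of the library keeps its version in a file ending in `ReduxCore/framework.php` as `public static $_version = '...';`; the plugin zip it scans is constructed inline, and the `3.6.1` threshold in the usage block is a placeholder to be replaced with the version from the library's changelog.

```python
import io
import re
import zipfile
from typing import Optional

# ASSUMPTION (not from the post): where a bundled Redux Framework declares its version.
VERSION_FILE_SUFFIX = "ReduxCore/framework.php"
VERSION_RE = re.compile(r"""\$_version\s*=\s*['"]([0-9]+(?:\.[0-9]+)*)['"]""")


def parse_version(text: str) -> tuple:
    """Turn '3.10.2' into (3, 10, 2) so comparison is numeric, not lexicographic."""
    return tuple(int(part) for part in text.split("."))


def find_redux_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Return the first version string found in a bundled framework file, or None."""
    for name in zf.namelist():
        if name.endswith(VERSION_FILE_SUFFIX):
            source = zf.read(name).decode("utf-8", "replace")
            match = VERSION_RE.search(source)
            if match:
                return match.group(1)
    return None


def check_plugin(zip_bytes: bytes, fixed_in: str) -> dict:
    """Report whether the plugin bundles the library and whether that copy predates the fix.

    A library that is merely older than the newest release is not flagged; only
    copies older than `fixed_in` are, which is the distinction the post draws
    between 'outdated' and 'insecure'.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        found = find_redux_version(zf)
    if found is None:
        return {"bundled": False, "version": None, "vulnerable": False}
    return {
        "bundled": True,
        "version": found,
        "vulnerable": parse_version(found) < parse_version(fixed_in),
    }


def build_sample_plugin(version: Optional[str]) -> bytes:
    """Construct a minimal plugin zip for demonstration (constructed sample, not a real plugin)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample-plugin/sample-plugin.php", "<?php\n/* Plugin Name: Sample */\n")
        if version is not None:
            zf.writestr(
                "sample-plugin/includes/ReduxCore/framework.php",
                f"<?php\nclass ReduxFramework {{\n    public static $_version = '{version}';\n}}\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    FIXED_IN = "3.6.1"  # PLACEHOLDER: substitute the version from the library's changelog
    for sample in ("3.5.4", "3.6.1", "3.10.0", None):
        print(sample, check_plugin(build_sample_plugin(sample), FIXED_IN))
```

The tuple comparison matters: compared as strings, "3.10.0" sorts before "3.6.1" and a current copy would be misreported as vulnerable, which is exactly the kind of false positive a version check like this has to avoid. A real scanner would also want to handle plugins that rename or flatten the library's directory, which the suffix match above does not.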
Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so that these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that letting plugins with millions of installs remain in the Plugin Directory, despite knowing they are vulnerable, is "appropriate action", something is very amiss with them (which is even more reason the moderation needs to be cleaned up).
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road, the best way to find out whether this vulnerability, or other vulnerabilities in WordPress plugins you use, have been fixed is to sign up for our service, since what we uniquely do with that type of data is test whether vulnerabilities have really been fixed. Relying on the developer's information can lead you astray, as we often find that developers believe they have fixed a vulnerability when they have not.
Proof of Concept
See original report on the vulnerability.