22 Aug

GDPR Plugins for WordPress Continue to Be Insecure

The European Union’s General Data Protection Regulation (GDPR) is a data protection law that when it comes to WordPress websites is causing them to be less secure, not because of the law itself, but because the plugins for dealing with that haven’t been properly secured. In October of last year we noted that the plugin WP DSGVO Tools (GDPR) contained a PHP object injection vulnerability, which then remained in the plugin for two more months. The plugin was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service we found the possibility of one of those, though the relevant code that makes it operational looks to only be available in the commercial version of the plugin. We did confirm a less serious related vulnerability exists.

With just the vulnerability we confirmed there are multiple pretty obvious security problems, so there likely are more security issues with the plugin.

We wouldn’t recommend using this plugin or another GDPR plugins unless they have gone through a security review, mainly because of the continuing security issues with them (we will be disclosing details of vulnerabilities in other more popular ones soon), but also software that is supposed to protect data privacy should confirmed to be secured itself before being used.

Details

In the file /admin/tabs/common-settings/class-sp-dsgvo-common-settings-action.php the plugin calls the listen() function from the class SPDSGVOCommonSettingsAction:

43
SPDSGVOCommonSettingsAction::listen();

That registers the run() function from the file to be accessible through WordPress’ AJAX functionality:

66
67
68
69
70
71
72
73
74
public static function listen($public = TRUE){
	$actionName = self::getActionName();
	$className = self::getClassName();
	add_action("wp_ajax_{$actionName}", array($className, 'boot'));
 
	if($public){
		add_action("wp_ajax_nopriv_{$actionName}", array($className, 'boot'));
	}
}

Inexplicably that is done in a way that makes that function accessible to those not logged in to WordPress. That is in explicable because the first thing the function does is to restrict access to those logged in to WordPress as an Administrator:

8
9
10
11
12
protected function run()
{
	$this->requireAdmin();
 
	SPDSGVOSettings::set('admin_email', $this->get('admin_email', ''));
98
99
100
101
102
103
public function requireAdmin(){
	if(!current_user_can('administrator')){
		echo '0';
		die;
	}
}

What is missing there is a check for a valid nonce, which is used to prevent cross-site request forgery (CSRF). So an attacker could cause a logged in Administrator to change the settings without intending it.

The plugin does have a CSRF check function, though it doesn’t involve the WordPress functions that should be used for that:

105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
public function checkCSRF(){
	if(!$this->has('CSRF')){
		echo '1. CSRF ERROR';
		die;
	}
 
	if(!$this->user instanceof WP_User){
		echo '2. CSRF ERROR';
		die;
	}
 
	if($this->get('CSRF', '') !== get_user_meta($this->user->ID, 'sp_dsgvo_CSRF_token', TRUE)){
		echo '3. CSRF ERROR';
		die;
	}
 
 
	update_user_meta($this->user->ID, 'sp_dsgvo_CSRF_token', wp_generate_password(20, FALSE, FALSE));
 
	return TRUE;
}

Right after restricting access to an Administrator the code saves the value of the GET input “admin_email” to one of the plugin’s settings without sanitizing it:

181
182
183
184
185
186
187
188
189
190
public function get($key, $default = NULL, $stripslashes = TRUE){
	if($this->has($key)){
 
		if(is_array($this->request[$key])){
			return $this->request[$key];
		}
 
		if($stripslashes){
			return stripslashes($this->request[$key]);
		}
281
282
283
public static function set($property, $value){
	update_option('sp_dsgvo_'.$property, $value);
}

When the value is output on the plugin’s settings page it isn’t escaped:

78
value="<?= SPDSGVOSettings::get('admin_email');  ?>">

So by setting malicious JavaScript code in to that setting cross-site scripting (XSS) can occur.

Full Disclosure

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information, can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

The following proof concept will cause an alert box with any available cookies to be shown when accessing the page /wp-admin/admin.php?page=sp-dsgvo, when logged in as Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin-ajax.php?action=admin-common-settings&admin_email="><script>alert(document.cookie);</script>

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.