WordPress Plugin Security Review: Fast Velocity Minify
For our 37th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Fast Velocity Minify.
If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.
The review was done on version 2.7.7 of Fast Velocity Minify. We checked for the following issues as part of our standard review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those have been and continue to be a common source of disclosed vulnerabilities)
- Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
- Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with functions accessible through the admin_post action
- Security issues with import/export functionality
- Security issues with usage of the is_admin() function
- Security issues with usage of the add_option(), delete_option(), and update_option() functions
- Security issues with usage of the extract() function
- Host header injection vulnerabilities
- Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
Results
We found one minor issue and one really minor issue. We notified the developer of the issues nearly three weeks ago. Two weeks ago we received a response that in part doubted that the minor issue actually existed since “The plugin was recently manually audited by the wordfence team and this didn’t come out as a security issue.” While the Wordfence team recently disclosed a vulnerability in the plugin, they made no claim to have manually audited the plugin, but if they had in fact done that they missed something they shouldn’t have. Since responding to the developer’s request for a proof of concept for the vulnerability shortly after they had originally responded, we have not heard back from the developer and the issues have not been resolved.
Cross-Site Request Forgery (CSRF)
The plugin’s fastvelocity_purge_onsave() function is registered to the “admin_init” action, so it runs whenever any admin page is accessed:

add_action('admin_init', 'fastvelocity_purge_onsave', 1);
If the user making the request is logged in as an Administrator and the request includes the POST input “fastvelocity_min_save_options”, the functions fvm_purge_all() and fvm_purge_others(), which clear caches, run:

function fastvelocity_purge_onsave() {
    if(current_user_can( 'manage_options') && isset($_POST['fastvelocity_min_save_options'])) {
        fvm_purge_all();
        fvm_purge_others();
    }
}
There should be a nonce check to prevent cross-site request forgery (CSRF) when doing that. Unless running those cache clearing functions has some additional security impact, the effect is limited to causing an unintended clearing of the caches.
Lack of Protection Against Direct Access to PHP Files
Most of the plugin’s .php files that don’t appear to be intended to be directly accessed do not contain protection against direct access. We didn’t see anything that could be exploited in those files without the restriction in place, but restricting access to them would ensure that there isn’t any issue with that.
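As an added illustration of the two fixes described above (this is our example code, not code from the plugin or its developer), here is what a nonce-protected version of the cache-purge handler and a direct-access guard look like. The nonce action and field names, the settings form markup, and the “_hardened” function name are assumptions made for the example; fvm_purge_all() and fvm_purge_others() are the plugin’s own cache-clearing functions referenced in the review.

```php
<?php
// Direct-access guard: WordPress defines ABSPATH when it loads a plugin, so a
// request that hits this file directly (outside WordPress) stops here.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Settings form (assumed markup): the nonce field is emitted next to the
// submit button that sets the "fastvelocity_min_save_options" POST input.
function fvm_example_settings_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'fvm_save_options', 'fvm_save_options_nonce' ); ?>
        <input type="submit" name="fastvelocity_min_save_options" value="Save" />
    </form>
    <?php
}

// Hardened handler (assumed name): same capability and POST-input checks as
// the original, plus a nonce check before the cache-clearing functions run.
function fastvelocity_purge_onsave_hardened() {
    // The capability check on its own does not stop CSRF, because a forged
    // request rides on the logged-in administrator's own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! isset( $_POST['fastvelocity_min_save_options'] ) ) {
        return;
    }
    // check_admin_referer() verifies the named nonce field for this action and
    // stops execution with WordPress' "link has expired" page when the nonce
    // is missing or invalid, so a cross-site POST never reaches the purges.
    check_admin_referer( 'fvm_save_options', 'fvm_save_options_nonce' );

    fvm_purge_all();
    fvm_purge_others();
}
add_action( 'admin_init', 'fastvelocity_purge_onsave_hardened', 1 );
```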