24 May

While Looking Into One Vulnerability Being Fixed in a WordPress Plugin, We Found Another One

The plugin Side Menu was closed on the WordPress Plugin Directory on Wednesday. On Friday a new version was submitted with the changelog entry “Fixed: Security parameters”. While checking over the vulnerability that was fixed in that version, we found that yet another vulnerability still exists in the plugin. That vulnerability is a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability.

Based on this vulnerability we have improved our Plugin Security Checker’s detection of LFI vulnerabilities to flag code like the code that is in this plugin, so you can use that tool to check whether plugins you use might have similar issues.
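As an added example (not Plugin Security Checker’s code), here is a small line-based heuristic in PHP that flags include/require statements whose path is built from a variable, and raises the severity when that variable was earlier assigned from $_GET, $_POST or $_REQUEST. The sample source it scans is constructed for this example from the two lines quoted in this post plus two extra lines; the function name find_variable_includes is an assumption.

```php
<?php
// Added example, not Plugin Security Checker's code: a line-based heuristic that
// flags include/require statements whose path is built from a variable, and raises
// the severity when that variable was assigned from $_GET, $_POST or $_REQUEST
// earlier in the file. The sample source below is constructed for this example.

function find_variable_includes( $php_source ) {
    $lines    = preg_split( '/\R/', $php_source );
    $tainted  = array(); // variable name => line where it was assigned from request input
    $findings = array();

    foreach ( $lines as $index => $line ) {
        $number = $index + 1;

        // Phase 1: "$name = ... $_REQUEST[...] ..." (also catches assignments through a
        // wrapper such as sanitize_text_field(), which does not neutralise "../").
        if ( preg_match( '/\$(\w+)\s*=[^=].*\$_(GET|POST|REQUEST)\b/', $line, $m ) ) {
            $tainted[ $m[1] ] = $number;
        }

        // Phase 2: an include/require whose argument contains any variable.
        if ( preg_match( '/\b(include|include_once|require|require_once)\b\s*\(?\s*([^;]+)/', $line, $m )
            && preg_match_all( '/\$(\w+)/', $m[2], $vars ) ) {
            $from_request = array_values( array_intersect( $vars[1], array_keys( $tainted ) ) );
            $findings[]   = array(
                'line'         => $number,
                'severity'     => $from_request ? 'high' : 'review',
                'from_request' => $from_request,
                'code'         => trim( $line ),
            );
        }
    }
    return $findings;
}

// Constructed sample: the two lines from the post plus a literal include (not
// flagged) and an include built from an object property (flagged for review only).
$sample = <<<'PHP'
<?php
$tool     = ( isset( $_REQUEST["tool"] ) ) ? sanitize_text_field( $_REQUEST["tool"] ) : 'list';
include_once( 'admin/partials/main.php' );
include_once( $tool . '.php' );
require_once $this->dir . '/helpers.php';
PHP;

foreach ( find_variable_includes( $sample ) as $finding ) {
    printf( "line %d [%s] %s\n", $finding['line'], $finding['severity'], $finding['code'] );
}
```

Run it with php on the command line; it reports the include built from $tool as high (because $tool was assigned from $_REQUEST two lines earlier) and the include built from $this->dir for review only. A single-line heuristic like this misses taint that flows through function calls or across files, which is why a finding marked review still needs a human to trace where the variable comes from.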

When accessing the plugin’s admin page, which is restricted to Administrators, the file /admin/partials/main.php is loaded:

// Registers the plugin's admin page under the "wow-company" menu, restricted to
// users with the manage_options capability. The callback argument inside array()
// was cut from this excerpt; plugin_admin() below is the function that renders the page.
function add_menu_page() {
	add_submenu_page( 'wow-company', $this->name, $this->name, 'manage_options', $this->pluginname, array(
	) );
}

// Page callback: sets a few variables for the template and includes it.
function plugin_admin() {
	$name       = $this->name;
	$pluginname = $this->pluginname;
	$version    = $this->version;
	global $wow_company_plugin;
	$wow_company_plugin = true;
	include_once( 'admin/partials/main.php' );
}

In that file, the variable $tool is set from the GET or POST input “tool” (sanitize_text_field() strips tags and control characters but leaves directory traversal sequences such as “../” intact):

$tool     = ( isset( $_REQUEST["tool"] ) ) ? sanitize_text_field( $_REQUEST["tool"] ) : 'list';

And then that variable is used to specify a file to be included:

include_once( $tool . '.php' );

An Administrator can already do the equivalent of that, but an attacker could cause them to do that without intending to through CSRF, as confirmed with the proof of concept below.

There is another possible instance of this elsewhere in the plugin.
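As an added example that is not the Side Menu plugin’s code, the following PHP shows the include pattern described above next to a hardened replacement: a capability check, a nonce check when a tool is explicitly requested, and an allowlist that maps the request value to a fixed file so no request input ever becomes part of a path. The tool names (list, add, settings), the admin/partials/ directory, the nonce action side_menu_tool and the side_menu_* function names are assumptions for the example; current_user_can(), check_admin_referer(), sanitize_key(), wp_unslash(), plugin_dir_path(), admin_url() and wp_nonce_url() are standard WordPress functions.

```php
<?php
// Added example, not code from the Side Menu plugin: the include pattern described
// in the post next to a hardened replacement. Assumed (not from the page): the tool
// files live in admin/partials/ and the valid tools are list, add and settings.

// Vulnerable pattern (as described in the post). sanitize_text_field() removes
// tags and control characters but leaves "../" intact, so tool=../test includes
// test.php from one directory above the current working directory.
function side_menu_vulnerable_include() {
    $tool = isset( $_REQUEST['tool'] ) ? sanitize_text_field( $_REQUEST['tool'] ) : 'list';
    include_once( $tool . '.php' );
}

// Pure helper: resolve a requested tool name to a file through an allowlist.
// Unknown or malformed names fall back to the default, so no request value ever
// becomes part of a filesystem path.
function side_menu_resolve_tool( $requested, array $allowed, $default = 'list' ) {
    // Only lowercase letters, digits, underscores and dashes; sanitize_key() in
    // WordPress applies the same rule, but this keeps the helper WordPress-free.
    if ( ! is_string( $requested ) || ! preg_match( '/^[a-z0-9_-]+$/', $requested ) ) {
        return $allowed[ $default ];
    }
    return isset( $allowed[ $requested ] ) ? $allowed[ $requested ] : $allowed[ $default ];
}

// Hardened admin page callback.
function side_menu_hardened_include() {
    // Capability check: WordPress already restricts the menu page, but the
    // callback should not rely on that alone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    $tools = array(
        'list'     => 'list.php',
        'add'      => 'add.php',
        'settings' => 'settings.php',
    );

    $requested = 'list';
    if ( isset( $_REQUEST['tool'] ) ) {
        // A tool was explicitly requested: require a nonce so that a link forged on
        // a third-party site cannot select it. check_admin_referer() dies on failure.
        check_admin_referer( 'side_menu_tool' );
        $requested = sanitize_key( wp_unslash( $_REQUEST['tool'] ) );
    }

    $file = side_menu_resolve_tool( $requested, $tools );
    include_once( plugin_dir_path( __FILE__ ) . 'admin/partials/' . $file );
}

// Links to a tool are generated with the matching nonce so legitimate navigation
// still passes check_admin_referer().
function side_menu_tool_url( $tool ) {
    $url = admin_url( 'admin.php?page=side-menu&tool=' . rawurlencode( $tool ) );
    return wp_nonce_url( $url, 'side_menu_tool' );
}
```

The allowlist is the part that removes the file inclusion: with it, a value like ../test resolves to the default file instead of a path. The nonce check is what turns a forged cross-site link into a refused request, since the attacker’s page cannot know the Administrator’s current nonce; it is only enforced when tool is present so the plain menu link, which carries no nonce, keeps working.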

WordPress Causes Full Disclosure

Because of the moderators of the WordPress Support Forum’s continued inappropriate behavior, we changed from reasonably disclosing to fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about it for the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins with millions of installs remain in the Plugin Directory despite knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road, the best way to find out if this vulnerability or other vulnerabilities in WordPress plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is test whether vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities but have failed to do that.

Proof of Concept

The following proof of concept will cause a file named test.php in the root directory of the WordPress installation to be included, when logged in as an Administrator.

Replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=side-menu&tool=../test

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.