25 May

WP User Avatar/ProfilePress and the Security Implications of Repurposing a WordPress Plugin

Last week one of the most popular WordPress plugins, WP User Avatar, was repurposed to become ProfilePress. Here is how Justin Tadlock at the WordPress Tavern described the change in the plugin:

Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin.

That happened with a plugin that has 400,000+ active installations.

Not surprisingly, many people were not happy about that:

In the past 48 hours, the plugin has received a staggering 60+ one-star reviews — and counting. The WordPress.org support team has already had to close two forum topics. A review titled “Unexpected changes, expected reactions” sums up the situation.

There are more complaints in the comments on WordPress Tavern’s post, including complaints about the problematic moderators of WordPress’ support forum (it’s telling that the person defending the moderators there is a moderator and didn’t clearly disclose it).

Another problem with this type of repurposing is that it can significantly change the security risk of the plugin. That is the case with this plugin, as can be seen from the very different results of running the last version of WP User Avatar and the latest version of ProfilePress through our Plugin Security Checker.

WP User Avatar results:

This plugin is extracting potentially untrusted user input from shortcode attributes. The documentation of PHP warns against doing extraction of untrusted user input due to the security risk involved in that. Its usage is also officially discouraged by the coding standards for WordPress.

ProfilePress results:

User input is being passed to a function that executes it, which could lead to remote code execution (RCE).

User input is being directly output, which could lead to reflected cross-site scripting (XSS).

User input looks to be being output without being validated, sanitized, or escaped, which could lead to reflected cross-site scripting (XSS).

This plugin is extracting potentially untrusted user input from shortcode attributes. The documentation of PHP warns against doing extraction of untrusted user input due to the security risk involved in that. Its usage is also officially discouraged by the coding standards for WordPress.

The plugin registers one or more AJAX actions to be accessible whether the requester is logged in to WordPress or not. Those registrations should be checked to make sure that they are intended to be accessed by those not logged in.

This plugin may be vulnerable to host header injection due to use of server variables that can rely on the user specified Host header.

Something being flagged by that tool doesn’t mean that there is a security issue, much less a vulnerability, but we have already confirmed a couple of vulnerabilities in the plugin based on the proactive monitoring of changes made to WordPress plugins that we do. Another piece of code flagged by the Plugin Security Checker is insecure in a strange way: the developer fails to escape user input in the code even though, on the same line, they escape a variable:

User input is being directly output, which could lead to reflected cross-site scripting (XSS).

File: /wp-user-avatar/src/Admin/SettingsPages/ShortcodeBuilder/EditShortcodeEditProfile/edit_screen.php

Code:

<textarea name="eup_success_edit_profile" id="message_success"><?php echo isset($_POST['eup_success_edit_profile']) ? $_POST['eup_success_edit_profile'] : stripslashes(esc_textarea($success_message)); ?></textarea>
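To make the asymmetry on that line concrete, here is an added example, not code from the plugin or its developer, that puts the quoted line beside a version that escapes both branches. The esc_textarea() stand-in is defined only so the file runs outside WordPress, and the POST value and stored message are constructed sample input.

```php
<?php
// Added example (not the plugin's code): the flagged line from
// edit_screen.php, next to a hardened version that escapes the
// request-supplied value the same way the stored message already is.
// esc_textarea() is WordPress's own helper; this minimal stand-in
// exists only so the example runs outside WordPress.
if (!function_exists('esc_textarea')) {
    function esc_textarea($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed input standing in for a submitted form and the saved setting.
$_POST['eup_success_edit_profile'] = '</textarea><b>injected markup</b>';
$success_message = 'Profile updated.';

// As flagged: only the stored $success_message passes through esc_textarea();
// the $_POST value is echoed raw, so request-controlled text lands in the
// admin page unescaped (the reflected XSS the checker warns about).
function render_vulnerable($success_message) {
    return '<textarea name="eup_success_edit_profile" id="message_success">'
        . (isset($_POST['eup_success_edit_profile'])
            ? $_POST['eup_success_edit_profile']
            : stripslashes(esc_textarea($success_message)))
        . '</textarea>';
}

// Hardened: pick the value first, then escape it, so both branches reach
// the page HTML-escaped. Slashes are stripped before escaping (inside
// WordPress, wp_unslash() on $_POST is the usual way to do this).
function render_fixed($success_message) {
    $value = isset($_POST['eup_success_edit_profile'])
        ? $_POST['eup_success_edit_profile']
        : $success_message;
    return '<textarea name="eup_success_edit_profile" id="message_success">'
        . esc_textarea(stripslashes($value))
        . '</textarea>';
}

echo "Vulnerable:\n" . render_vulnerable($success_message) . "\n\n";
echo "Hardened:\n" . render_fixed($success_message) . "\n";
```

Running it shows the vulnerable output closing the textarea and injecting markup, while the hardened output keeps the same text as harmless HTML entities inside the textarea.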

In an interview The WP Minute did with the developer, they described themself this way:

I run a small WordPress development studio called Proper Fraction where we basically make WordPress plugins. I started out teaching WordPress programming and development on sites such as SitePoint, Tuts+, Designmodo, Smashing Magazine.

So you have someone who seems to be unable to handle basic security and who is not only running a company that makes WordPress plugins, but is also teaching others how to program. Is it any wonder that WordPress plugins are so insecure?