One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now brought similar monitoring to the Plugin Directory for the WordPress fork ClassicPress. That directory includes both plugins developed for ClassicPress and some plugins directly from the WordPress Plugin Directory.
The structure of ClassicPress’ directory is different, so instead of checking over the changes being made as we can do with WordPress, we check over all the plugins we can download at regular intervals. At this point we can not process them all in an automated way because of a couple of issues with easily getting access to the download links (those might be in the process of being resolved), but we were able to check a significant number of them earlier this week and none of them had any code that was flagged.
We also ran the ClassicPress plugins gathered by that process through our Plugin Security Checker, which flags the possibility of additional less serious issues. In doing that we found several plugins that could use a security improvement and one, To Twitter, that contained a minor reflected cross-site scripting (XSS) vulnerability. The developer resolved the issue the same day. (We are in the process of reviewing issues identified by that tool in WordPress plugins that are in ClassicPress’ directory.)
Reflected Cross-Site Scripting (XSS)
When the To Twitter plugin was run through our Plugin Security Checker the tool flagged this code:
The issue there is that in the file /includes/send_manual_tweet_page.php user input in the form of the POST input “reply-to” was set to the variable $reply_to without being sanitized:
$reply_to = $_GET['reply-to'];
And then output without being escaped:
echo '<input type="hidden" name="reply-to" value="'.$reply_to.'" />';
In the version 1.17.1 escaping was added:
echo '<input type="hidden" name="reply-to" value="'.esc_attr($reply_to).'" />';
Proof of Concept
The following proof of concept will cause any available cookies to be shown in an alert box, when logged in as an Administrator. In Safari and other web browsers that provide XSS filtering this proof of concept will not work.
Replace “[path to ClassicPress]” with the location of ClassicPress.
http://[path to ClassicPress]/wp-admin/admin.php?page=azrcrv-tt-smt&reply-to="><script>alert(document.cookie)</script>
- June 1, 2021 – Developer notified.
- June 1, 2021- Version 1.17.1 released, which fixes the vulnerability.
- June 2, 2021 – Developer responds.