04 Jun

Our First Check of the Security of ClassicPress Plugins Found a Minor Vulnerability

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now brought similar monitoring to the Plugin Directory for the WordPress fork ClassicPress. That directory includes both plugins developed for ClassicPress and some plugins directly from the WordPress Plugin Directory.

The structure of ClassicPress’ directory is different, so instead of checking over the changes being made as we can do with WordPress, we check over all the plugins we can download at regular intervals. At this point we can not process them all in an automated way because of a couple of issues with easily getting access to the download links (those might be in the process of being resolved), but we were able to check a significant number of them earlier this week and none of them had any code that was flagged.

We also ran the ClassicPress plugins gathered by that process through our Plugin Security Checker, which flags the possibility of additional less serious issues. In doing that we found several plugins that could use a security improvement and one, To Twitter, that contained a minor reflected cross-site scripting (XSS) vulnerability. The developer resolved the issue the same day. (We are in the process of reviewing issues identified by that tool in WordPress plugins that are in ClassicPress’ directory.)

Reflected Cross-Site Scripting (XSS)

When the To Twitter plugin was run through our Plugin Security Checker the tool flagged this code:

User input looks to be output without being validated, sanitized, or escaped, which could lead to reflected cross-site scripting (XSS).      File: /azrcrv-to-twitter/includes/send_manual_tweet_page.php     Code:     51     	     echo '<input type="hidden" name="reply-to" value="'.$reply_to.'" />';     Unsecured Variable:     $reply_to     User input assigned to variable:     23     	     $reply_to = $_GET['reply-to'];

The issue there is that in the file /includes/send_manual_tweet_page.php user input in the form of the POST input “reply-to” was set to the variable $reply_to without being sanitized:

23
$reply_to = $_GET['reply-to'];

And then output without being escaped:

51
echo '<input type="hidden" name="reply-to" value="'.$reply_to.'" />';

In the version 1.17.1 escaping was added:

51
echo '<input type="hidden" name="reply-to" value="'.esc_attr($reply_to).'" />';

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box, when logged in as an Administrator. In Safari and other web browsers that provide XSS filtering this proof of concept will not work.

Replace “[path to ClassicPress]” with the location of ClassicPress.

http://[path to ClassicPress]/wp-admin/admin.php?page=azrcrv-tt-smt&reply-to="><script>alert(document.cookie)</script>

Timeline

  • June 1, 2021 – Developer notified.
  • June 1, 2021- Version 1.17.1 released, which fixes the vulnerability.
  • June 2, 2021 – Developer responds.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.