One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.

Yesterday we mentioned one security provider Patchstack, in the context of they and their Red Team not having a basic understanding of WordPress security. While looking more into Patchstack we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them in trying to work with them to fix a security vulnerability in one of their plugins, and what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, also contains the same vulnerability we have tried to work with them to fix in one of their plugins.

Some of the claims made by 10Web in that announcement stand out (some of it sounds more like something that was really written by Patchstack, though):

As a hosting and site-building platform, 10Web needs to ensure its customers have the best security on their websites. Even those customers, who are not professional developers or security experts.

10Web has experienced engineers and security team. But still, we consider a partnership with Patchstack, who are experts in WordPress security, essential.

Collaboration with external experts is a sign of maturity of a business.

This is a great platform that directly connects security experts to WordPress plugin developers. The expertise level of the Patchstack Red Team is high.

We appreciate well-prepared specific vulnerability reports. Our engineers can fix them easily without ineffective back-and-forth communication. The collaborative format of the platform is great for discussions and feedback.

We like that Patchstack Red Team started small and they have a proven high level experts track. It is not an easy task to scale the team without losing the quality but we are sure that Patchstack will succeed and eventually there will be thousands of WordPress security experts there.

Yes, we are sure it can. The same security challenges caused by WordPress being open-source can be addressed using the similar and well-directed community efforts of experts.

Patchstack has the potential to contribute significantly to maintaining the high-level security of WordPress plugins and themes.

As we mentioned before, Patchstack and their Red Team lack a basic understanding of WordPress security, so either 10Web doesn’t have any idea about them or is lying. Neither is a good option.

Unfixed Vulnerability

On May 31, 10Web released a new version of their plugin Event Calendar WD, with the changelog indicating a cross-site scripting (XSS) vulnerability was fixed, “Fixed: XSS vulnerability.” As we detailed for our customers the next day, we found that the changed didn’t fix a vulnerability and the code was still vulnerable. We didn’t even understand how the change being made was supposed to fix a vulnerability. That seems to point against 10Web having an experienced security team.

We then attempted to get in touch with them to try to get the vulnerability resolved. That was difficult as they didn’t have any information on how to contact them about security issues or an easy way to contact them if you are not a customer of theirs. We did find that they offer a security service, which includes statements that don’t match with what have seen either:

The Most Trustable WordPress Security Service

Do you need ultimate website protection?

Do you want to secure your website from hackers?

Is fixing website vulnerabilities complicated?

Scan your website for any vulnerabilities or security issues.

We eventually were able to get in touch with them and found out that they had a security contact email address. It took them over three days to respond when we contacted that, which isn’t a great response time. The response was worse. This was the response we got:

We had some vulnerabilities in Event Calendar WD, that were fixed in the latest version 1.1.45. Can you confirm that the vulnerabilities you discovered are in that or later versions?
Can you please provide more detailed info on the issues?

That didn’t make sense. We had specified that we have found that the latest version didn’t fix the vulnerability attempting to be fixed. Also, version 1.1.45 was the latest version, so there couldn’t be a later version that we could confirm it was in.

We also had provided plenty of detail, so a vague request for more detail didn’t make sense, nor would it be something that we could really respond to. In a bit more back and forth we provided them with a couple of proof of concept to confirm the issue was unresolved.

It has been over two weeks and the issue hasn’t been resolved and we haven’t heard back from them.

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Photo Gallery

In the meantime another of their plugins Photo Gallery, which has 300,000+ installs, had an update with a changelog entry “Fixed: XSS vulnerability.”. We thought that might be related to the vulnerability in Event Calendar WD. Instead, it was something else, which doesn’t look to be have been a vulnerability. We also found that the same unfixed vulnerability existed in this plugin.

The plugin’s code is incredibly complicated (which seems like a security concern), so we won’t try to explain the whole set of code that gets to the vulnerability. The short version is that when using the plugin’s shortcode “Best_Wordpress_Gallery” at least the “id” attribute is output on the page without being escaped, allowing for JavaScript code on to the page, otherwise known as cross-site scripting (XSS). Escaping is a really basic part of security, so you wouldn’t expect someone with an experienced security team to have an issue with that. That isn’t a security issue for users with the unfiltered_html capability, Administrators and Editors by default, but it is for Author level users.

The lack of escaping that is at play with the proof of concept below, comes on the following line in the file /frontend/views/view.php:

80

data-shortcode-id="<?php echo isset($params['id']) ? $params['id'] : 0; ?>"

The rest of the code around that also is lacking escaping, here are the next five lines, which are all missing escaping:

81
82
83
84
85

data-gallery-type="<?php echo $params['gallery_type']; ?>"
data-gallery-id="<?php echo $params['gallery_id']; ?>"
data-tag="<?php echo $params['tag']; ?>"
data-album-id="<?php echo $params['album_id']; ?>"
data-theme-id="<?php echo $params['theme_id']; ?>"

The same type of issue could exist in other of their plugins.

WordPress Causes Full Disclosure

Because of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.) You can notify the developer of this issue on the forum as well. Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.

Proof of Concept

Creating one gallery in the plugin. Then as an Author level (higher level users have the capability to the equivalent of XSS), create a new post with the  following shortcode. When mousing over the content on the page from Photo Gallery on the resulting page, an alert box with any available cookies will be shown.

[Best_Wordpress_Gallery id='1" onmouseover="alert(document.cookie);']

Concerned About The Security of the Plugins You Use?

Plugin Security Scorecard Grade for Patchstack

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Photo Gallery

See issues causing the plugin to get less than A+ grade