Hacker Targeted WooCommerce Stock Manager Still Lacking Basic Security After Wordfence Checked Plugin
As part of monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins to make sure we quickly can warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website on Saturday for the plugin WooCommerce Stock Manager by requesting this file:
/wp-content/plugins/woocommerce-stock-manager/readme.txt
We are not aware of any recently disclosed vulnerabilities that should be something that hackers would target, which could explain that. But in June Wordfence disclosed a minor vulnerability in the plugin in the plugin that they falsely claimed was a “high severity vulnerability” in the title and body of their post. (Wordfence recently acknowledged they are overstating the impact of vulnerabilities, while continuing to do it.) That might explain a hacker’s interest, if they did not understand that the vulnerability was not really a serious issue. We had warned our customers of that vulnerability in May.
While reviewing the plugin to make sure there wasn’t something else that a hacker might target in the plugin, we found the plugin is still lacking basic security, something that Wordfence appears to have missed. The Wordfence employee cited as having discovered the vulnerability recently fixed in the plugin, was also recently quoted by the WP Tavern, making the claim that WordPress plugins are getting more secure:
“Speaking from experience as I spend a lot of my time looking for vulnerabilities in WordPress plugins, things have definitely been getting more secure from my perspective,” she said. “Today, I frequently find capability checks and nonce checks in all the right places along with proper file upload validation measures in place, and all the good stuff. It’s become harder to find easily exploitable vulnerabilities in plugins and themes that are being actively maintained which is a great thing!”
That is contrary to what we have found (and which WP Tavern didn’t want people to know) and as this plugin shows, there is plenty of evidence to the contrary. It seems like the explanation isn’t that these things are not missing, but that this person is missing that they are missing.
Information Disclosure
As an example of the lack of basic security in the plugin, take one thing that showed up in the basic checks we do of any plugin that appears to be being targeted by a hacker.
The plugin registers the function generate_csv_file(), which is located in the file /admin/class-stock-manager-admin.php, to be run when WordPress admin pages are loaded:
55 | add_action( 'admin_init', array( $this, 'generate_csv_file' ) ); |
That means that runs even for those not logged in to WordPress.
That function generates a CSV file containing information about products from a WooCommerce store, which can contain non-public information. Access to functionality should be secured using capability checks and nonce checks, which the Wordfence employee claimed they are frequently finding are in place. But instead there are no security checks in place in the function:
373 374 375 376 377 378 379 380 381 382 | public function generate_csv_file() { if(isset($_GET['action']) && $_GET['action'] == 'export') { $stock = $this->stock(); $array_to_csv = array(); //First line $array_to_csv[] = array('id','sku','Product name','Manage stock','Stock status','Backorders','Stock','Type','Parent ID'); $products = $stock->get_products_for_export(); |
That can also be confirmed with the proof of concept below.
There are other security issues in the plugin, so we would recommend not using the plugin until it has had thorough security review, and all the identified issues are resolved.
WordPress Causes Full Disclosure
Because of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.) You can notify the developer of this issue on the forum as well. Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.
Proof of Concept
The following proof of concept will generate a CSV file with product information from the WooCommerce store on the website.
Replace “[path to WordPress]” with the location of WordPress.
https://[path to WordPress]/wp-admin/admin-post.php?action=export