1 Mar 2022

WordPress Plugin Security Review: FiboSearch

For our 39th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin FiboSearch.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 1.16.0 of FiboSearch. We checked for the following issues during it as part of our standard review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those have been, and continue to be, a common source of disclosed vulnerabilities)
  • Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with functions accessible through the admin_post action
  • Security issues with import/export functionality
  • Security issues with usage of the is_admin() function
  • Security issues with usage of the add_option(), delete_option(), and update_option() functions
  • Security issues with usage of the update_user_meta() and wp_update_user() functions
  • Security issues with usage of the extract() function
  • Lack of IP address validation
  • CSV injection
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found that in the plugin’s code from the developer, there were several minor instances of a vulnerability and places where security could be improved. We contacted the developer about the results through their website on February 9. They replied the next day that they would address the issues in the next release of the plugin. The day after that, they pre-released changes to address the issues and asked us to review them, which we did, confirming that they addressed the issues. Today, the version addressing the issues, 1.17.0, was released.

The plugin contains the Freemius library, and we found additional security issues related to that library.

Cross-Site Request Forgery (CSRF)

In three AJAX accessible functions, the code lacked a nonce check to prevent cross-site request forgery (CSRF). Based on what is accessible through those, that doesn’t seem to be a big concern. The functions are toggleAdvancedSettings() in the file /includes/Settings.php, as well as the function dismissNotice() in the files /includes/Admin/Promo/FeedbackNotice.php and /includes/Admin/RegenerateImages.php.

That was addressed by checking for a valid nonce (and sending a valid nonce when the plugin is accessing them):

check_ajax_referer( 'dgwt_wcas_advanced_options_switch' );
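
The pattern behind that fix, as an added example that is not FiboSearch’s code: an admin-only AJAX handler shown first without a nonce check and then with one, together with the plugin-side code that hands the nonce to the browser so the plugin’s own requests pass the check. The hook names, option name, nonce action and script handle are hypothetical.

```php
<?php
/**
 * Added example (not FiboSearch code): an admin-only AJAX toggle handler,
 * first without and then with CSRF protection. Hook names, option name,
 * nonce action and script handle are hypothetical.
 */

// Before: nothing ties the request to a page the site itself served, so any
// request arriving with the admin's cookies flips the option.
function myplugin_toggle_advanced_unprotected() {
	$enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
	update_option( 'myplugin_advanced_enabled', $enabled ? 1 : 0 );
	wp_send_json_success();
}

// After: the handler requires a valid nonce bound to this action and the
// current user, and confirms the user may change settings at all.
function myplugin_toggle_advanced() {
	// Reads $_REQUEST['security']; on failure replies -1 with HTTP 403 and dies.
	check_ajax_referer( 'myplugin_toggle_advanced', 'security' );

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
	update_option( 'myplugin_advanced_enabled', $enabled ? 1 : 0 );
	wp_send_json_success( array( 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_myplugin_toggle_advanced', 'myplugin_toggle_advanced' );

// The plugin's own requests must now carry the nonce, so hand it to the admin
// script on the settings page only.
function myplugin_admin_scripts( $hook ) {
	if ( 'settings_page_myplugin' !== $hook ) {
		return;
	}
	wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'myplugin-admin', 'mypluginAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'myplugin_toggle_advanced' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_admin_scripts' );

/* admin.js, the browser side of the exchange:
jQuery.post( mypluginAjax.url, {
	action:   'myplugin_toggle_advanced',
	security: mypluginAjax.nonce,
	enabled:  jQuery( '#advanced' ).is( ':checked' ) ? '1' : '0'
} );
*/
```

Without the second argument, check_ajax_referer() looks for the nonce in `_ajax_nonce` and then `_wpnonce`, which is what the single-argument call in the plugin’s fix relies on. The capability check is separate from the nonce: the nonce proves the request came from a page the site rendered for this user, while current_user_can() decides whether that user should be allowed to make the change.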

Sanitization, Validation, and Escaping

With the function updateNavMenuItem() in the file /includes/EmbeddingViaMenu.php, user input was being brought in and saved without sanitizing or validating the value:

$layout = isset( $_POST['menu-item-dgwt-wcas-layout'][ $menu_item_db_id ] ) ? $_POST['menu-item-dgwt-wcas-layout'][ $menu_item_db_id ] : '';
update_post_meta( $menu_item_db_id, '_menu_item_dgwt_wcas_layout', $layout );

$searchIconColor = isset( $_POST['menu-item-dgwt-wcas-search-icon-color'][ $menu_item_db_id ] ) ? $_POST['menu-item-dgwt-wcas-search-icon-color'][ $menu_item_db_id ] : '';
update_post_meta( $menu_item_db_id, '_menu_item_dgwt_wcas_search_icon_color', $searchIconColor );

Only high-level users have access to that, so that wasn’t a big concern.

That was addressed by adding sanitization:

$layout = isset( $_POST['menu-item-dgwt-wcas-layout'][ $menu_item_db_id ] ) ? sanitize_key( $_POST['menu-item-dgwt-wcas-layout'][ $menu_item_db_id ] ) : '';

$searchIconColor = isset( $_POST['menu-item-dgwt-wcas-search-icon-color'][ $menu_item_db_id ] ) ? sanitize_hex_color( $_POST['menu-item-dgwt-wcas-search-icon-color'][ $menu_item_db_id ] ) : '';

In the function shop_page_link(), in the file /includes/Integrations/Themes/Woodmart/Woodmart.php, there was the following line:

$link = add_query_arg( 'dgwt_wcas', wc_clean( $_GET['dgwt_wcas'] ), $link );

It wasn’t clear how that value would ultimately be used, since the code involved is not included in the plugin, but escaping the URL there would have made sense: the code adds user input to a URL using wc_clean(), a general-purpose text sanitization function that doesn’t restrict input to what is safe in the context of a URL.

That was addressed by removing the user input:

$link = add_query_arg( 'dgwt_wcas', '1', $link );
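
Both of the preceding findings, the unsanitized menu item fields and the request value placed into a URL, come down to the same rule: sanitize on input for the type the value should have, validate it against what the code actually accepts, and escape on output for the context it lands in. The following is an added example of that, not FiboSearch’s code; the field names, meta keys, the layout allowlist and the function names are hypothetical. It goes one step beyond the plugin’s fix by rejecting layouts that are well-formed keys but not ones the code knows.

```php
<?php
/**
 * Added example (not FiboSearch code): saving custom nav-menu item fields with
 * sanitization and validation, and building a link that carries request input.
 * Field names, meta keys, the allowlist and function names are hypothetical.
 */

// Layouts the code actually supports; anything else is dropped rather than stored.
const MYPLUGIN_LAYOUTS = array( 'icon', 'icon-flat', 'form' );

/**
 * Read one per-item field from the menu editor's save request.
 * $_POST['<field>'] is an array keyed by menu item ID.
 */
function myplugin_posted_field( $field, $menu_item_db_id ) {
	if ( ! isset( $_POST[ $field ][ $menu_item_db_id ] ) || ! is_string( $_POST[ $field ][ $menu_item_db_id ] ) ) {
		return '';
	}
	return wp_unslash( $_POST[ $field ][ $menu_item_db_id ] );
}

/**
 * sanitize_key() lowercases and strips everything outside [a-z0-9_-], but a
 * well-formed key is still not necessarily a layout the code knows, hence the
 * allowlist check on top of it.
 */
function myplugin_clean_layout( $raw ) {
	$key = sanitize_key( $raw );
	return in_array( $key, MYPLUGIN_LAYOUTS, true ) ? $key : '';
}

/**
 * sanitize_hex_color() returns the color for "#abc" / "#aabbcc", '' for an
 * empty string and null for anything else, so an invalid color becomes ''
 * instead of being saved as given.
 */
function myplugin_clean_color( $raw ) {
	$color = sanitize_hex_color( $raw );
	return is_string( $color ) ? $color : '';
}

function myplugin_update_nav_menu_item( $menu_id, $menu_item_db_id ) {
	// Only act on a save from the menu editor, which carries WordPress' own
	// nonce; the hook also fires for menus created programmatically.
	if ( ! isset( $_POST['update-nav-menu-nonce'] ) || ! wp_verify_nonce( $_POST['update-nav-menu-nonce'], 'update-nav_menu' ) ) {
		return;
	}
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		return;
	}

	$layout = myplugin_clean_layout( myplugin_posted_field( 'menu-item-myplugin-layout', $menu_item_db_id ) );
	$color  = myplugin_clean_color( myplugin_posted_field( 'menu-item-myplugin-icon-color', $menu_item_db_id ) );

	update_post_meta( $menu_item_db_id, '_menu_item_myplugin_layout', $layout );
	update_post_meta( $menu_item_db_id, '_menu_item_myplugin_icon_color', $color );
}
add_action( 'wp_update_nav_menu_item', 'myplugin_update_nav_menu_item', 10, 2 );

/**
 * A URL built from request input. add_query_arg() URL-encodes the value, but
 * the result is only as safe as the context it is printed into, so escape for
 * that context at output time. When the parameter only needs to act as a flag,
 * passing a constant (as the plugin's fix did) removes the user input entirely.
 */
function myplugin_shop_link( $base ) {
	$flag = isset( $_GET['myplugin_search'] ) ? sanitize_key( wp_unslash( $_GET['myplugin_search'] ) ) : '';
	$link = '' !== $flag ? add_query_arg( 'myplugin_search', $flag, $base ) : $base;
	return esc_url( $link ); // destined for an href attribute
}
// echo '<a href="' . myplugin_shop_link( home_url( '/shop/' ) ) . '">Shop</a>';
```

The split between myplugin_clean_layout() and myplugin_clean_color() is deliberate: each field gets the sanitizer for its own type, and each one maps a rejected value to a known-safe default rather than to whatever the request carried.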

Lack of Protection Against Direct Access to PHP Files

Most of the plugin’s .php files that didn’t appear to be intended to be directly accessed contained protection against direct access, but a few were missing that. We didn’t see anything that could be exploited in the files without the restriction in place, but restricting access to them would ensure that there isn’t any issue with that.

The issue was addressed by adding the protection to the files missing it.
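
The guard in question is the usual `if ( ! defined( 'ABSPATH' ) ) { exit; }` near the top of each file, which makes a direct request to the file stop before any of its code runs. Checking a whole plugin for files that lack it is easy to automate; the script below is an added example, not FiboSearch’s code or part of the reviewed fix. It walks a plugin directory and lists .php files that contain neither an ABSPATH nor a WPINC check. The function names and the command-line usage are hypothetical.

```php
<?php
/**
 * Added example (not FiboSearch code): list .php files under a plugin directory
 * that carry no guard against direct access. Function names are hypothetical.
 *
 * Usage: php find-unguarded.php /path/to/wp-content/plugins/some-plugin
 */

/**
 * True when the source contains one of the two guards WordPress files
 * conventionally use:
 *   if ( ! defined( 'ABSPATH' ) ) { exit; }
 *   defined( 'WPINC' ) || die;
 */
function myplugin_has_direct_access_guard( $source ) {
	return (bool) preg_match( "/defined\s*\(\s*['\"](ABSPATH|WPINC)['\"]\s*\)/", $source );
}

/**
 * Recursively collect the .php files under $dir that lack a guard.
 * Returns a sorted list of paths so output is stable between runs.
 */
function myplugin_unguarded_files( $dir ) {
	$missing = array();
	$files   = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
	);

	foreach ( $files as $file ) {
		if ( 'php' !== strtolower( $file->getExtension() ) ) {
			continue;
		}
		$source = file_get_contents( $file->getPathname() );
		if ( false !== $source && ! myplugin_has_direct_access_guard( $source ) ) {
			$missing[] = $file->getPathname();
		}
	}

	sort( $missing );
	return $missing;
}

if ( 'cli' === PHP_SAPI && isset( $argv[1] ) && is_dir( $argv[1] ) ) {
	foreach ( myplugin_unguarded_files( $argv[1] ) as $path ) {
		echo $path, PHP_EOL;
	}
}
```

Treat the output as a review list rather than a verdict. As the finding above notes, a file that only declares classes or functions does nothing harmful when requested directly; the guard still belongs there, because a later edit that adds top-level code to such a file would otherwise become reachable without the rest of WordPress loaded.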
