Login
20 Jan 2023

Not Really a WordPress Plugin Vulnerability, Week of January 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Open Redirect in WPtouch

A claim of an open redirect vulnerability in the latest version, 4.3.47, of the plugin WPtouch was released this week. The only evidence for that claim was a proof of concept:

?wptouch_switch=desktop&redirect=https://packetstormsecurity.com/&nonce=9d69c21a5a

There is a nonce included in that, which likely indicated that there wasn’t really a vulnerability, as if a valid nonce is checked for, that proof of concept would fail for anyone other than the person doing testing since the nonce would not be valid.

The relevant code exists in the function analyze_user_agent_string() in the file /core/class-wptouch-pro.php, where a valid nonce is checked for before doing the redirect:

1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130

function analyze_user_agent_string() {
	// check and set cookie
	if ( isset( $this->get['wptouch_switch'] ) ) {
		$expires_time = time()+3600*24*365; // 365 days
		setcookie( WPTOUCH_COOKIE, $this->get['wptouch_switch'], $expires_time, '/' );
 
		if ( isset( $_COOKIE[ WPTOUCH_CACHE_COOKIE ] ) ) {
			if ( $this->get[ 'wptouch_switch' ] == 'desktop' ) {
				setcookie ( WPTOUCH_CACHE_COOKIE, 'mobile-desktop', $expires_time );
			} else {
				setcookie ( WPTOUCH_CACHE_COOKIE, 'mobile', $expires_time );
			}

So there isn’t a vulnerability there as the redirect won’t occur without a nonce valid for the requestor, which someone trying to cause a redirect wouldn’t have.

No related posts.

Leave a Reply

Your email address will not be published.