3 Jul 2023

Yoast SEO Founders Fund Collaboration Platform That Opens WordPress Websites to Having All Their Users Deleted

One of the most unsavory elements of the WordPress community is all the people who promote themselves as community focused while seeming much more interested in how they can sell off what they provide to the highest bidder, leaving their users and customers holding the bag. There is nothing wrong with running a business, but there is something wrong with claiming that you are about the community and then selling yourself to someone known to be engaged in shady business practices, like the Orwellian-named Awesome Motive. At the same time, a well-funded developer could potentially provide better solutions. One area where things are in need of significant improvement is security. Unfortunately, based on a plugin we recently ran across a serious vulnerability in, it doesn’t appear that funders in the WordPress space care about security. The plugin comes from Atarim, which in September touted being funded by investors with a WordPress background:

Even though Atarim’s visual collaboration tools are now available for any website, WordPress has been our home from day 1, and having such an inspiring group of investors, each with their own success stories in the WP space, we’re going to continue supporting and championing the community. Now, in even more ways than we could before.

The first paragraph of the post that quote comes from emphasizes acquisitions:

I’m excited to announce that we have completed our initial funding round, led by Joost de Valk and Marieke van de Rakt, of Emilia Capital and the founders of Yoast SEO (acquired by Newfold Digital), and supported by Devin Walker, co-founder of GiveWP (acquired by StellarWP of Liquid Web), Andrew Palmer, co-founder of Bertha.ai and ex Elegant Marketplace (acquired by inMotion hosting), and an angels group led by Matt Russell, former co-founder of Hosting/EasyWP at Namecheap.

First and foremost among the funders are the founders of Yoast SEO, who provided funding through Emilia Capital. On that firm’s website, the same person who wrote Atarim’s post said this:

Finding the right investor is not an easy task. It’s not just about the money, but finding the right team that will support your journey and vision and ideally, even walked a similar path to advise the founders with the best next step when challenges arise. With Marieke and Joost, we couldn’t ask for a better PIF (Product-Investor-Fit)!

So the involvement of the Yoast founders was being promoted as more than just providing funds.

As detailed in a separate post, a recent improvement to proactive monitoring we do to catch serious vulnerabilities in WordPress plugins led us to finding that Atarim’s WordPress plugin currently allows anyone to delete all of a WordPress website’s user accounts. That isn’t good.

The vulnerability has only been in the plugin for a month, but the plugin has contained easy-to-spot vulnerabilities since its first version in the WordPress Plugin Directory, which was released 15 days after the funding post. That version is numbered 3.2 and its copyright is listed as 2021, so presumably the plugin and the issues predate the funding.

One common starting point for widely exploited vulnerabilities in WordPress plugins is functionality that is registered to run during an admin post request. Version 3.2 registers two such functions:

add_action( 'admin_post_save_wpfeedback_options', 'process_wpfeedback_options' );
add_action( 'admin_post_save_wpfeedback_misc_options', 'process_wpfeedback_misc_options' );

Both of those are for saving settings (options). Insecure settings-saving functionality is among the functionality most widely exploited by hackers.

Those functions are registered so that anyone logged in to WordPress can access them, so there should be a capabilities check to further limit access. The first function includes one before doing anything else:

function process_wpfeedback_options() {
	$options = [];
	// Check that user has proper security level
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Not allowed' );
	}

	if ( ! empty( $_FILES ) ) {

The second doesn’t include one at the beginning (or anywhere else) in its code:

function process_wpfeedback_misc_options() {
	$options = [];
	if ( isset( $_POST['edd_license_deactivate'] ) ) {
		update_option( 'wpf_license', 'invalid', 'no' );

So with the second, anyone logged in can make the settings changes handled by the function.

The first is also vulnerable, as there isn’t a nonce check to prevent cross-site request forgery (CSRF), so an attacker could cause someone logged in with the needed capability to take the action without intending to. The same issue exists in at least one other place in the plugin.
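For comparison, here is what a settings-saving admin post handler looks like with both of the missing protections in place. This is an added example written for this post, not code from the Atarim plugin; the function names (mysite_save_options, mysite_render_settings_form), the option key mysite_options, the action name save_mysite_options and the nonce names are all made up for the illustration. WordPress routes a submission to admin-post.php with action=save_mysite_options to the admin_post_save_mysite_options hook for any logged-in user (a separate admin_post_nopriv_ hook exists for logged-out visitors and is deliberately not registered here), which is why the handler itself has to check both the capability and the nonce:

```php
<?php
// Added example, not the plugin's own code. Assumed (made-up) names:
// mysite_save_options(), mysite_render_settings_form(), option 'mysite_options',
// action 'save_mysite_options', nonce action 'mysite_save_options_nonce'.

// Register for logged-in users only. admin_post_nopriv_save_mysite_options is
// intentionally not registered, so logged-out requests have no handler at all.
add_action( 'admin_post_save_mysite_options', 'mysite_save_options' );

function mysite_save_options() {
	// Capability check: any logged-in user (even a subscriber) can reach
	// admin-post.php, so require the capability the settings actually warrant.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die(
			esc_html__( 'You are not allowed to change these settings.', 'mysite' ),
			'',
			array( 'response' => 403 )
		);
	}

	// CSRF check: the nonce emitted by wp_nonce_field() below must be present
	// and valid for this action. check_admin_referer() calls wp_die() on failure.
	check_admin_referer( 'mysite_save_options_nonce', 'mysite_nonce' );

	// Sanitise each field explicitly instead of storing $_POST wholesale.
	$options = array(
		'feedback_email'  => isset( $_POST['feedback_email'] )
			? sanitize_email( wp_unslash( $_POST['feedback_email'] ) )
			: '',
		'enable_comments' => ! empty( $_POST['enable_comments'] ) ? 1 : 0,
	);
	update_option( 'mysite_options', $options );

	// Redirect back to the settings page so a browser refresh does not resubmit.
	wp_safe_redirect( add_query_arg( 'updated', 'true', admin_url( 'options-general.php?page=mysite' ) ) );
	exit;
}

// The matching settings form. wp_nonce_field() emits the hidden input that
// check_admin_referer() verifies; the hidden "action" field selects the hook.
function mysite_render_settings_form() {
	$options = get_option( 'mysite_options', array() );
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="save_mysite_options">
		<?php wp_nonce_field( 'mysite_save_options_nonce', 'mysite_nonce' ); ?>
		<label>Feedback e-mail
			<input type="email" name="feedback_email"
				value="<?php echo esc_attr( $options['feedback_email'] ?? '' ); ?>">
		</label>
		<label>
			<input type="checkbox" name="enable_comments" value="1"
				<?php checked( ! empty( $options['enable_comments'] ) ); ?>>
			Enable comments
		</label>
		<?php submit_button( 'Save settings' ); ?>
	</form>
	<?php
}
```

The order matters: the capability check runs first so that a low-privileged user is rejected before any other work happens, and the nonce check runs before any option is written so that a forged request from a logged-in administrator's browser is rejected too. Dropping either check reproduces one of the two problems described above.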

That insecurity still exists as of the current version of the plugin.
