Poor Security of Really Simple SSL Permits Anyone to See What Known Vulnerabilities Are on a Website
As we noted in a post last week, the Really Simple SSL WordPress plugin became popular, with 5+ million installs, as a simple WordPress plugin and then the developer started bloating it with unrelated features. One of those was adding plugin vulnerability alerts. They recently explained doing that this way:
“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.”
As we also noted, among the issues with adding unrelated features to a WordPress plugin is that it increases the chances of security issues, so it should be avoided if possible. That is something security experts, which is what the developers of this plugin claim to be, would know. While preparing that post, we found a security issue caused by this very feature.
While trying to refresh the data for that feature, as part of checking into claims (which we confirmed) that the plugin was falsely claiming the current version of WordPress plugins contained vulnerabilities, we found the plugin insecurely, and seemingly oddly, stores data related to that.
When that feature is enabled, the plugin creates a new directory, really-simple-ssl, in the website’s uploads directory. That would normally be located at /wp-content/uploads/really-simple-ssl/. That contains three files: components.json, core.json, and manifest.json.
While the files have a .json extension, the contents are not in the JSON format. Here are the contents we had for the core.json:
ZXlKdVlXMWxJam9pVjI5eVpGQnlaWE56SWl3aWMyeDFaeUk2SW5kdmNtUndjbVZ6Y3lJc0luUjVjR1VpT2lKM2NDMWpiM0psSWl3aWMzUmhkSFZ6SWpvaWJHRjBaWE4wSWl3aWNtVmhjMjl1WDJOc2IzTmxaQ0k2Ym5Wc2JDd2lkblZzYm1WeVlXSnBiR2wwYVdWeklqcGJYU3dpZG1WeWMybHZiaUk2SWpZdU1pNHlJbjA9NTlmMTQzNDY3NzFjOWVkYTcwODc2ZGI2ZjA1NTVlNTQ=
That looks like it might be base64 encoded data. That raises concerns, as hackers have frequently hidden malicious content using that type of encoding.
Decoding that gets this:
eyJuYW1lIjoiV29yZFByZXNzIiwic2x1ZyI6IndvcmRwcmVzcyIsInR5cGUiOiJ3cC1jb3JlIiwic3RhdHVzIjoibGF0ZXN0IiwicmVhc29uX2Nsb3NlZCI6bnVsbCwidnVsbmVyYWJpbGl0aWVzIjpbXSwidmVyc2lvbiI6IjYuMi4yIn0=59f14346771c9eda70876db6f0555e54
That again looks like it might be base64 encoded data.
Decoding that gets this:
{"name":"WordPress","slug":"wordpress","type":"wp-core","status":"latest","reason_closed":null,"vulnerabilities":[],"version":"6.2.2"}9xߎW=yֻuӞy{
Based on the name of the file and the data there, that is storing data about WordPress itself. It lists the WordPress version number in use, which shouldn’t be considered a secret, though on many websites various lengths are gone to hide that.
The two other files are similarly base64 encoded.
The contents of the manifest.json come from the Really Simple SSL website.
What seems of most concern is the file components.json. Here are the decoded contents of that with an outdated version of the plugin User Activity Log, which contains a publicly known vulnerability:
[{"name":"User Activity Log","slug":"user-activity-log","type":"wp-plugin","status":"latest","reason_closed":null,"vulnerabilities":[{"rss_identifier":"8d543c54-ee2c-4b16-8e80-a38eccafb2ec","severity":"h","fixed_in":"1.6.5","version_from":"*","version_to":"1.6.4","operator_from":">=","operator_to":"<=","published_date":"2023-07-24T00:00:00.000000Z"}]}]{~;{ƽMgkFs
That shows information about that vulnerability.
There is no access restriction placed on those files.
So anyone, including any hacker, can see what vulnerabilities Really Simple SSL is claiming are currently on the website.
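For a site owner who wants to check what their own copies of these files disclose, the layout described above can be unpacked as follows. This is an added example, not code from the plugin or from this post; the function names, the sample record and the sample trailer are constructed, and the 32-character hexadecimal suffix is returned without interpretation because the post does not say what it is.

```python
import base64
import json
import re

HEX32 = re.compile(r"[0-9a-f]{32}")

def decode_rsssl_file(blob):
    """Unpack base64(base64(JSON) + 32 hex chars), the layout the post shows.

    Returns (data, trailer). The trailer's purpose is not stated in the post,
    so it is returned as-is rather than verified.
    """
    outer = base64.b64decode(blob.strip(), validate=True).decode("ascii")
    inner, trailer = outer[:-32], outer[-32:]
    if not HEX32.fullmatch(trailer):
        raise ValueError("no 32-character hex trailer after the inner base64")
    return json.loads(base64.b64decode(inner, validate=True)), trailer

def exposed_findings(data):
    """List (slug, severity, fixed_in) for each vulnerability record present."""
    components = data if isinstance(data, list) else [data]
    return [(c.get("slug"), v.get("severity"), v.get("fixed_in"))
            for c in components for v in c.get("vulnerabilities", [])]

def encode_sample(data, trailer):
    """Build a constructed test blob in the same layout (not plugin code)."""
    inner = base64.b64encode(json.dumps(data).encode()).decode()
    return base64.b64encode((inner + trailer).encode()).decode()

# Constructed sample using field names shown in the post's components.json.
SAMPLE = [{"name": "Example Plugin", "slug": "example-plugin", "type": "wp-plugin",
           "vulnerabilities": [{"severity": "h", "fixed_in": "1.2.3",
                                "version_to": "1.2.2", "operator_to": "<="}]}]
SAMPLE_TRAILER = "0123456789abcdef0123456789abcdef"  # constructed placeholder

if __name__ == "__main__":
    data, trailer = decode_rsssl_file(encode_sample(SAMPLE, SAMPLE_TRAILER))
    for slug, severity, fixed_in in exposed_findings(data):
        print(f"{slug}: severity={severity}, fixed in {fixed_in}")
```

Decoding the trailer separately avoids the stray bytes that appear when the whole string is passed through a lenient base64 decoder.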
While that obviously isn’t a good thing to allow, the impact of that is limited since hackers could gather at least some of that information fairly easily and most hackers are not doing targeted attacks, which could be helped by that type of information. What seems more concerning is that on the plugin’s website the developer claims that they are “WordPress & Security Experts”, which doesn’t seem to match with implementing storage of the plugin’s data so insecurely.
Stick to Single Focus Security Plugins
It’s long been our advice to not rely on all-in-one security plugins and instead use plugins that focus on one feature. If you need multiple features, use multiple plugins. What has gone on with this plugin is a good example of what can go wrong when plugins try to do everything.
Really Simple SSL isn’t the first popular all-in-one security plugin created by developers who don’t have a great handle on security. We recently issued an advisory about another one of them because of repeated poor handling of security with their security plugin and other plugins. Another one probably deserves an advisory as well, as among other recent issues, they have failed to fix a vulnerability in one of their other plugins and they are, to put it politely, overstating the security their security plugin can provide.