Hacker Appears to Wrongly Target WordPress Plugin Based on Patchstack’s Inaccurate Info on Vulnerability
On Saturday, a hacker was widely probing for usage of the WordPress plugin Thumbnail Slider With Lightbox. That was somewhat odd, as the plugin only has 1,000+ installs according to WordPress and in our data set of claimed vulnerabilities in the plugin, there were only claims of really minor vulnerabilities. So what explained their interest?
One thing that is abundantly clear based on monitoring we do is that hackers are focusing a lot on trying to exploit vulnerabilities highlighted by data providers we compete with. There is a sometimes uncomfortable relationship between these providers and hackers. For example, one of them is willing to sell information to hackers about vulnerabilities before they notify developers.
Relying on those providers has downsides for the legitimate users of their data, as they frequently get even basic details wrong about vulnerabilities, oftentimes because they are simply copying information from other providers. In a worst-case scenario earlier this year, this led to their customers being told that an unfixed vulnerability being widely exploited had been fixed three months before.
Those two things appear to explain the hacker’s interest. On Saturday, one of those providers, Patchstack, publicly claimed there had been an arbitrary file upload vulnerability in the plugin and described it this way:
Ala Arfaoui discovered and reported this Arbitrary File Upload vulnerability in WordPress Thumbnail Slider With Lightbox Plugin. This could allow a malicious actor to upload any type of file to your website. This can include backdoors which are then executed to gain further access to your website. This vulnerability has been fixed in version 1.0.1.
That would be something that hackers would target.
The only sourcing for that claim is a link to another provider, Wordfence, who days before wrote a misleading description of a real, but really old, vulnerability that had been in the plugin:
The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the addedit functionality. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
What they are talking about, cross-site request forgery (CSRF), causes someone to take an action they are already able to take, but didn’t intend to. So in this case, someone logged in to WordPress with the Administrator role could upload an arbitrary file without intending it. An attacker couldn’t upload anything there on their own. An Administrator can intentionally upload arbitrary files even without the plugin installed.
While it is possible that a CSRF vulnerability in a WordPress plugin could be exploited, we have yet to even hear claims that this has ever occurred on a wide scale. That makes an issue like this of limited concern.
Wordfence also claimed that the vulnerability had a CVSS severity score of 9.6 out of 10, which is way too high. So either they made a mistake or the scoring system they use provides highly inaccurate scores.
What makes this all the stranger is that the change Wordfence links to as being the evidence of that is from October 2015. Why they are claiming that some researcher found the vulnerability 8 years later is unclear.
To make sure there wasn’t something more serious at play here, which led to Patchstack’s claim, let’s quickly take a look at the vulnerable code.
Cross-Site Request Forgery (CSRF)/Arbitrary File Upload
The vulnerable code existed in the function responsive_thumbnail_slider_with_lightbox_admin_options_func() in the file /wp-responsive-slider-with-lightbox.php, which was accessed through the plugin’s admin page. To access that, you had to be logged in as an Administrator:
```php
$hook_suffix_r_l=add_menu_page( __( 'Responsive Slider plus Lightbox'), __( 'Responsive Slider plus Lightbox' ), 'administrator', 'responsive_thumbnail_slider_with_lightbox', 'responsive_thumbnail_slider_with_lightbox_admin_options_func' );
```
In that function, there was this code that would upload a file sent with a request without any restrictions on what type of file it is:
```php
if(isset($_POST['btnsave'])){
    // No nonce check before acting on the POST request.
    $uploads = wp_upload_dir();
    $baseDir=$uploads['basedir'];
    $baseDir=str_replace("\\","/",$baseDir);
    $pathToImagesFolder=$baseDir.'/wp-image-slider-with-lightbox';
    //edit save
    if(isset($_POST['imageid'])){
        //add new
        $location='admin.php?page=responsive_thumbnail_slider_with_lightbox_image_management';
        $title=trim(addslashes($_POST['imagetitle']));
        $imageurl=trim($_POST['imageurl']);
        $imageid=trim($_POST['imageid']);
        $imagename="";
        $imagename="";
        if($_FILES["image_name"]['name']!="" and $_FILES["image_name"]['name']!=null){
            if ($_FILES["image_name"]["error"] > 0) {
                $responsive_thumbnail_slider_plus_lightbox_messages=array();
                $responsive_thumbnail_slider_plus_lightbox_messages['type']='err';
                $responsive_thumbnail_slider_plus_lightbox_messages['message']='Error while file uploading.';
                update_option('responsive_thumbnail_slider_plus_lightbox_messages', $responsive_thumbnail_slider_plus_lightbox_messages);
                echo "<script type='text/javascript'> location.href='$location';</script>";
                exit;
            }
            else{
                $wpcurrentdir=dirname(__FILE__);
                $wpcurrentdir=str_replace("\\","/",$wpcurrentdir);
                // The extension is taken from the client-supplied filename and
                // never checked, so any file type is written to the uploads folder.
                $path_parts = pathinfo($_FILES["image_name"]["name"]);
                $extension = $path_parts['extension'];
                $imagename=md5(time()).".$extension";
                $imageUploadTo=$pathToImagesFolder.'/'.$imagename;
                move_uploaded_file($_FILES["image_name"]["tmp_name"],$imageUploadTo);
            }
        }
```
There also isn’t a nonce check to prevent CSRF.
The change made removed the file upload code and added a nonce check to the remaining code.
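For comparison, here is what a hardened version of that save handler looks like when it keeps the upload rather than removing it. This is an added example written for this post, not the plugin’s own code and not the change the developer made; it assumes the same form fields as the excerpt above (btnsave, imageid, imagetitle, imageurl, image_name), and the function and nonce names prefixed rtsl_example_ are placeholders chosen for the example. It adds the three checks the original lacked: a capability check, a nonce check so a forged cross-site request is rejected before any file is touched, and a restriction of the accepted file types to images using WordPress’s own upload handling.

```php
<?php
// Added example (not the plugin's code): hardened handler for the
// "btnsave" form. Names prefixed rtsl_example_ are assumptions.

// Nonce action name used by both the form and the handler (assumption).
const RTSL_EXAMPLE_NONCE_ACTION = 'rtsl_example_save_image';

/**
 * Call this inside the admin <form> so a legitimate submission carries a
 * nonce. A page on another site cannot read this token, which is what
 * makes the forged request in a CSRF attack fail the check below.
 */
function rtsl_example_render_nonce() {
    wp_nonce_field( RTSL_EXAMPLE_NONCE_ACTION, 'rtsl_example_nonce' );
}

/**
 * Handle the save request.
 *
 * @return string|WP_Error|null Stored file path, an error, or null when
 *                              the request is not this form's submission.
 */
function rtsl_example_handle_save() {
    if ( ! isset( $_POST['btnsave'] ) ) {
        return null; // not our form
    }

    // 1. Capability check. The menu page already requires an administrator,
    //    but the handler should enforce it itself rather than trust the caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rtsl_forbidden', 'Insufficient permissions.' );
    }

    // 2. CSRF check. check_admin_referer() verifies the nonce field and
    //    stops execution (wp_die) when it is missing or invalid, so a forged
    //    request never reaches the upload code.
    check_admin_referer( RTSL_EXAMPLE_NONCE_ACTION, 'rtsl_example_nonce' );

    if ( empty( $_FILES['image_name']['name'] ) ) {
        return new WP_Error( 'rtsl_no_file', 'No file submitted.' );
    }

    // 3. File-type restriction. The original code trusted the extension in
    //    the client-supplied filename. wp_handle_upload() with a 'mimes'
    //    override runs wp_check_filetype_and_ext(), which checks both the
    //    extension and (for images) the actual file content, and rejects
    //    anything outside this list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $result = wp_handle_upload(
        $_FILES['image_name'],
        array(
            'test_form' => false, // the nonce was already verified above
            'mimes'     => $allowed_mimes,
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'rtsl_upload_failed', $result['error'] );
    }

    // Remaining form fields, sanitized before use instead of only trimmed.
    $title     = sanitize_text_field( wp_unslash( $_POST['imagetitle'] ?? '' ) );
    $image_url = esc_url_raw( wp_unslash( $_POST['imageurl'] ?? '' ) );
    $image_id  = absint( $_POST['imageid'] ?? 0 );

    // Persisting $title / $image_url / $image_id is left to the plugin's own
    // storage; this example only returns where the validated file landed.
    return $result['file'];
}
```

Two design notes. wp_handle_upload() stores the file under the standard uploads directory rather than the plugin’s own wp-image-slider-with-lightbox subfolder; keeping a custom folder would need an upload_dir filter, which is omitted here to keep the checks in focus. And the order matters: the capability and nonce checks run before $_FILES is read at all, so a forged request from a logged-in Administrator’s browser is stopped before the server does any work on the attached file.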
So there was a CSRF/arbitrary file upload vulnerability in the plugin. There wasn’t the vulnerability Patchstack claimed.
Takeaways
While it isn’t news if you have followed our blog, other data providers are providing inaccurate and misleading information about vulnerabilities in WordPress plugins. Some of that is because they are not doing basic due diligence. At other times, it appears to be because they are seeking to get press coverage by overstating the risk caused by vulnerabilities. Unfortunately, WordPress isn’t warning the WordPress community about the inaccurate and misleading information coming from those providers.
While hackers do find new vulnerabilities and exploit them in WordPress plugins, they also frequently rely on public information when looking to exploit vulnerabilities. Security providers can’t fully control misuse of the information they provide, but they can take actions to limit hackers’ access to it, make sure that vulnerabilities have actually been fixed before claiming they have been fixed, and, most easily, not provide hackers information ahead of others.