Brainstorm Force Removed Security Code and Reintroduced Vulnerability in 1+ Million Install WordPress Plugin
It’s commonly claimed that it helps to determine if a WordPress plugin is secure by looking at the install count and looking if the developer is well known. We have yet to see anyone making that claim present any evidence of a correlation between them. We have seen plenty of instances where major WordPress plugin developers have problems handling security with popular plugins. Take Brainstorm Force. They were recently covered by the WP Tavern, while claiming to have made a six-figure investment in a plugin. So they clearly have the money to handle security properly, but they don’t.
The latest incident with Brainstorm Force involves a vulnerability in a 1+ million install plugin that went unnoticed by them (and others for that matter) for nearly four years, which they fixed without realizing it, it would seem, and then they reintroduced it today.
Their security problems are not new. Brainstorm Force still hasn’t fixed a vulnerability that we warned them about two years ago, after they made an attempt to address a related issue, in the 1+ million install Starter Templates plugin.
The latest issue involves the 1+ million install plugin, Elementor Header & Footer Builder. That came on our radar today after our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being fixed or introduced in updates, flagged an update to it. The changelog for the new version reads, “Fix: Retina Image – Navigating to custom URL by clicking on images.” That seems related to this discussion. The change should obviously have raised concern for the security implication.
Two changes were made to the code in the new version, both of which remove security code. They removed usage of esc_url() and esc_html() from the code, which is there to prevent malicious JavaScript code from being output:
In looking if this introduced a vulnerability, we found that plugin seems poorly developed. If you are logged in to WordPress as user with the Author role, you are shown a menu item for accessing the plugin’s functionality:
But if you click it, you get a message saying you are not allowed to access the page. The same is true for users with the Editor role. How does that get missed with such a popular plugin?
Further checking showed that there is now an authenticated persistent cross-site scripting (XSS) vulnerability as low-level WordPress users can add JavaScript code to posts through the caption of the plugin’s Retina Image widget. The malicious code would be run both on the frontend and backend of the website. The issue can be confirmed with the proof of concept below.
Looking further back, we found the vulnerability had been fixed just at the end of November in version 1.6.18. The fix seems to be related to a mention in the changelog of “Improvement: Compatibility with WordPress VIP Go rules.” The vulnerable code was first introduced in version 1.2.0, which was released in December 2019.
What makes this stand out more is that it would only cost them $200 for us to do a security review of the plugin, which would catch issues like this. That a lot less than six-figures.
WordPress Causes Full Disclosure
As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)
You can notify the developer of this issue on the forum as well.
After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.
Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:
Is It Fixed?
If you are reading this post down the road the best way to find out if this vulnerability or other WordPress plugin vulnerabilities in plugins you use have been fixed is to sign up for our service, since what we uniquely do when it comes to that type of data is to test to see if vulnerabilities have really been fixed. Relying on the developer’s information can lead you astray, as we often find that they believe they have fixed vulnerabilities, but have failed to do that.
Proof of Concept
When logged in as a Contributor, add a Retina Image widget to a post being created with Elementor, with the following caption:
<script>alert(document.cookie);</script>
When viewing the post or editing it, any available cookies will be shown in an alert box.