5 Jan 2024

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). Looking into whether this was a wider issue, we found that a 5+ million install security plugin is among those improperly using it, as well as another 1+ million install security plugin, and two 1+ million install plugins from the security reviewer on the team running the WordPress plugin directory.

The documentation for esc_url_raw() explains that it “Sanitizes a URL for database or redirect usage.” It then explains further that:

The esc_url_raw() function is similar to esc_url() (and actually uses it), but unlike esc_url() it does not replace entities for display. The resulting URL is safe to use in database queries and redirects.


This function is not safe to use for displaying the URL, use esc_url() instead.

Yet, here is one place it is used in the 5+ million install Really Simple SSL plugin:

<a class="button" <?php echo $target?> href="<?php echo esc_url_raw($more_info)?>"><?php $is_internal_link ? _e("View", "really-simple-ssl") : _e("More info", "really-simple-ssl")?></a>

That code involves neither a database query nor a redirect; it outputs a link, so esc_url() should be used there instead.

(This isn’t the only security issue with that plugin.)

Another security plugin, the 1+ million install All-In-One Security (AIOS), which has a history of more serious security issues, uses it when outputting an input value:

<td><input id="aiowps_404_lock_redirect_url" type="text" size="50" name="aiowps_404_lock_redirect_url" value="<?php echo esc_url_raw($aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'), array('http', 'https')); ?>" />

Again, esc_url() should be used there instead.

The issue also exists with the 1+ million install plugins Duplicator and OptinMonster from Awesome Motive, whose chief security officer is also the security reviewer on the team running the WordPress plugin directory. Here is that in Duplicator:

<a href="<?php echo esc_url_raw($dismiss_url); ?>" class="button duplicator-notice-dismiss">

Here is that in OptinMonster:

echo '<p><a href="' . esc_url_raw( OMAPI_Urls::settings() ) . '" class="button button-primary button-large omapi-new-optin" title="' . esc_html__( 'View API Settings', 'optin-monster-api' ) . '">' . esc_html__( 'View API Settings', 'optin-monster-api' ) . '</a></p></div>';

The documentation for the function shows an example of the wrong usage involving a link, which is exactly the situation with the code in three of the four plugins shown above.
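As an added example (not code from this post or from any of the plugins named), here is a small Python audit script that flags esc_url_raw() calls sitting in a display context: the call is inside an HTML attribute value that is still open, or it is echoed straight to the page. It runs over constructed lines modelled on the four snippets above, plus uses that match the documented purpose (a redirect and an option write) and a correct esc_url() use. The attribute-name list and the two heuristics are assumptions of this example and will not catch every display context, so treat hits as items to review.

```python
import re

# Constructed sample lines modelled on the snippets quoted in the post (lines 1-4),
# a bare short-echo use (5), two uses matching the documented purpose (6-7) and a
# correct esc_url() use (8). Not copied from any plugin's shipped source.
SAMPLE_PHP = r'''
<a class="button" <?php echo $target?> href="<?php echo esc_url_raw($more_info)?>">More info</a>
<td><input type="text" name="aiowps_404_lock_redirect_url" value="<?php echo esc_url_raw($aio_wp_security->configs->get_value('aiowps_404_lock_redirect_url'), array('http', 'https')); ?>" />
<a href="<?php echo esc_url_raw($dismiss_url); ?>" class="button duplicator-notice-dismiss">
echo '<p><a href="' . esc_url_raw( OMAPI_Urls::settings() ) . '" class="button">' . esc_html__( 'View API Settings', 'optin-monster-api' ) . '</a></p>';
<?= esc_url_raw( $home_url ) ?>
wp_safe_redirect( esc_url_raw( $redirect_to ) );
update_option( 'my_plugin_callback_url', esc_url_raw( $_POST['callback_url'] ) );
<a href="<?php echo esc_url( $dismiss_url ); ?>">Dismiss</a>
'''.strip()

# An attribute value was opened (href="...) and its quote has not been closed again
# before the call site, so the call's output lands inside the attribute.
ATTR_OPEN = re.compile(
    r'''\b(href|src|action|value|data-[\w-]+)\s*=\s*(["'])(?:(?!\2).)*$''',
    re.IGNORECASE)
# The call is the thing being printed: "echo esc_url_raw(" or "<?= esc_url_raw(".
BARE_ECHO = re.compile(r'(?:\becho|<\?=)\s*$')
CALL = re.compile(r'\besc_url_raw\s*\(')


def classify_call(prefix):
    """Return why an esc_url_raw() call preceded by `prefix` (text earlier on the
    same line) is a display use, or None if nothing suggests output to a page."""
    if ATTR_OPEN.search(prefix):
        return "inside HTML attribute"
    if BARE_ECHO.search(prefix):
        return "echoed directly"
    return None


def find_display_uses(php_source):
    """Return (line_number, reason) for each esc_url_raw() call in a display context."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in CALL.finditer(line):
            reason = classify_call(line[:match.start()])
            if reason:
                findings.append((lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_display_uses(SAMPLE_PHP):
        print(f"line {lineno}: esc_url_raw() {reason}; use esc_url() instead")
```

Lines 6 and 7 of the sample are the documented use cases and produce no hit; line 8 already uses esc_url() and is ignored.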

Better Handling by WordPress

Considering that this is a problem with plenty of popular plugins (more plugins with a million or more installs than the ones we mentioned), this seems like something worth addressing by WordPress. The documentation makes it clear that some of the usage we showed is wrong, but other usage we looked at while doing research isn’t clearly noted as being wrong by the documentation. So the documentation could possibly use improvement, but that doesn’t address usage that goes against the documentation.

WordPress has a security team, though it’s unclear what is even in their purview, so it is hard to know whether they should be looking into this. There is a team running the Plugin Directory, but considering that their own security reviewer’s plugins are not getting this right, and the team’s long-term poor handling of security, it seems difficult to see them taking this on. Our own recent experience trying to deal with the team on one of their own mistakes with security didn’t go well either.
