23 Jan 2025

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

We release advisories warning about WordPress plugin developers who have a repeated track record of handling security poorly. A reasonable question to ask is whether such a backward-looking determination is useful, or whether past is not prologue here. A week ago, we looked at an example we ran across of a developer continuing to fail. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory.

Awesome Motive

For one of those developers, Awesome Motive, we issued our advisory just on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn’t be failing on that front. Yet that is also the case with WPConsent.

In the plugin’s file /includes/admin/admin-ajax.php, six AJAX accessible functions are registered so that they are accessible only to those logged in to WordPress. There should be a capability check to make sure only the intended users have access to the functionality, but there isn’t. Here is the first of those, which contains only a nonce check and not a capability check:

function wpconsent_ajax_add_category() {
	check_admin_referer( 'wpconsent_add_category', 'wpconsent_add_category_nonce' );
 
	$category_name        = isset( $_POST['category_name'] ) ? sanitize_text_field( wp_unslash( $_POST['category_name'] ) ) : '';
	$category_description = isset( $_POST['category_description'] ) ? sanitize_textarea_field( wp_unslash( $_POST['category_description'] ) ) : '';
 
	$category_id = wpconsent()->cookies->add_category( $category_name, $category_description );
 
	if ( $category_id ) {
		wp_send_json_success( array(
			'id'          => $category_id,
			'name'        => $category_name,
			'description' => $category_description,
		) );
	} else {
		wp_send_json_error( array(
			'message' => esc_html__( 'There was an error adding the category.', 'wpconsent-cookies-banner-privacy-suite' ),
		) );
	}
}

While Awesome Motive shouldn’t have a problem handling security like this (they have a chief security officer, who is the Security Reviewer on the team running the WordPress Plugin Directory), it would have cost only $200, for example, for us to do a comprehensive security review that would have caught that and a variety of other possible issues.

The plugin is yet another GDPR related plugin that isn’t secure.

Brainstorm Force

So that shows that a developer that isn’t handling security well continues that way in the short term, but what about in the longer term? We issued an advisory at the beginning of January of last year for Brainstorm Force. A year later, they introduced SureDash. This plugin contains exactly the same issue as Awesome Motive’s plugin, across even more functions.

One example is this function in the file /core/ajax/backend.php:

public function delete_a_sub_content(): void {
	if ( ! check_ajax_referer( 'portal_delete_a_sub_content', 'security', false ) ) {
		wp_send_json_error( [ 'message' => $this->get_ajax_event_error( 'nonce' ) ] );
	}
 
	$sub_content_data = ! empty( $_POST['subContentData'] ) ? Sanitizer::sanitize_meta_data( json_decode( wp_unslash( $_POST['subContentData'] ), true ), 'metadata' ) : []; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Data is sanitized in the Sanitizer::sanitize_meta_data() method.
 
	$post_id = ! empty( $sub_content_data['post_id'] ) ? absint( $sub_content_data['post_id'] ) : 0;
 
	if ( ! $post_id ) {
		wp_send_json_error( [ 'message' => __( 'Invalid post ID.', 'suredash' ) ] );
	}
 
	$deleted = \wp_delete_post( $post_id, true );
 
	if ( $deleted ) {
		wp_send_json_success(
			[
				'message' => __( 'Successfully deleted.', 'suredash' ),
			]
		);
	}
 
	wp_send_json_error( [ 'message' => $this->get_ajax_event_error( 'default' ) ] );
}

That code also has a second fairly obvious security issue. It passes user input to a function, wp_delete_post(), that allows deleting arbitrary content stored as a post. That would allow deleting not just WordPress posts and pages, but other plugins’ data stored as posts. The code should make sure only the intended content is deletable, but it doesn’t.
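For both plugins the fix is the same, so here is an added example (not code from WPConsent or SureDash) of how a logged-in AJAX delete handler in the pattern shown above should be written: the nonce check is kept, a capability check is added, and wp_delete_post() is limited to the plugin’s own content. The hook name comes from the SureDash code above; the capability name, the post type and the function name are assumptions.

```php
<?php
// Added example: hardened version of the AJAX delete handler pattern shown above.
// 'portal_delete_a_sub_content' is the nonce action from the page; the capability
// 'delete_others_posts' and the post type 'example_sub_content' are assumptions.

add_action( 'wp_ajax_portal_delete_a_sub_content', 'example_delete_sub_content' );

function example_delete_sub_content(): void {
	// 1. CSRF protection. A nonce only proves the request came from a page WordPress
	//    rendered for this user; it says nothing about what the user is allowed to do.
	if ( ! check_ajax_referer( 'portal_delete_a_sub_content', 'security', false ) ) {
		wp_send_json_error( [ 'message' => 'Invalid nonce.' ], 403 );
	}

	// 2. Authorization. This is the check both plugins are missing: without it any
	//    logged-in account, including a subscriber, reaches the code below.
	if ( ! current_user_can( 'delete_others_posts' ) ) { // assumed capability
		wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
	}

	$post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
	if ( ! $post_id ) {
		wp_send_json_error( [ 'message' => 'Invalid post ID.' ], 400 );
	}

	// 3. Object-level check. Restrict deletion to the plugin's own post type so the
	//    handler cannot remove pages, posts or other plugins' data stored as posts.
	if ( get_post_type( $post_id ) !== 'example_sub_content' ) { // assumed post type
		wp_send_json_error( [ 'message' => 'Not a deletable item.' ], 400 );
	}

	// 4. Per-object capability. WordPress maps 'delete_post' onto the capabilities
	//    of that specific post, so ownership rules are enforced as well.
	if ( ! current_user_can( 'delete_post', $post_id ) ) {
		wp_send_json_error( [ 'message' => 'Insufficient permissions.' ], 403 );
	}

	if ( wp_delete_post( $post_id, true ) ) {
		wp_send_json_success( [ 'message' => 'Successfully deleted.' ] );
	}

	// wp_send_json_* functions call die(), so no early returns are needed above.
	wp_send_json_error( [ 'message' => 'Delete failed.' ], 500 );
}
```

Checks 2 and 3 are the ones missing from both handlers on this page; check 4 is the cheapest way to let WordPress enforce per-post ownership on top of the blanket capability.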

While the plugin is in the WordPress Plugin Directory, it carries this message: “Please note that SureDash is currently in its Alpha stage and is not recommended for use on live production websites.” That hasn’t stopped the developers from charging hundreds of dollars for items related to an insecure plugin:

Getting a security review wouldn’t cost much more than they are charging there, as our price for a review would be $500.


Plugin Security Scorecard grade for SureDash (checked on January 25, 2025): F

Plugin Security Scorecard grade for WPConsent (checked on January 22, 2025): F
