21 Apr 2025

WordPress Plugin Security Review: WP Time Capsule

For our 46th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin WP Time Capsule.

If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 1.22.23 of WP Time Capsule. We checked for the following issues during it as part of our standard review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those have been and continue to be a common source of disclosed vulnerabilities)
  • Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through any of the plugin’s blocks
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with functions accessible through the admin_post action
  • Security issues with import/export functionality
  • Security issues with usage of the is_admin() function
  • Security issues with usage of the add_option(), delete_option(), and update_option() functions
  • Security issues with usage of the update_user_meta() and wp_update_user() functions
  • Security issues with usage of the determine_current_user filter
  • Security issues with usage of the wp_set_current_user(), wp_set_auth_cookie() and wc_set_customer_auth_cookie() functions
  • Security issues with usage of the reset_password() and wp_set_password() functions
  • Security issues with usage of the extract() function
  • Lack of IP address validation
  • Proper usage of sanitize_callback when using register_setting() to register settings
  • Existence of register_uninstall_hook or uninstall.php file that removes any WordPress options and database tables added by the plugin
  • CSV injection
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found several minor vulnerabilities, as well as places where the security could be improved.

As part of the work on this review, we expanded our detection of third-party libraries in our Plugin Security Scorecard to include ones in this plugin. That has helped to identify additional plugins that also contain vulnerable libraries. And it makes it easier for other developers and plugin users to identify when plugins include outdated or unsupported libraries, which is a significant issue with this plugin.

The review also incorporated some experimental checking to try to identify information disclosure issues related to error logging, which identified a minor issue in this plugin.

We notified the developer of the results on March 21, offered them free help to address the issues, and informed them of our disclosure policy. They responded on March 24 that “We will get this checked and get back to you on this.” We haven’t heard back from them and it has been a month without a fix being released, so in line with our disclosure policy, we are releasing the results.

Cross-Site Request Forgery (CSRF) Vulnerability

The function store_cloud_access_token_wptc() in the file /Classes/InitialSetup/InitialSetup.php lacks protection against cross-site request forgery (CSRF) before saving user input.

Privilege Escalation and CSRF Vulnerabilities

The AJAX accessible function clear_upgrade_after_backup_flags_wptc() in the file /wp-time-capsule.php lacks a capability check and a nonce check to prevent CSRF. The function wptc_sync_purchase() in the file /Classes/Config.php lacks the same security checks. And the function to_live() in /Pro/Staging/stage-to-live/includes/class-stage-to-live.php also lacks those.
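The following is an added example, not code from the plugin, showing the two checks those functions lack: a capability check and a nonce check on an admin-only AJAX handler. The action name, nonce action, option name and admin page hook are hypothetical.

```php
<?php
// Added example (not plugin code): an admin-only AJAX handler that performs
// the capability check and the nonce check before doing any work.
// "example_clear_flags", "example_clear_flags_nonce", the option name and the
// admin page hook below are hypothetical names.

add_action( 'wp_ajax_example_clear_flags', 'example_clear_flags_handler' );

function example_clear_flags_handler() {
    // 1. Authorization: without this, any logged-in user could reach the handler
    //    (wp_ajax_* actions are available to every authenticated user).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: verify the nonce the legitimate admin page sent in the
    //    "security" request field. check_ajax_referer() stops execution on failure.
    check_ajax_referer( 'example_clear_flags_nonce', 'security' );

    // 3. Only now act on the request.
    delete_option( 'example_upgrade_after_backup_flag' );

    wp_send_json_success( array( 'message' => 'Flags cleared.' ) );
}

// The admin page that issues the request must embed a matching nonce so the
// browser can send it back; pages on other origins cannot obtain it.
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

function example_enqueue_admin_script( $hook ) {
    if ( 'toplevel_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'    => admin_url( 'admin-ajax.php' ),
        'action' => 'example_clear_flags',
        'nonce'  => wp_create_nonce( 'example_clear_flags_nonce' ),
    ) );
}
```

The script would POST `action=example_clear_flags&security=<nonce>` to the localized URL; a request missing either check fails before any option is changed.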

Non-Prepared SQL Statements

In the following files, there are SQL statements that are not prepared statements and that interpolate variables whose values are not fixed. It would be more secure if those were prepared, as other SQL statements in the plugin are:

  • /Classes/ActivityLog.php
  • /Classes/Analytics/BackupAnalytics.php
  • /Classes/AppFunctions/AppFunctions.php
  • /Classes/BackupController.php
  • /Classes/Settings/Settings.php
  • /common-functions.php
  • /Pro/Staging/stage-to-live/includes/class-stage-to-live.php
  • /Pro/Staging/stage-to-live/includes/class-staging-white-label.php
  • /restore-progress-ajax.php
  • /wp-tcapsule-bridge/pclzip.class.php
  • /wptc-cron-functions.php
  • /wp-time-capsule.php
  • /wp-time-capsule/Classes/Config.php
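As an added illustration (not the plugin's code), here is the same activity-log query written by interpolating variables and then as a prepared statement with $wpdb->prepare(); the table and column names are hypothetical.

```php
<?php
// Added example (not plugin code). Table and column names are hypothetical.

// Unprepared: $status and $limit are dropped straight into the SQL string.
// A quote character in $status, or a non-numeric $limit, changes the statement.
function example_activity_log_unprepared( $status, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_activity_log';
    return $wpdb->get_results(
        "SELECT id, message FROM {$table} WHERE status = '{$status}' ORDER BY id DESC LIMIT {$limit}"
    );
}

// Prepared: %s is quoted and escaped by prepare(), %d is cast to an integer.
// The table name is built from $wpdb->prefix, which the plugin controls, so it
// is the only part that is still concatenated into the string.
function example_activity_log_prepared( $status, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_activity_log';
    $sql   = $wpdb->prepare(
        "SELECT id, message FROM {$table} WHERE status = %s ORDER BY id DESC LIMIT %d",
        $status,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// LIKE patterns need one extra step: escape the SQL wildcard characters in the
// user-supplied term before it goes through the %s placeholder.
function example_activity_log_search( $term ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_activity_log';
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, message FROM {$table} WHERE message LIKE %s", $like )
    );
}
```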

Known Vulnerable Library

The plugin contains a known vulnerable version of the jQuery UI library. That contains the following vulnerabilities according to the developer:

As that library is included in WordPress, the plugin is not supposed to be including it.

Outdated Libraries

The plugin contains outdated versions of the following third-party libraries: AWS SDK for PHP, clipboard.js, FullCalendar Google Calendar Plugin, FullCalendar, Guzzle, Guzzle PSR-7 Message Implementation, Guzzle Promises, jmespath.php, jquery.fancytree.js, moment.js, PHP-FIG HTTP Client, PHP-FIG PSR Http Message, phpseclib, sweetalert2, Symfony EventDispatcher Component, and Symfony Polyfill/Mbstring.

Unsupported Libraries

The plugin includes the following third-party libraries that are no longer supported by their developers: Guzzle 3 and jQuery File Upload.

Unserialize() Issues

In some instances, the plugin is securing usage of the unserialize() function against PHP object injection by passing the second parameter, `['allowed_classes' => false]`, to the function. That seems to be done rather haphazardly, as similar code sometimes does that and sometimes doesn’t. It would be better to apply that more widely. In particular, the usage in the files /Classes/class-replace-db-links.php, /Classes/Config.php, and /Pro/Staging/class-update-in-staging.php that lacks it seems of more concern. In the file /Classes/getUpdateStats.php the plugin is using the similar maybe_unserialize() function, which doesn’t support protecting against PHP object injection. Replacing that with a secured function would be better.
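An added example (not the plugin's code) of a wrapper that behaves like maybe_unserialize() but always passes the allowed_classes option, so it can replace both the unguarded unserialize() calls and the maybe_unserialize() call mentioned above. The option name in the usage line is hypothetical.

```php
<?php
// Added example (not plugin code): a maybe_unserialize() replacement that
// never instantiates classes from the serialized payload.

function example_safe_unserialize( $data ) {
    // Like maybe_unserialize(): only strings that look serialized are decoded,
    // anything else is returned untouched.
    if ( ! is_string( $data ) || ! is_serialized( $data ) ) {
        return $data;
    }

    // allowed_classes => false: any object in the payload becomes
    // __PHP_Incomplete_Class instead of a live object, so no __wakeup(),
    // __destruct() or __toString() of a class chosen by the payload can run.
    $value = @unserialize( $data, array( 'allowed_classes' => false ) );

    // unserialize() returns false both for invalid input and for the
    // serialized boolean false ("b:0;"); distinguish the two.
    if ( false === $value && 'b:0;' !== $data ) {
        return $data;
    }

    // The plugin's own data is arrays and scalars; a blocked object at the
    // top level is a sign of tampered or foreign data, so reject it.
    if ( $value instanceof __PHP_Incomplete_Class ) {
        return null;
    }

    return $value;
}

// Usage: the stored value may be a plain string or a serialized array.
$stats = example_safe_unserialize( get_option( 'example_update_stats' ) );
```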

Missing Filter for filter_input()

The function sanitize_get_variables_wptc() in the file /wptc-cron-functions.php uses the filter_input() filtering function without a filter specified, so it doesn’t do any filtering. If you are going to use that, you need to specify a filter.
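The following added example (not the plugin's function) shows filter_input() with explicit filters for a few kinds of GET parameters; the parameter names are hypothetical. Without the third argument, filter_input() applies FILTER_DEFAULT, which returns the raw value unchanged.

```php
<?php
// Added example (not plugin code): reading GET parameters with filter_input()
// and a filter chosen per parameter. Parameter names are hypothetical.

function example_sanitize_get_variables() {
    // Integer id: anything that is not an integer >= 1 becomes false.
    $backup_id = filter_input( INPUT_GET, 'backup_id', FILTER_VALIDATE_INT, array(
        'options' => array( 'min_range' => 1 ),
    ) );

    // Enumerated value: filtering cannot express "one of these", so compare
    // the raw value against a fixed allow-list and fall back to a default.
    $allowed = array( 'start', 'stop', 'status' );
    $action  = filter_input( INPUT_GET, 'action', FILTER_UNSAFE_RAW );
    $action  = in_array( $action, $allowed, true ) ? $action : 'status';

    // Boolean flag: "1"/"true"/"on"/"yes" => true, "0"/"false"/"off"/"no" => false,
    // anything else => null because of FILTER_NULL_ON_FAILURE.
    $dry_run = filter_input( INPUT_GET, 'dry_run', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE );

    // URL: must parse as an absolute URL; esc_url_raw() then strips
    // disallowed schemes before the value is stored or used in a request.
    $callback = filter_input( INPUT_GET, 'callback', FILTER_VALIDATE_URL );

    return array(
        'backup_id' => ( false === $backup_id ) ? null : $backup_id,
        'action'    => $action,
        'dry_run'   => $dry_run,
        'callback'  => $callback ? esc_url_raw( $callback ) : null,
    );
}
```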

Logging Issue

The plugin’s logging functionality, which happens in the function wptc_log() in the file /common-functions.php, stores the logging file in a standardized location that doesn’t contain any access restrictions. So anyone could access that.
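As an added example (not the plugin's wptc_log()), a log writer that keeps the file out of a predictable, openly readable location: the directory name is derived from the site's salts via wp_hash(), an Apache 2.4 `.htaccess` deny rule and an empty index.php are dropped in as defence in depth, and the file is created non-world-readable. Function names are hypothetical.

```php
<?php
// Added example (not plugin code): logging to an unguessable, access-restricted
// directory under wp-content/uploads. Function names are hypothetical.

function example_log_dir() {
    $upload = wp_upload_dir();
    // Directory name tied to this site's salts, so it cannot be guessed from
    // the plugin's source alone.
    $dir = trailingslashit( $upload['basedir'] ) . 'example-logs-' . substr( wp_hash( 'example-logs' ), 0, 16 );

    if ( ! is_dir( $dir ) ) {
        wp_mkdir_p( $dir );
        // Apache 2.4 honours this; nginx and others ignore .htaccess, which is
        // why the unguessable name above is the primary control.
        file_put_contents( $dir . '/.htaccess', "Require all denied\n" );
        // Prevents directory listing on servers that would otherwise show it.
        file_put_contents( $dir . '/index.php', "<?php // Silence is golden.\n" );
    }
    return $dir;
}

function example_log( $message ) {
    $file = example_log_dir() . '/debug.log';
    $line = sprintf( "[%s] %s\n", gmdate( 'c' ), $message );
    // Append under a lock so concurrent requests do not interleave lines.
    file_put_contents( $file, $line, FILE_APPEND | LOCK_EX );
    // Readable by the web server user only.
    @chmod( $file, 0600 );
}
```

Log messages should still avoid secrets such as tokens and credentials, since the file remains readable to anyone with shell or FTP access to the account.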

Lack of Protection Against Direct Access to PHP Files

Some of the plugin’s .php files do not have code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place, but several files have functionality that can be accessed directly with the plugin installed, though that may not be intended:

  • /wp-tcapsule-bridge/index.php
  • /Pro/Staging/bridge/bridge.php
  • /wp-tcapsule-bridge/wptc-copy.php
  • /wp-tcapsule-bridge/wptc-ajax.php

Adding the code the plugin already has in other files would make things more secure.
