14 Jun 2021

WordPress Plugin Directory Team Failing To Detect Easy to Spot Vulnerabilities

Last week we mentioned that we had found a couple of vulnerable WordPress plugins when we ran the ones also available in WordPress fork ClassicPress’ plugin directory through our Plugin Security Checker. One of those was promptly fixed after we notified the developer of the issue. With the other, AlertMe!, we haven’t even received a response from the developer in over a week, so in line with our reasonable disclosure policy, we are disclosing the vulnerability.

Like the other vulnerability, this has existed in the plugin since the first version, despite being easy to detect. The WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of this type of issue. We have repeatedly offered to help them implement this type of thing, but, like other attempts to help them improve their poor handling of security, they have shown no interest.

Reflected Cross-Site Scripting (XSS)

While we continue to expand on the capabilities of our Plugin Security Checker, the vulnerability in this plugin is something that isn’t hard to detect, as the code directly outputs user input in the form of the GET or POST input “s”, as shown in the results of the tool:

User input is being directly output, which could lead to reflected cross-site scripting (XSS).

File: /alertme/inc/admin/alertme-subscribers.php
Line: 314
Code:
<input id="search_id-search-input" type="text" name="s" value="<?php echo (( isset($_REQUEST['s'])) ? $_REQUEST['s'] : '');  ?>" />

Unless the value had been sanitized elsewhere (and it was not), that wouldn’t be secure and could be a vulnerability depending on how the code can be accessed. In this case it can be exploited against someone logged in to WordPress as an Administrator, as confirmed with the proof of concept below.
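To show that this pattern is mechanically detectable, here is an added example (not the Plugin Security Checker’s code and not from the plugin): a small Python heuristic that flags echo/print statements emitting $_GET/$_POST/$_REQUEST data outside an escaping call such as esc_attr(). The sample PHP, the wrapper list and the Finding type are constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Escaping/sanitizing helpers whose result is safe to emit; esc_attr() is the
# one for an HTML attribute value such as the value="" of the search input.
SAFE_WRAPPERS = ("esc_attr", "esc_html", "esc_url", "esc_js", "sanitize_text_field", "absint", "intval")
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Output statement: `echo ...;`, `print ...;` or short tag `<?= ... ?>`. Heuristic:
# the expression ends at the first ';' or '?>' (a ';' in a string cuts it short).
OUTPUT = re.compile(r"(?:\becho\b|\bprint\b|<\?=)(?P<expr>.*?)(?:;|\?>)", re.DOTALL)
WRAPPER_CALL = re.compile(r"\b(?:" + "|".join(SAFE_WRAPPERS) + r")\s*\(")

@dataclass(frozen=True)
class Finding:
    line: int          # 1-based line where the output statement starts
    variables: tuple   # superglobals that reach the output unescaped
    statement: str     # the matched statement, for the report

def _inside_wrapper(prefix: str) -> bool:
    """True if an escaping call opened in `prefix` is still unclosed at its end."""
    for call in WRAPPER_CALL.finditer(prefix):
        depth = 0
        for ch in prefix[call.end() - 1:]:   # count parens from the call's '('
            depth += (ch == "(") - (ch == ")")
        if depth > 0:
            return True
    return False

def find_unescaped_output(php: str) -> list:
    """Flag output statements that emit request data without an escaping call."""
    findings = []
    for stmt in OUTPUT.finditer(php):
        expr = stmt.group("expr")
        unescaped = ["$_" + sg.group(1) for sg in SUPERGLOBAL.finditer(expr)
                     if not _inside_wrapper(expr[:sg.start()])]
        if unescaped:
            line = php.count("\n", 0, stmt.start()) + 1
            findings.append(Finding(line, tuple(dict.fromkeys(unescaped)),
                                    stmt.group(0).strip()))
    return findings

# Constructed sample: line 2 repeats the pattern quoted above, line 3 is the same
# input wrapped in esc_attr(), lines 4-5 exercise concatenation and short tags.
SAMPLE_PHP = """<?php /* constructed sample */ ?>
<input id="search_id-search-input" type="text" name="s" value="<?php echo (( isset($_REQUEST['s'])) ? $_REQUEST['s'] : '');  ?>" />
<input type="text" name="s" value="<?php echo esc_attr( isset( $_REQUEST['s'] ) ? $_REQUEST['s'] : '' ); ?>" />
<?php echo esc_html( $_GET['a'] ) . $_GET['b']; ?>
<p><?= $_POST['note'] ?></p>
"""

if __name__ == "__main__":
    for f in find_unescaped_output(SAMPLE_PHP):
        print(f"line {f.line}: {', '.join(f.variables)} reach output unescaped")
```

Running it reports lines 2, 4 and 5 of the sample and stays silent on line 3, where the same value passes through esc_attr() before being echoed.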

Proof of Concept

The following proof of concept will cause any available cookies to be shown in an alert box, when logged in as an Administrator. In Safari and other web browsers that provide XSS filtering this proof of concept will not work.

Replace “[path to WordPress]” with the location of WordPress.

http://[path to WordPress]/wp-admin/admin.php?page=alert-me-subscribers&s="><script>alert(document.cookie);</script>

Timeline

  • June 4, 2021 – Developer notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
