Not Really a WordPress Plugin Vulnerability, Week of October 7
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports of things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the claims are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug than a vulnerability. For those that don’t rise to the level of getting their own post, we now collect them in a weekly post when we come across them.
PHP Object Injection in Easy WP SMTP
One of the changelog entries for version 1.4.9 of Easy WP SMTP is:
Fixed a possible PHP object injection issue while importing a file.
As at least one of our customers is using the plugin, we looked to see if a vulnerability was being fixed (and whether it was actually fixed). What we found was that the developer was only incompletely restricting the ability for PHP object injection to occur. Access to the relevant code was already restricted, so an attacker wouldn’t be able to reach it: to get to the code someone would need to be logged in as an Administrator (more precisely, a user with the manage_options capability, which Administrators have by default):
if ( current_user_can( 'manage_options' ) ) {
And the code checks for a valid nonce to prevent cross-site request forgery (CSRF):
check_admin_referer( 'easy_wp_smtp_import_settings', 'easy_wp_smtp_import_settings_nonce' );
The change made tries to restrict PHP object injection with this code:
//since all object start with O:
$is_object= strpos($json_string,"O:");
if($is_object!==false)
{
    $error = new WP_Error();
    $error->add(1002, __("A malicious import file is passed. Aborting import!",'easy-wp-smtp'));
    return $error;
}

return unserialize($json_string);
There are two issues with that. First, it doesn’t take advantage of the allowed_classes option that unserialize() has had since PHP 7.0, which can stop any class at all (or any class outside an allow list) from being instantiated from the imported data. Second, it only looks for “O:”, so it doesn’t block serialized objects in the “C:” form, which is what classes implementing the Serializable interface produce when serialized; those are unserialized by calling the class’s own unserialize() method with attacker-controlled data. As a side effect of the marker approach, any legitimate import whose contents happen to contain the two characters “O:” anywhere is rejected as “malicious”, which is a bug rather than a security issue, but one that a proper fix would avoid.
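As an added example (this is not the plugin’s code and not part of the original post), the following stand-alone PHP script reproduces the “O:” marker check, shows a “C:” payload for a class implementing Serializable walking straight past it, and shows a hardened import routine using the allowed_classes option of unserialize() plus a check that the result has the shape a settings import should have. The LegacyRecord class, the function names and the payloads are invented for the demonstration; in a real attack the class would have to be one already loadable on the site, with a gadget worth reaching in its unserialize() method.

```php
<?php
// Added example, not code from Easy WP SMTP. Shows why rejecting payloads that
// contain "O:" does not stop PHP object injection, and how unserialize()'s
// 'allowed_classes' option (PHP >= 7.0) closes the gap.

// Hypothetical class standing in for one an attacker could reach through the
// autoloader. Because it implements Serializable, it can be instantiated from a
// "C:" payload, which a check that only looks for "O:" never sees.
class LegacyRecord implements Serializable
{
    public static int $unserializeCalls = 0;   // records whether attacker data reached user code
    public string $payload = '';

    // Old-style hooks: a "C:" payload is unserialized through this method.
    public function serialize(): ?string { return $this->payload; }
    public function unserialize(string $data): void
    {
        self::$unserializeCalls++;   // in a real gadget chain the damage would start here
        $this->payload = $data;
    }

    // Modern hooks, present so PHP 8.1+ does not emit a deprecation notice.
    public function __serialize(): array { return ['payload' => $this->payload]; }
    public function __unserialize(array $data): void { $this->payload = $data['payload']; }
}

// Same logic as the plugin's change: refuse anything containing "O:", then
// unserialize whatever is left. Returns null instead of WP_Error so it runs
// outside WordPress.
function import_with_marker_check(string $data)
{
    if (strpos($data, 'O:') !== false) {
        return null;
    }
    return unserialize($data);
}

// Hardened import: never instantiate any class, and insist on the shape a
// settings import actually needs (an array with no objects anywhere in it).
// The @ only silences the notice unserialize() emits for malformed input;
// rejection is handled by the return value.
function import_hardened(string $data): ?array
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        return null;
    }
    return $value;
}

function contains_object($value): bool
{
    if (is_object($value)) {
        return true;   // also catches the __PHP_Incomplete_Class left for disallowed classes
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs for the demonstration.
$legit   = serialize(['smtp_host' => 'mail.example.com', 'smtp_port' => 587]);
$legitO  = serialize(['from_name' => 'INFO: Sales']);   // harmless, but contains "O:"
$attackO = 'O:12:"LegacyRecord":1:{s:7:"payload";s:3:"abc";}';
$inner   = 'attacker-data';
$attackC = sprintf('C:%d:"LegacyRecord":%d:{%s}', strlen('LegacyRecord'), strlen($inner), $inner);

echo "marker check, legit import accepted:        ", var_export(is_array(import_with_marker_check($legit)), true), "\n";
echo "marker check, legit value with 'O:' rejected: ", var_export(import_with_marker_check($legitO) === null, true), "\n";
echo "marker check, O: payload blocked:           ", var_export(import_with_marker_check($attackO) === null, true), "\n";
$r = import_with_marker_check($attackC);
echo "marker check, C: payload instantiated class: ", var_export($r instanceof LegacyRecord, true),
     " (LegacyRecord::unserialize() calls: ", LegacyRecord::$unserializeCalls, ")\n";

LegacyRecord::$unserializeCalls = 0;
echo "hardened, legit import accepted:            ", var_export(is_array(import_hardened($legit)), true), "\n";
echo "hardened, legit value with 'O:' accepted:    ", var_export(is_array(import_hardened($legitO)), true), "\n";
echo "hardened, C: payload rejected:              ", var_export(import_hardened($attackC) === null, true),
     " (LegacyRecord::unserialize() calls: ", LegacyRecord::$unserializeCalls, ")\n";
```

Run it with any PHP 7.4 or later interpreter; the “C:” payload goes through the marker check and invokes LegacyRecord::unserialize(), while the hardened version never instantiates the class and still accepts the legitimate imports, including the one the marker check wrongly rejects. If the import format is under the developer’s control, switching the export/import to JSON removes the need for unserialize() altogether; that is a design suggestion here, not something the plugin does.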
We went to contact the developer about that, but the contact page on their website is broken.
Unauthenticated Reflected XSS in All-in-One WP Migration
Automattic’s WPScan made a mess of a claim of an unauthenticated reflected XSS vulnerability in All-in-One WP Migration. They wrote this:
The plugin uses the wrong content type for, and does not properly escape the response from the ai1wm_export action, allowing an attacker to craft a request that when submitted by any visitor will inject arbitrary html or javascript into the response that will be executed in the victim’s session.
The proof of concept that is supposed to back that up, though, doesn’t work, as it requires information the attacker wouldn’t have. That is acknowledged in the proof of concept itself:
Note: The secret key must be obtained through other means. It is stored in the site option `ai1wm_secret_key`, but is static for the lifetime of the site.
WPScan doesn’t provide an explanation of how the attacker would have that. Things get worse from there.
The proof of concept involves a request that looks to be related to exporting data from the plugin, so it would seem that it shouldn’t be accessible to someone not logged in to WordPress. But that is exactly what WPScan is claiming, since they describe the vulnerability as unauthenticated. Checking on that, we confirmed the function is accessible to those not logged in. The version that WPScan claimed fixes the issue doesn’t look to change that, and it doesn’t look to change that the functionality can still be used by anyone who has the value of “ai1wm_secret_key”, which is the very thing an attacker would have needed to exploit the claimed vulnerability. The same looks to be true of the import functionality.
So if an attacker had access to “ai1wm_secret_key”, they could still do something more serious than the claimed reflected XSS, yet WPScan isn’t claiming there is still a vulnerability in the plugin. That doesn’t make sense: either there wasn’t a vulnerability before, or there is still a more serious one now.
Plugin Security Scorecard Grade for All-in-One WP Migration
Checked on November 22, 2024.