30 Aug 2024

WordPress Plugin Security Review: Neznam Atproto Share

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Neznam Atproto Share. (We ended up not using the plugin for a reason unrelated to what we found during the review.)

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service.

The review was done on version 1.3.0 of Neznam Atproto Share. We checked for the following issues during it as part of our standard review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those have been and continue to be a common source of disclosed vulnerabilities)
  • Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through any of the plugin’s blocks
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with functions accessible through the admin_post action
  • Security issues with import/export functionality
  • Security issues with usage of the is_admin() function
  • Security issues with usage of the add_option(), delete_option(), and update_option() functions
  • Security issues with usage of the update_user_meta() and wp_update_user() functions
  • Security issues with usage of the determine_current_user filter
  • Security issues with usage of the wp_set_current_user(), wp_set_auth_cookie() and wc_set_customer_auth_cookie() functions
  • Security issues with usage of the reset_password() and wp_set_password() functions
  • Security issues with usage of the extract() function
  • Lack of IP address validation
  • Proper usage of sanitize_callback when using register_setting() to register settings
  • CSV injection
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found several issues with the security of the plugin related to issues we already checked for. We also noticed another issue with the security of the plugin, which we have decided to make a standard part of what we check for going forward.

We contacted the developer about the results through the email address listed on their website last Friday, but we have yet to hear back from them and there hasn’t been a new version released. In line with our reasonable disclosure policy, we are disclosing the issues now, as the developer hadn’t responded to let us know they would address the issues within a month.

Lack of Uninstallation Capability

The plugin lacks an uninstall capability, so the API credentials stored in the WordPress database to be used by the plugin will stay in the database even after the plugin is uninstalled.

This isn’t something we had been checking for during review until now, but it stood out while reviewing this plugin. And it turns out to be a pretty common problem, even among the most popular plugins.
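The fix for this finding is a small uninstall.php in the plugin's root directory, which WordPress runs when the plugin is deleted from the Plugins screen. The following is an added example and not the plugin's own code: the '-url' and '-did' option names are taken from the review, the other option names and the 'neznam-atproto-share' prefix are assumptions.

```php
<?php
/**
 * uninstall.php: remove every option the plugin stored, credentials included.
 * Added example, not the plugin's code. Option names other than '-url' and
 * '-did' are assumed for illustration.
 */

// WordPress defines this constant only while running an uninstall routine;
// abort if the file is reached any other way (e.g. a direct request).
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
	exit;
}

$neznam_atproto_share_prefix = 'neznam-atproto-share'; // assumed value of $this->plugin_name

// Options the plugin is assumed to persist. Credentials and tokens must not
// outlive the plugin, so they are deleted explicitly.
$neznam_atproto_share_options = array(
	$neznam_atproto_share_prefix . '-url',
	$neznam_atproto_share_prefix . '-handle',
	$neznam_atproto_share_prefix . '-secret',
	$neznam_atproto_share_prefix . '-did',
	$neznam_atproto_share_prefix . '-access-token',
	$neznam_atproto_share_prefix . '-refresh-token',
);

foreach ( $neznam_atproto_share_options as $neznam_atproto_share_option ) {
	delete_option( $neznam_atproto_share_option );
	// Multisite installs may hold the value network-wide instead.
	delete_site_option( $neznam_atproto_share_option );
}

// Safety net for options added in later versions under the same prefix, so a
// forgotten entry in the list above does not leave credentials behind.
global $wpdb;
$neznam_atproto_share_leftovers = $wpdb->get_col(
	$wpdb->prepare(
		"SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
		$wpdb->esc_like( $neznam_atproto_share_prefix ) . '-%'
	)
);
foreach ( $neznam_atproto_share_leftovers as $neznam_atproto_share_option ) {
	delete_option( $neznam_atproto_share_option );
}
```

The explicit list documents what the plugin stores; the prefix sweep only works if every option the plugin writes really shares the prefix, which is the assumption behind using `$wpdb->esc_like()` on it.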

Lack of Sanitization/Validation With User Input Coming From Another Website

In several functions, the plugin is taking user input coming back from a request to another website and saving it without sanitizing or validating it first. That occurs in the functions authorize(), did_request(), post_message(), and refresh_token() in the file /includes/class-neznam-atproto-share-logic.php. Here is one example of that:

public function did_request() {
	// The reply comes from a remote host; only a transport error is checked, not the HTTP status code.
	$body = wp_remote_get( trailingslashit( $this->url ) . 'xrpc/com.atproto.identity.resolveHandle?handle=' . $this->handle );
	if ( is_wp_error( $body ) ) {
		return false;
	}
	// The decoded JSON is trusted as-is: no check that decoding succeeded or that 'did' is a string.
	$body = json_decode( $body['body'], true );
	$did  = $body['did'];
	if ( $did ) {
		// The unvalidated remote value is written straight to the options table.
		update_option( $this->plugin_name . '-did', $did );
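A hardened version of that method, written as an added example rather than taken from the plugin: the property names ($url, $handle, $plugin_name) follow the excerpt, while the class name, the validate_did() helper and the DID patterns are the example's own assumptions. It checks the HTTP status, the JSON decoding and the shape of the value before anything reaches update_option().

```php
<?php
// Added example, not the plugin's code. Property names follow the excerpt;
// class name, validate_did() and the DID patterns are assumptions.

class Neznam_Atproto_Share_Logic_Example {

	private $url;         // PDS base URL, e.g. https://bsky.social (assumed sanitized on save)
	private $handle;      // account handle, e.g. example.com
	private $plugin_name; // option-name prefix

	public function __construct( $url, $handle, $plugin_name ) {
		$this->url         = $url;
		$this->handle      = $handle;
		$this->plugin_name = $plugin_name;
	}

	public function did_request() {
		$endpoint = trailingslashit( $this->url ) . 'xrpc/com.atproto.identity.resolveHandle';
		// Encode the handle instead of concatenating it into the query string.
		$response = wp_remote_get(
			add_query_arg( 'handle', rawurlencode( $this->handle ), $endpoint ),
			array( 'timeout' => 10 )
		);
		if ( is_wp_error( $response ) ) {
			return false;
		}
		// An error status (e.g. 400 for an unknown handle) also carries a JSON body;
		// it must not be treated as a successful lookup.
		if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
			return false;
		}
		$body = json_decode( wp_remote_retrieve_body( $response ), true );
		if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $body ) ) {
			return false;
		}
		if ( empty( $body['did'] ) || ! is_string( $body['did'] ) ) {
			return false;
		}
		$did = self::validate_did( $body['did'] );
		if ( false === $did ) {
			return false;
		}
		// Only a value that passed validation is stored.
		update_option( $this->plugin_name . '-did', $did );
		return $did;
	}

	/**
	 * Return the DID if it matches one of the two DID methods the AT Protocol
	 * uses (did:plc, did:web), otherwise false. The patterns are this example's
	 * reading of the AT Protocol DID rules, not something taken from the plugin.
	 */
	public static function validate_did( $did ) {
		$did = trim( (string) $did );
		if ( strlen( $did ) > 2048 ) {
			return false;
		}
		// did:plc: 24 lowercase base32 characters.
		// did:web: a lowercase hostname, optionally followed by a port encoded as %3A.
		$pattern = '/^did:(?:plc:[a-z2-7]{24}|web:[a-z0-9](?:[a-z0-9\-.]*[a-z0-9])?(?:%3A[0-9]{1,5})?)$/';
		if ( ! preg_match( $pattern, $did ) ) {
			return false;
		}
		return $did;
	}
}
```

The same pattern (status check, decode check, type check, format check, then store) applies to the authorize(), post_message() and refresh_token() functions named above, with the format check adapted to whatever field each of them reads from the response.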

Wrong Sanitization Function

In the functions check_handle() and check_password() in the file /admin/class-neznam-atproto-share-admin.php the plugin sanitizes the value of $_POST[ $this->plugin_name . '-url' ] as text (with sanitize_text_field()) instead of as a URL. Here is an example of that:

// sanitize_text_field() strips tags and control characters but does not require a valid URL or scheme.
$logic->set_url( sanitize_text_field( wp_unslash( $_POST[ $this->plugin_name . '-url' ] ) ) );

Functions Used for sanitize_callback Functions Don’t Sanitize the Values

The check_handle() and check_password() functions in the file /admin/class-neznam-atproto-share-admin.php are used as sanitize_callback functions when using register_setting() to register settings, but don’t actually sanitize the values.
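The two findings above share one fix: register the settings with sanitize_callback functions that validate the value for what it is (a URL, a handle) and fall back to the stored value when validation fails. The following is an added example and not the plugin's code; the class name, the handle setting, the default URL and the validation rules are assumptions, and the '-url' option name comes from the review.

```php
<?php
// Added example, not the plugin's code. Class name, option names other than
// '-url', default values and validation rules are assumptions.

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Block direct requests to this file outside WordPress.
}

class Neznam_Atproto_Share_Settings_Example {

	private $plugin_name = 'neznam-atproto-share'; // assumed

	public function register() {
		register_setting(
			$this->plugin_name,
			$this->plugin_name . '-url',
			array(
				'type'              => 'string',
				'sanitize_callback' => array( $this, 'sanitize_url' ),
				'default'           => 'https://bsky.social',
			)
		);
		register_setting(
			$this->plugin_name,
			$this->plugin_name . '-handle',
			array(
				'type'              => 'string',
				'sanitize_callback' => array( $this, 'sanitize_handle' ),
				'default'           => '',
			)
		);
	}

	/**
	 * The PDS address must be an https:// URL that WordPress is willing to
	 * request. sanitize_text_field() would accept "not a url" or a
	 * javascript: string; esc_url_raw() with an https-only protocol list
	 * rejects both, and wp_http_validate_url() applies WordPress' own
	 * safe-request checks.
	 */
	public function sanitize_url( $value ) {
		$url = esc_url_raw( trim( (string) $value ), array( 'https' ) );
		if ( '' === $url || false === wp_http_validate_url( $url ) ) {
			add_settings_error(
				$this->plugin_name,
				'invalid-url',
				__( 'The PDS URL must be a valid https:// address.', 'neznam-atproto-share' )
			);
			// Keep the previously stored value rather than saving the bad one.
			return get_option( $this->plugin_name . '-url', '' );
		}
		return untrailingslashit( $url );
	}

	/**
	 * An AT Protocol handle is a DNS name. Accept only lowercase labels with a
	 * letter-initial top-level label; anything else keeps the stored value.
	 */
	public function sanitize_handle( $value ) {
		$handle  = strtolower( trim( ltrim( (string) $value, '@' ) ) );
		$pattern = '/^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{0,62}$/';
		if ( strlen( $handle ) > 253 || ! preg_match( $pattern, $handle ) ) {
			add_settings_error(
				$this->plugin_name,
				'invalid-handle',
				__( 'The handle must be a valid domain name, e.g. example.bsky.social.', 'neznam-atproto-share' )
			);
			return get_option( $this->plugin_name . '-handle', '' );
		}
		return $handle;
	}
}

// Settings are registered on admin_init, which is where the options screen
// and the REST settings endpoint both pick up the sanitize_callback.
add_action( 'admin_init', array( new Neznam_Atproto_Share_Settings_Example(), 'register' ) );
```

One caveat on wp_http_validate_url(): it rejects URLs that resolve to private or loopback addresses unless the http_request_host_is_external filter allows them, so a self-hosted PDS on a LAN address needs that filter or a looser check.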

Lack of Protection Against Direct Access to PHP Files

The plugin’s .php files don’t appear to be intended to be directly accessed, but only the main file contains protection against direct access. We didn’t see anything that could be exploited in the files without the restriction in place, but restricting access to them would ensure that there isn’t any issue with that.


Plugin Security Scorecard Grade for Neznam Atproto Share: B (checked on December 20, 2024)


2 thoughts on “WordPress Plugin Security Review: Neznam Atproto Share”

  1. Thanks for the great review! The newest update, v1.5.0, includes these fixes:
    * Uninstallation now removes all plugin settings, including creds
    * All inputs, both user-provided and API provided, are sanitized using the appropriate method. This uses WordPress-provided functions whenever possible, and local sanitization when it isn’t (e.g., there isn’t a WordPress function to validate an AtProto URI)

    Regarding your point of “Lack of Protection Against Direct Access to PHP Files”, all non-class files do a quick check for WPINC. However class files, following the WPCS, don’t include that. Examples of plugins following this example of “class files should only include the class definition” are Wordfence, RankMath, and Jetpack. So long as there’s linting in place to ensure class files never include anything else, do you still consider this Direct Access a risk? (I agree that it would be a risk if it wasn’t on files like index.php or uninstall.php)

    • WPCS isn’t a security solution, even if it gets treated that way far too often. Our Plugin Security Scorecard gives bad grades to Jetpack, Rank Math, and Wordfence Security for a variety of issues, including insecure code not detected by WPCS.

      We check all .php files for a restriction on direct access. There isn’t much risk from it being missing in general, but we can’t assume that developers would ensure class files never include anything else or other assumptions that developers are using good coding practices.
