16 Jan 2019

Defender Pro WordPress Plugin Flags Harmless Code in Plugin While Missing Actual Vulnerability

The most recent version of the plugin WP-Stateless was flagged by monitoring we do for a couple of reasons and in looking at those we yet another reminder of the better results caused by us doing the work that other in the security space don’t do, which leaves their customers at a large disadvantage (and if we had more customers could lead to better results for everyone using WordPress).

One of the reason it was flagged was due to our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, which flagged possible vulnerable code that led to us finding the plugin contains an authenticated remote code execution (RCE) vulnerability.

The other was that one of the changelog entries for that version was flagged as potentially referencing a security fix:

ENHANCEMENT – Updated depreciated function flagged by security software. GitHub Issue #300.<

That was a reference to the Defender Pro plugin flagging what seems like completely harmless code. The message that plugin was showing was:

There’s some suspicious looking code in the file wp-content/plugins/wp-stateless/vendor/usabilitydynamics/lib-utility/lib/class-utility.php. If you know the code is harmless you can ignore this warning. Otherwise, you can choose to delete this file. Before deleting any files from your site directory, we recommend backing up your website.

The code reference with that was:

array_walk_recursive( $arr, create_function( '&$item, $key', 'if (is_string($item)) $item = mb_encode_numericentity($item, array (0x80, 0xffff, 0, 0xffff), "UTF-8");' ) );

How the developers of that security plugin think the average user of it would know if code like that is harmless or not is beyond us. Deleting the whole file might be overkill, if say, it was malicious code added by a hacker to a legitimate file. Deleting that particular file would cause websites to be broken if the plugin it is part was enabled, so doing a backup would be more than something that should be recommend before doing that.

We are not sure what is even supposed to make that code suspicious, but the developer believed it was due to the usage the function create_function():

The warning was shown because of the create_function, it’s deprecated and uses eval() internally.

If that is the case that seems like a good indication that the developers of the Defender Pro plugin are not really thinking through what they are doing. That is a legitimate PHP function, so just flagging its usage in an indiscriminate way is not necessarily a great idea. As we noted when considering adding a check for it to our Plugin Security Checker tool in November of 2017, at the time 19 of 100 of the most popular plugins utilized it, while at the same we couldn’t “recall it being part of any disclosed vulnerabilities in WordPress plugins”. For us we decided to only mention it usage in the more advanced mode of our tool, designed for security professional and plugin developers, since there was reason to mention it since “it is being deprecated in PHP 7.2, and the PHP documentation for it suggest that “Relying on this function is highly discouraged”, but at the same time we didn’t wanted to cause unnecessary concern (we also don’t recommend indiscriminately deleting files).

Being overzealous in flagging code might make sense if it was at least catching real security issues others are not, but in that clearly isn’t the case here, as it missed the real vulnerability. By comparison our Plugin Security Checker would have warned you about the possibility of the real vulnerability. From there if you are a paying customer of our service you could have suggested/voted for it to receive a security review that would check over that or you could have ordered the same type of review separately.

Leave a Reply

Your email address will not be published.