14 Dec

Closures of Very Popular WordPress Plugins, Week of December 14

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and have yet to be reopened.

404 To Homepage

404 To Homepage, which has 30,000+ installations, was closed yesterday. No explanation has been given so far for the closure. In looking over the plugin we didn’t find any obvious security issues.

It has yet to be reopened.

Force HTTPS

Force HTTPS, which has 80,000+ installations, was closed yesterday. No explanation has been given so far for the closure. The plugin is by the same developer as 404 To Homepage. In looking over the plugin we didn’t find any obvious security issues.

It has yet to be reopened.

WordPress phpinfo()

WordPress phpinfo(), which has 30,000+ installations, was closed today. No explanation has been given so far for the closure. In looking over the plugin we didn’t find any obvious security issues.

It has yet to be reopened.

07 Dec

Closures of Very Popular WordPress Plugins, Week of December 7

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week one of those plugins was closed and has yet to be reopened.

Modula Image Gallery

Modula Image Gallery, which has 40,000+ installations, was closed on Wednesday. We found that security changes had been made after the closure, but the plugin was still insecure.

It has yet to be reopened.

06 Dec

Closure of Modula Image Gallery Leads to Disclosure of Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in It

Last week we started monitoring for closures of the 1,000 most popular WordPress plugins, and that alerted us to the plugin Modula Image Gallery, which has 40,000+ active installations and was closed yesterday. There have been two new versions released since it was closed. The first, 1.3.4, has a changelog entry of “wp.org review” and there are quite a few security-related changes made in that version.

In a quick check over the code none of them stood out as being obviously related to a vulnerability, as opposed to a general security improvement, and no possible security issues were picked up by our Plugin Security Checker, so we moved on to installing a copy of version 1.3.3 and checking for any easy-to-spot vulnerabilities that way. We almost immediately found that the plugin had an authenticated persistent cross-site scripting (XSS) vulnerability, but a closer look showed that part of this isn’t fixed as of version 1.3.5.

The plugin allows users with the “edit_posts” capability to create new photo galleries, so normally users with the Contributor and Author roles would be among those allowed to do that. Those users normally wouldn’t have the “unfiltered_html” capability, so they shouldn’t be allowed to post JavaScript code into pages, but they are allowed to do just that through the “Custom scripts” portion of the gallery configuration.

As of version 1.3.4 some sanitization is applied to that field, which blocks some JavaScript code from being entered, but as the proof of concept below shows, JavaScript code can still run.
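The underlying problem is that a field meant to hold raw JavaScript is writable by users who lack “unfiltered_html”. The following is an added example, not Modula’s own code, of gating that field on the capability at save time and of auditing existing galleries for the condition; it assumes WordPress is loaded, and the function and meta-key names are hypothetical.

```php
<?php
/*
 * Added example (not Modula's own code): gate a gallery's "Custom scripts"
 * field on the unfiltered_html capability when the settings are saved.
 * Assumes WordPress is loaded; function and meta-key names are hypothetical.
 */

function pv_example_save_custom_scripts( int $gallery_id, array $settings ): string {
    $scripts = isset( $settings['custom_scripts'] ) ? (string) $settings['custom_scripts'] : '';

    // Contributors and Authors have edit_posts (so they can create galleries)
    // but not unfiltered_html, so they must not be able to store JavaScript.
    // Dropping the field is safer than trying to filter it: the proof of
    // concept in this post shows a partial filter still lets JavaScript run.
    if ( '' !== $scripts && ! current_user_can( 'unfiltered_html' ) ) {
        $scripts = '';
    }

    update_post_meta( $gallery_id, '_pv_example_custom_scripts', $scripts );
    return $scripts;
}

// Audit-side companion for existing data: a non-empty scripts field on a
// gallery whose author lacks unfiltered_html is exactly the condition the
// vulnerability depended on, so it is worth reviewing by hand.
function pv_example_gallery_scripts_are_suspicious( int $gallery_id ): bool {
    $scripts = (string) get_post_meta( $gallery_id, '_pv_example_custom_scripts', true );
    if ( '' === $scripts ) {
        return false;
    }
    $author_id = (int) get_post_field( 'post_author', $gallery_id );
    return ! user_can( $author_id, 'unfiltered_html' );
}
```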

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon).

Also we hope this type of public disclosure might teach the WordPress folks that closing plugins and then having the changes made public before they are reopened is counterproductive to their stated goal with the handling of security issues in plugins (in one recent incident it looks like it led to websites being hacked).

Proof of Concept

When you set the “Custom scripts” portion of the gallery to the following, any available cookies will be shown in an alert box on the page with the gallery’s shortcode:

alert(document.cookie);

30 Nov

Closures of Very Popular WordPress Plugins, Week of November 30

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and then reopened. One of the three was closed due to a vulnerability and another was closed due to the security of the plugin, though there don’t appear to be any vulnerabilities related to that. That two thirds of those were for security issues is out of line with a broader claim made just today by a member of the team that handles plugins, who claimed that “most of the time when a plugin is delisted, it is not for a security issue.”

Google Maps Widget

Google Maps Widget, which has 100,000+ active installations according to wordpress.org, was closed on Monday. At that point we were already warning our customers about a vulnerability in the current version, since we were the ones that discovered it.

The plugin returned on Tuesday.

Ditty News Ticker

Ditty News Ticker, which has 40,000+ installations, was closed on Tuesday. The developer stated the following was the reason for the closure:

Someone reported a minor potential security issue with Ditty News Tickers.

Looking at the original changes made in response to that we didn’t see anything that looks like a vulnerability that was being fixed. There was sanitization done on user input using esc_html(), but it doesn’t look like any of that was then being used in a way where that would have mattered. For example, one of the changes involved adding escaping to the first line below:

$page = isset( $_GET['tickpage'] ) ? esc_html($_GET['tickpage']) : 1; // esc_html() call added by the change
$offset = ($page-1) * $_mtphr_dnt_list_tick_count; // value is then used only as a number

Any malicious JavaScript would get lost when the second line is run. Though the sanitization there doesn’t look correct, since the value is intended to be an integer. We contacted the developer and let them know about that and additional changes were made.
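esc_html() is an output-escaping function and does not turn a request parameter into a number, so the right fix for a value used as a page index is to validate its type. The following is an added example, not Ditty News Ticker’s code, with a hypothetical function name and constructed inputs, showing how the tickpage value and offset would be handled:

```php
<?php
/*
 * Added example (not Ditty News Ticker's code). The snippet above escapes
 * $_GET['tickpage'] with esc_html() and then does arithmetic on it; esc_html()
 * targets HTML output and leaves the value a string. Validate it as a
 * positive integer instead. Function name is hypothetical.
 */

function pv_example_tick_pagination( $raw_page, int $per_page ): array {
    // Accept only a string of ASCII digits not starting with 0; anything else
    // falls back to page 1. The is_string() check also covers ?tickpage[]=1,
    // which arrives as an array and would make esc_html() or arithmetic fail.
    // This rejects "<script>", "3abc", "-2" and "1e3" alike instead of relying
    // on PHP's loose string-to-number conversion during the subtraction.
    $page = ( is_string( $raw_page ) && preg_match( '/^[1-9][0-9]*$/', $raw_page ) )
        ? (int) $raw_page
        : 1;

    $offset = ( $page - 1 ) * $per_page;
    return array( 'page' => $page, 'offset' => $offset );
}

// Constructed inputs (not from the plugin) covering the cases a request can carry.
$cases = array( '3', '<script>alert(1)</script>', '3abc', '-2', '', array( '1' ) );
foreach ( $cases as $raw ) {
    $r = pv_example_tick_pagination( $raw, 5 );
    printf( "%-30s page=%d offset=%d\n", str_replace( "\n", '', var_export( $raw, true ) ), $r['page'], $r['offset'] );
}
```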

The plugin was reopened on Wednesday.

Cookie Notice

Cookie Notice (Cookie Notice for GDPR), which has 900,000+ installations, was closed on Thursday.

We looked over the plugin on Thursday and there were not any obvious security issues that we could spot.

On Friday morning the developer explained the reason for the closure:

Wanted to inform all of you that the reason for closing the plugin was NOT a security issue.

The problem reported by the Plugin Review Team is as follows:

“Your plugin claims 100% GDPR Compliance.

Before that happened you had one of the moderators of the WordPress Support Forum, Jan Dembowski, as usual acting inappropriately in a topic about the closure. By the time we ran across that thread apparently a number of replies after Jan Dembowski’s had been deleted, based on the next reply at that point:

And why are all the other answers from other people here deleted?
That’s not serious. If the plugin has a security hole it would just be fair to inform the users, otherwise their systems are at risk. That’s not funny to deal in this manner.

The next response tried to explain to Jan Dembowski why their handling of this is less than optimal:

When a plugin is closed it could be for a variety of reasons. Those reasons are not disclosed or discussed as it could be a security issue or it could be a plugins guidelines issue.

Well, that is the reason because people are ASKING. Because there could be many reasons. If you ran into this issue again and again, you need to change the communication about this. And just deleting threads is not a great answer to those communication problems.

Please be patient, if the author wishes to reply then I am sure they will.

Well, this is easy to say – if you know what is going on. But there are more than 900k users that DON’T KNOW what is going on. And we don’t know WHEN or IF the plugin will be returning into repository. So maybe you can understand why there are users that are concerned and expect the worst (a big security issue)…

Instead of being willing to have a productive discussion, they closed the topic and wrote in part:

OK, sniping at other moderators isn’t a good idea. I’ve archived that reply and flagged that account. You know who you are.

We’ve gone past a productive conversation here.

You also had another moderator, Andrew Nevins, not understanding why what is going on needs to be handled differently, writing this:

Guys please calm down. As it is, we don’t disclose it before the resolution of those issues. If this is too uncertain then I recommend uninstalling the plugin from your installations.

To make things confusing for anyone trying to listen to the moderators, in another thread about the closure you had another moderator write this:

Taking pre-emptive measures like removing the plugin just because it was delisted is never really necessary.

Considering what the issue is, telling people what that was would have had no negative consequence, beyond possible complaints about closing it for such a minor issue. Unfortunately the moderators have a complete inability to operate in an adult, professional manner (if you looked at Jan Dembowski’s Twitter account you probably wouldn’t know they are an adult at all) and they have unfettered ability to operate inappropriately because there apparently is no one else that is able to act like an adult on the WordPress side of things.

The plugin was reopened later on Friday.