One of the things we seem to be unique in doing is monitoring for hackers probing for usage of WordPress plugins before exploiting vulnerabilities in them. That is despite other security companies claiming to do the same, and despite their needing to do that to be able to prevent exploitation. Today through that we saw probing for the plugin PPOM for WooCommerce with requests for these files from it:
In looking over some of the instances where plugins have been run through our Plugin Security Checker tool and have been flagged for possibly containing open redirect vulnerabilities, what we have usually found is that these lead to vulnerabilities that are limited in scope, say the redirect can only occur for logged-in Administrators. With the plugin JSON API, which someone checked with the tool recently, there isn’t any restriction.
Earlier this week one of the most popular WordPress plugins, Maps Widget for Google Maps, which has 100,000+ installs, was closed on the Plugin Directory and then reopened after the name was changed (it was previously Google Maps Widget) and security changes were made. One of the security changes doesn’t really make sense to us. In the file /gmw-tracking.php this line was changed:
The plugin Essential Grid Portfolio – Photo Gallery was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 400,000+ installs, so we were alerted to its closure. When we started looking into the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service about, we found that the situation with the plugin seemed odd. The plugin has 400,000+ installs, but was only added to the Plugin Directory on July 22.
The latest version of Woody ad snippets includes the changelog entry “Fixed: Some issues with plugin security.”. We are currently in the process of getting a better handle on the full impact of a security issue fixed in that version. While we continue to do that, we thought it prudent to move ahead with disclosure of another related vulnerability we found while looking into that, which hasn’t been fixed. Considering the multiple issues that led to this additional vulnerability, we would recommend against using the plugin until it has been more fully reviewed for security issues.
The plugin Simple Membership was closed on the WordPress Plugin Directory Monday of last week. That appears to have been due to a relatively minor vulnerability. It also appears that the team running the Plugin Directory required additional security improvements, based on the changes made after that was fixed. What they missed was, to us, an obvious issue; it was so obvious that we had noticed it almost immediately, and only noticed the issue that looks to have led to the closure after more checking. Since it isn’t a vulnerability on its own, we waited a bit to see if anyone else noticed, but it would seem not, since it is still in the plugin more than a week after the plugin was reopened.
Limiting information on vulnerabilities being fixed in WordPress plugins isn’t a great idea, as we were reminded this week when the discoverer of a vulnerability didn’t disclose it until after hackers had started more widely exploiting the vulnerability, leaving most everyone else in the dark about what was going on (customers of our service were warned before the widespread hacking happened because we do the work to keep ahead of things). Another reason for providing information in a timely manner is that often vulnerabilities haven’t been fully fixed or there are more related vulnerabilities that haven’t been fixed. That is the case with the plugin WP Shopify, where, when we went to look into the possibility that a vulnerability had been fixed, we spotted what turned out to be a related unfixed vulnerability before we even figured out what the fixed vulnerability was.
A core problem with the handling of security issues with WordPress plugins is the team running the Plugin Directory, who have shown themselves not to be up to the task of handling the role they are in. Part of that involves an inability to work with others to fix the problems the team is causing. That seems in part due to a belief that they have capabilities they don’t. You can get a taste of that from the bio for one of the members, which reads in part:
One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability being introduced into the plugin uListing, which can also be exploited through cross-site request forgery (CSRF). The vulnerability occurs in code handled through WordPress’ REST API, which is increasingly a vector through which vulnerabilities in WordPress plugins are accessible. (We have included checking over functionality running through the REST API in our security reviews of WordPress plugins since earlier this year due to the prevalence of issues.)
One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a restricted file upload vulnerability in the brand new plugin GA Top Posts.