10 Jan

WordPress Plugin Security Review: WordPress Notification Bar

Recently we started reviewing the security of the WordPress plugins we use, and for our third review we checked the security of the plugin WordPress Notification Bar.

If you want a security review of plugins you use, when you become a paying customer of our service you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 1.3.9 of WordPress Notification Bar. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found a couple of really minor issues. After we notified the developer of the results they replied the same day that changes would be made in relation to those, though in the week since then that has yet to happen.

Lack of Capabilities Check When Resetting Settings

The plugin has a function reset_defaults(), which is accessible to anyone as it runs during admin_init, so it should check to make sure the request for the reset is coming from a user with the proper capability. The function does check for a valid nonce, so in normal circumstances it shouldn’t be possible for those without the proper capability to get access to a valid nonce, but that shouldn’t be relied on alone.

Somewhat oddly, while the reset capability has existed since the first version of the plugin, the code that would provide the frontend for it has been commented out since the first version as well, so it has never been accessible through normal usage of the plugin. In the developer’s response they mentioned that they had removed that due to the limited number of settings.

Lack of Protection Against Direct Access to PHP Files

The plugin’s .php files lack code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place.

02 Jan

WordPress Plugin Security Review: Share Buttons by AddThis

For our 23rd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Share Buttons by AddThis (WordPress Share Buttons Plugin – AddThis).

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 6.1.8 of Share Buttons by AddThis. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found a couple of very minor issues with the plugin. We notified the developer of the issues a couple of weeks ago and they responded that the information has been passed on to their engineering team. No changes have been made to the plugin yet.

Precautionary Escaping

The function getInlineCodeForShortCode() in the file /backend/AddThisPlugin.php can output a value supplied by a low privileged user when it is called by the function shortCodeByDomClass(), as it takes a value specified when a shortcode is used. While it looks like that value would already be sanitized by WordPress, it could be made more secure by escaping the value using esc_attr(). That occurs on line 1227:

$html .= '<div class="'.$cssClass.' addthis_tool"></div>';

Lack of Protection Against Direct Access to Files

The plugin’s .php files lack code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place.

18 Dec

WordPress Plugin Security Review: Compress JPEG & PNG images

For our 22nd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Compress JPEG & PNG images.

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

The review was done on version 3.1.0 of Compress JPEG & PNG images. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found several issues with the plugin. We notified the developer of the issues a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.

Insecure AJAX functions

The functions accessed by the following AJAX registrations don’t have a capabilities check to limit who can access them despite it looking like they should be limited to only certain types of users:

  • wp_ajax_tiny_account_status
  • wp_ajax_tiny_settings_create_api_key
  • wp_ajax_tiny_settings_update_api_key
  • wp_ajax_tiny_get_optimization_statistics
  • wp_ajax_tiny_get_compression_status
  • wp_ajax_tiny_async_optimize_upload_new_media

Those would allow anyone logged in to WordPress to gain access to data and settings related to the plugin as well as allowing them to change the API key for the plugin or run the plugin’s main functionality of compressing an image already loaded on the website.

The functions accessed by the following AJAX registrations lack cross-site request forgery (CSRF) protection despite looking like they should have it:

  • wp_ajax_tiny_settings_create_api_key
  • wp_ajax_tiny_settings_update_api_key
  • wp_ajax_tiny_async_optimize_upload_new_media

Those could allow an attacker to cause someone logged in to WordPress to change the plugin’s settings or compress an image already loaded on the website.

Permissive Access to Nonce

In the WordPress documentation on nonces, which are used to protect against CSRF, the following warning is provided:

Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.

This plugin provides an example of the fact that access to nonces is not always correctly limited, which makes dual layers of protection a very good idea.

What we found was that anyone logged in to WordPress that has access to the admin area has access to the nonce used for all but one of the AJAX functions. That is due to the nonce being added to all admin pages with the function enqueue_scripts() and on the admin dashboard through the function add_dashboard_widget().

Lack of Protection Against Direct Access to Files

The plugin’s .php files lack code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place.

06 Dec

WordPress Plugin Security Review: Classic Editor

Recently we mentioned we are long overdue reviewing the security of the WordPress plugins we use, so here is the start of that. We start with a plugin that we didn’t expect to have any issues, but considering how many websites have started using it recently, it seems like a good place to start. That plugin is Classic Editor, which “restores the previous WordPress editor and the Edit Post screen and makes it possible to use the plugins that extend it, add old-style meta boxes, or otherwise depend on the previous editor” and now has 600,000+ installations according to wordpress.org.

If you want a security review of plugins you use, when you become a paying customer of our service you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.

The review was done on version 0.5 of Classic Editor. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found no issues with any of the checked items in version 0.5 of Classic Editor.

06 Dec

WordPress Plugin Security Review: WP Email Delivery

For our 21st security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin WP Email Delivery.

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 1.1.2.7 of WP Email Delivery. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found two relatively minor issues. We notified the developer of the issues a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.

Test Email Sending

The plugin has functionality for sending a test email, which is intended to be sent by logged in Administrators, seeing as the frontend for that is the plugin’s admin page, which is accessible only to users with the “manage_options” capability that only Administrators normally have. The code that handles the request for that, though, is accessible to anyone even if they are not logged in.

The check for a request to do that is handled in the function register_settings():

if(isset( $_POST[ $this->base .'test_email' ] )){
	$this->send_test_email();
}

That function runs during admin_init, which will run when accessing the right page even if someone is not logged in:

add_action( 'admin_init' , array( $this, 'register_settings' ) );

The functions that handle the sending of the test email, starting with send_test_email(), don’t do any security checks, so they don’t limit who can send the test email.

What makes this of limited use for abuse is that the only user specified part of the email is the address it is sent to, so it couldn’t be abused to send spam.
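The same missing check appears in WordPress Notification Bar’s reset_defaults() and in the Compress JPEG & PNG images AJAX handlers and nonce exposure above. As an added example that is not code from any of those plugins, here is the handler pattern those findings call for: capability check plus nonce on anything reachable through admin_init or wp_ajax_*, and the nonce only emitted on the plugin’s own settings page. Example_Plugin, the example_* names and the settings_page_example hook suffix are hypothetical.

```php
<?php
// Added example, not code from any plugin reviewed on this page. It shows
// the handler pattern those findings call for: anything reachable through
// admin_init or a wp_ajax_* action checks BOTH a capability and a nonce,
// and the nonce is only emitted on the plugin's own settings page.
// Example_Plugin, the example_* names and settings_page_example are
// hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
	exit; // also blocks direct requests to this file
}

class Example_Plugin {
	const CAP = 'manage_options'; // Administrators only, by default

	public function __construct() {
		// admin_init also fires for admin-ajax.php and admin-post.php
		// requests, which need no login, so the handler must decide for
		// itself who is allowed to act.
		add_action( 'admin_init', array( $this, 'handle_settings_post' ) );
		add_action( 'wp_ajax_example_update_api_key', array( $this, 'ajax_update_api_key' ) );
		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ) );
	}

	public function handle_settings_post() {
		if ( ! isset( $_POST['example_reset_defaults'] ) && ! isset( $_POST['example_test_email'] ) ) {
			return;
		}
		// Authorization first: a leaked nonce is useless to a Subscriber
		// when the capability check is enforced by WordPress itself.
		if ( ! current_user_can( self::CAP ) ) {
			wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
		}
		// CSRF protection second: dies with 403 on a missing or bad nonce.
		check_admin_referer( 'example_settings', 'example_nonce' );

		if ( isset( $_POST['example_reset_defaults'] ) ) {
			update_option( 'example_settings', $this->default_settings() );
		}
		if ( isset( $_POST['example_test_email'] ) ) {
			$to = sanitize_email( wp_unslash( $_POST['example_test_to'] ?? '' ) );
			if ( is_email( $to ) ) {
				wp_mail( $to, 'Example test email', 'Delivery works.' );
			}
		}
	}

	public function ajax_update_api_key() {
		// check_ajax_referer() ends the request unless a valid nonce for
		// the 'example_ajax' action arrives in $_REQUEST['_ajax_nonce'].
		check_ajax_referer( 'example_ajax', '_ajax_nonce' );
		if ( ! current_user_can( self::CAP ) ) {
			wp_send_json_error( 'forbidden', 403 );
		}
		$key = sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) );
		if ( '' === $key ) {
			wp_send_json_error( 'empty key', 400 );
		}
		update_option( 'example_api_key', $key );
		wp_send_json_success();
	}

	public function enqueue_scripts( $hook_suffix ) {
		// Emit the nonce only on this plugin's settings page and only to
		// users who may use it, not on every admin screen and the dashboard.
		if ( 'settings_page_example' !== $hook_suffix || ! current_user_can( self::CAP ) ) {
			return;
		}
		wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
		wp_localize_script( 'example-admin', 'exampleAjax', array(
			'url'   => admin_url( 'admin-ajax.php' ),
			'nonce' => wp_create_nonce( 'example_ajax' ),
		) );
	}

	private function default_settings() {
		return array( 'enabled' => false, 'message' => '' );
	}
}
new Example_Plugin();
```

With this ordering a user who can view the dashboard but lacks manage_options never receives the nonce, and even a user who obtains one is stopped by current_user_can() before any option is touched.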

Lack of Protection Against Direct Access to PHP Files

Two .php files in the plugin, /includes/misc-functions.php and /includes/legacy/wped.wp-mail.php, are not intended to be directly accessed but do not contain protection against direct access. In one of them nothing runs when it is accessed directly because it only defines functions, and the other hits a fatal error when trying to run its first line of code, so there is nothing exploitable if they are accessed. Other files in the plugin do contain protection against that.

03 Dec

WordPress Plugin Security Review: Conditional CAPTCHA

For our 20th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Conditional CAPTCHA.

If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 4.0.0 of Conditional CAPTCHA. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Security issues with usage of add_option(), delete_option(), and update_option()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found one issue; it is not something we check for as part of the review, but we noticed it when checking for reflected cross-site scripting (XSS) vulnerabilities. We notified the developer of the issue a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.

Arbitrary Comment Approval

In the plugin’s code that handles what to do if the CAPTCHA is entered correctly, the code will take an action with the comment specified by the plugin’s settings. One option is to approve the comment. The problem with this comes from the fact that the code, as shown below, takes the action against a comment specified by user input, the POST input “trashed_id”, and doesn’t actually check if the comment the action is being taken with is the one that led to the CAPTCHA being shown, so this can be abused to, for example, approve any comment that was previously intentionally trashed.

if( $stored = get_comment( $_POST['trashed_id'] ) ) {
	// change status. this will call wp_notify_postauthor if set to approve
	// note, newer versions of Akismet will not register a false positive just from the status transition, because it explicitly checks to make sure the change was not made by a plugin
	wp_set_comment_status( $stored->comment_ID, $this->options['pass_action'] );
}

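
One way to bind the post-CAPTCHA action to the comment that actually triggered the CAPTCHA, as an added example that is not Conditional CAPTCHA’s own code: the comment ID is folded into a nonce action when the form is rendered, and a comment meta marker records which comments the plugin itself put aside. The example_* functions, the captcha_token field and the _example_captcha_pending meta key are hypothetical.

```php
<?php
// Added example: not code from Conditional CAPTCHA. It shows one way to
// tie the post-CAPTCHA action to the comment the CAPTCHA was issued for,
// so the trashed_id field cannot simply be pointed at another comment.
// All example_* names and the captcha_token field are hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Called when the plugin moves a new comment aside and shows the CAPTCHA.
// It records that this comment is awaiting a CAPTCHA and returns a token
// whose nonce action embeds the comment ID, so it verifies for no other ID.
function example_captcha_issue_token( $comment_id ) {
	$comment_id = (int) $comment_id;
	update_comment_meta( $comment_id, '_example_captcha_pending', time() );
	return wp_create_nonce( 'example_captcha_' . $comment_id );
}

// Hidden fields for the CAPTCHA form; the token travels with trashed_id.
function example_captcha_hidden_fields( $comment_id ) {
	$comment_id = (int) $comment_id;
	echo '<input type="hidden" name="trashed_id" value="' . esc_attr( $comment_id ) . '">';
	echo '<input type="hidden" name="captcha_token" value="'
		. esc_attr( example_captcha_issue_token( $comment_id ) ) . '">';
}

// Runs when the CAPTCHA answer is correct. $pass_action is the configured
// outcome, as in the plugin's options['pass_action']. Returns true when the
// status was changed and false when the request was not tied to the comment.
function example_captcha_passed( $pass_action ) {
	$comment_id = isset( $_POST['trashed_id'] ) ? (int) $_POST['trashed_id'] : 0;
	$token      = isset( $_POST['captcha_token'] )
		? sanitize_text_field( wp_unslash( $_POST['captcha_token'] ) ) : '';

	// 1. The token must have been minted for exactly this comment ID.
	if ( $comment_id <= 0 || ! wp_verify_nonce( $token, 'example_captcha_' . $comment_id ) ) {
		return false;
	}

	// 2. The comment must be one this plugin put aside, not a comment a
	//    moderator trashed on purpose; the marker is consumed on success so
	//    the same token cannot be replayed after a moderator re-trashes it.
	$stored = get_comment( $comment_id );
	if ( ! $stored || ! get_comment_meta( $comment_id, '_example_captcha_pending', true ) ) {
		return false;
	}
	delete_comment_meta( $comment_id, '_example_captcha_pending' );

	// 3. Only now change the status; as in the original code this notifies
	//    the post author when $pass_action is 'approve'.
	wp_set_comment_status( $stored->comment_ID, $pass_action );
	return true;
}
```

Nonces for logged-out visitors are not tied to a session, so the marker in step 2 is what stops a token from being reused once the comment has been handled.
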
14 Sep

WordPress Plugin Security Review: Regenerate Thumbnails

For our nineteenth security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Regenerate Thumbnails.

If you are not yet a customer of the service you can currently sign up for the service for half off and then start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins (now accessible through a WordPress plugin of its own) to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.

The review was done on version 3.0.2 of Regenerate Thumbnails. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found one really minor issue.

Lack of Protection Against Direct Access to PHP Files

Two .php files in the plugin are not intended to be directly accessed but do not contain protection against direct access. The files only define classes, so there is nothing exploitable if they are accessed and adding a restriction has limited value.

13 Jul

WordPress Plugin Security Review: Stagehand Events

We were recently hired to do a security review of the WordPress plugin Stagehand Events.

The review was done on version 1.0.5 of Stagehand Events. We checked for the following issues during this review:

  • Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
  • Deserialization of untrusted data
  • Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
  • Persistent cross-site scripting (XSS) vulnerabilities in publicly accessible portions of the plugin
  • Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
  • SQL injection vulnerabilities (the code that handles requests to the database)
  • Reflected cross-site scripting (XSS) vulnerabilities
  • Security issues with functions accessible through any of the plugin’s shortcodes
  • Security issues with functions accessible through the admin_action action
  • Security issues with functions accessible through the admin_init action
  • Security issues with import/export functionality
  • Security issues with usage of is_admin()
  • Host header injection vulnerabilities
  • Lack of protection against unintended direct access of PHP files
  • Insecure and unwarranted requests to third-party websites
  • Any additional possible issues identified by our Plugin Security Checker

Results

We found no issues with any of the checked items in version 1.0.5 of Stagehand Events.