22 Jul 2019

Our Plugin Security Checker Caught an Authenticated Open Redirect Vulnerability in Breeze

Our Plugin Security Checker allows anyone to check WordPress plugins for the possibility of some types of security vulnerabilities. While the tool is something we would describe as being far from advanced in what it can do, with the current state of security with WordPress plugins it has been able to spot vulnerabilities even in fairly popular plugins. That is the case with the plugin Breeze, which has 70,000+ installs, where it flagged the possibility of an open redirect vulnerability. A quick check confirmed that there is one, though it is an authenticated variant, which makes it of limited concern; it is also something that could have easily been avoided.

The tool identified the following two lines of code as possibly leading to an open redirect: [Read more]

30 May 2019

Authenticated Open Redirect Vulnerability in Paid Memberships Pro

One ongoing indication of the poor security of WordPress plugins is how often our Plugin Security Checker, an automated tool for identifying some possible security issues with plugins, picks up vulnerabilities in fairly popular plugins. We would not describe the tool as being advanced by any means, so the fact that it keeps finding them is not a great indication of how plugins’ security is being handled. In looking over some of the recent results for plugins in the Plugin Directory that were checked through it, to see if we could further improve its results, we found that the plugin Paid Memberships Pro, which has 80,000+ active installations according to wordpress.org, contains an authenticated open redirect vulnerability.

That is a type of vulnerability that isn’t really a concern in terms of being exploited on the average website, but it is something that looks like it could have easily been avoided. You can check the plugins you use to see if they are possibly impacted by a similar issue or a number of other issues through the tool for free. [Read more]

6 Dec 2018

Here Is Yet Another Vulnerability Spotted by Our Plugin Security Checker in the WordPress Plugin Ultimate Member

The WordPress plugin Ultimate Member was the cause of too many websites being hacked back in August. We say too many because, for some inexplicable reason, the developer didn’t promptly fix a vulnerability that was being exploited. It probably then isn’t surprising that as we improve our Plugin Security Checker, an automated tool that you can use to check if plugins you use have possible security issues that should be looked into further, Ultimate Member keeps getting flagged for additional possible security issues.

So far it has already flagged a reflected cross-site scripting (XSS) vulnerability, another reflected cross-site scripting (XSS) vulnerability, and a cross-site request forgery (CSRF)/remote code execution vulnerability. [Read more]

30 Nov 2018

Vulnerability Details: Authenticated Open Redirect in Ninja Forms

We started the week out mentioning the issue of authenticated open redirects in popular plugins and it looks like we haven’t been the only ones looking into this recently, as version 3.3.19.1 of the very popular Ninja Forms, which has 1+ million active installations according to wordpress.org, had this as its changelog entry:


[Read more]

28 Nov 2018

Vulnerability Details: Authenticated Open Redirect in Nifty Coming Soon & Maintenance page

Two days ago we fully disclosed an authenticated open redirect vulnerability in the plugin Google Maps Widget. It turns out the developer has other plugins that shared the same issue, as another of their plugins, Nifty Coming Soon & Maintenance page, was updated yesterday and one of the changelog entries is “minor vulnerability removed”. Looking at the changes made in that version we found the same issue being fixed.


[Read more]

27 Nov 2018

Vulnerability Details: Authenticated Open Redirect in Minimal Coming Soon & Maintenance Mode

Yesterday we fully disclosed an authenticated open redirect vulnerability in the plugin Google Maps Widget. It turns out the developer has other plugins that shared the same type of issue, as another of their plugins, Minimal Coming Soon & Maintenance Mode, was updated today and one of the changelog entries is “wp_redirect() vulnerability fix”. Looking at the changes made in that version we found it was modified to fix the same type of issue.


[Read more]

27 Nov 2018

Vulnerability Details: Authenticated Open Redirect in Under Construction

Yesterday we fully disclosed an authenticated open redirect vulnerability in the plugin Google Maps Widget. It turns out the developer has other plugins that shared the same issue, as another of their plugins, Under Construction, was updated today and one of the changelog entries is “wp_redirect() vulnerability fix”. Looking at the changes made to the plugin we found that several hours after version 3.25 was released it was modified to fix the same issue.


[Read more]

26 Nov 2018

Our Plugin Security Checker Now Identifies the Possibility of Vulnerabilities Like This One in a WordPress Plugin with 100,000+ Installs

We often find that the various things that we do lead to improvements in other things we do. That just came up in something we started looking into while working on a security review of a WordPress plugin chosen by our customers, which has led to an improvement in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. While looking at code in the plugin we were checking over for another reason, we noticed that the possibility of an open redirect vulnerability might be in the code. Because of the specifics of the code that seems unlikely to be exploitable, and it doesn’t look like the code was actually being used (which has been a recurring thing we have noticed when looking at possibly vulnerable code recently). An open redirect vulnerability allows a request to one page to be redirected to an arbitrary URL, which is something spammers have been known to abuse. After seeing that code we got the idea of adding a check for similar code to our Plugin Security Checker.

In doing due diligence before adding that check we took a look over the 1,000 most popular plugins available in the Plugin Directory to see what it might pick up. We found that over 10 plugins were flagged by it. In many cases it looks like those plugins should actually be using a different function that would avoid the issue. Let’s look at an example where we confirmed that there is in fact a vulnerability, though it is only exploitable against someone logged in to WordPress. That would limit its usefulness to spammers, but it could be used to disguise that a hacker is trying to get a logged in user to click a link that takes them to another website, which in turn causes that logged in user to exploit another vulnerability without intending to. [Read more]
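To make concrete what a check of this kind looks for, and where it stops, here is an added example in Python. It is not the Plugin Security Checker’s own code; the regular expressions, the one-pass variable tracking (which ignores PHP function scope) and the choice of wp_validate_redirect() as the only thing that clears a value are simplifications made for this example. The PHP it scans is constructed for the example and is not taken from any plugin. The point it illustrates is the one above: wp_redirect() accepts any URL, so feeding it request input gives an open redirect, while wp_safe_redirect() (or wp_validate_redirect() in front of wp_redirect()) limits the target to the site’s own hosts and those added through the allowed_redirect_hosts filter. Note that esc_url_raw() does not help here: it cleans the URL but places no restriction on the host.

```python
"""Toy static check for user-controlled wp_redirect() calls in PHP source.

Added example (not the Plugin Security Checker's code). It flags a
wp_redirect() call when its argument comes from a request superglobal,
either directly or through a variable assigned earlier in the same file,
unless the value went through wp_validate_redirect(). wp_safe_redirect()
is never flagged because it validates the target itself.
"""
import re

# Request superglobals treated as attacker-controlled input.
TAINT_SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# `$var = <expr>;` with a single '=' (so '==' comparisons do not match).
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*([^;]+);")
# The call being audited: wp_redirect( <arg> );
REDIRECT_CALL = re.compile(r"\bwp_redirect\s*\(\s*(.*?)\s*\)\s*;")
# Passing the value through wp_validate_redirect() restricts it to allowed hosts.
VALIDATED = re.compile(r"\bwp_validate_redirect\s*\(")
VAR = re.compile(r"\$\w+")

# Constructed sample input for this example; not any real plugin's code.
SAMPLE_PHP = """<?php
// Constructed sample for this example; not taken from any real plugin.
function example_handler() {
    if ( isset( $_GET['redirect'] ) ) {
        wp_redirect( $_GET['redirect'] );
        exit;
    }
}
function sanitized_but_still_open() {
    $target = esc_url_raw( $_REQUEST['return'] );
    wp_redirect( $target );
    exit;
}
function fixed_with_safe_redirect() {
    wp_safe_redirect( $_GET['redirect'] );
    exit;
}
function fixed_with_validate() {
    $target = wp_validate_redirect( $_GET['redirect'], admin_url() );
    wp_redirect( $target );
    exit;
}
function constant_target() {
    wp_redirect( admin_url( 'options-general.php' ) );
    exit;
}
"""


def is_tainted(expr, tainted_vars):
    """True if expr carries request input that was never host-validated."""
    if VALIDATED.search(expr):
        return False
    if TAINT_SOURCE.search(expr):
        return True
    return any(v in tainted_vars for v in VAR.findall(expr))


def find_open_redirects(php_source):
    """Return [(line_no, argument)] for wp_redirect() calls fed by request input."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            if is_tainted(rhs, tainted):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned to a clean value
        m = REDIRECT_CALL.search(line)
        if m and is_tainted(m.group(1), tainted):
            findings.append((line_no, m.group(1)))
    return findings


if __name__ == "__main__":
    for line_no, arg in find_open_redirects(SAMPLE_PHP):
        print(f"line {line_no}: wp_redirect( {arg} ) uses request input")
```

Run against the sample it reports the two calls that reach wp_redirect() with request input (the direct $_GET use and the one that only went through esc_url_raw()), and stays quiet for the wp_safe_redirect() call, the wp_validate_redirect() call and the constant admin_url() target. A real check has to decide what else counts as a sanitizer and how far to follow values; this one deliberately follows nothing beyond a single assignment, which is why something like it will also produce false positives that need a manual look, as described in the post above.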

16 Jun 2017

Vulnerability Details: Authenticated Open Redirect in WordPress Download Manager

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and in those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information.


[Read more]