One of the ways we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated PHP object injection vulnerability being introduced in to the plugin Blog2Social: Social Media Auto Post & Scheduler, which can also be exploited through cross-site request forgery (CSRF).
With WordPress plugins that should have obvious heightened security risk we have often found that the security is poor, maybe even poorer that the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.
On Friday there was a security change made related to PHP object injection to one of the most popular WordPress plugins, Formidable Forms, which has 200,000+ installs. The relevant code seemed to be something that should have been flagged by our Plugin Security Checker and proactive monitoring, but we found that it wasn’t due to usage of an alternate function to what is usually used with vulnerable code. Its usage is so uncommon that according to a search of all the plugins in the WordPress Plugin Directory using WPdirectory it was only one of three with the same basic set up. One of the other plugins was Backup and Staging by WP Time Capsule. At first glance the code in that plugin looked like it would of limited security concern, but further checking showed multiple security failures allow anyone logged in to WordPress that can access the admin area is able to exploit it. [Read more]
As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities that the possibility of is flagged by our Plugin Security Checker, an automated tool for checking for the possibilities of some security issues in WordPress plugins. We have offered the team the running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.
Our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities includes many of the same checks as the Plugin Security Checker, so in the case of the plugin Newsletter Subscription Plugin for easyping.me they both flag the possibility of a PHP object injection vulnerability, which is the type of vulnerability that hackers have been known to exploit. [Read more]
Yesterday we noted that the developer of the WordPress security plugin Security Ninja plugin isn’t doing a great job with the security of their plugins. In the latest example, they could have spotted an issue before we are publicly disclosing it by simply checking the plugin with our Plugin Security Checker, which identifies possible security issues in WordPress plugins. While looking into the details of another instance of them fixing a vulnerability we had identified in one of their plugins while working on an improvement to the Plugin Security Checker, this time with the plugin Nifty Coming Soon & Maintenance page we ran the plugin through our tool and saw that it got flagged for possibly including a vulnerable version of the plugin Option Tree:
With our service we cover WordPress plugins (as you might guess from our name), but not WordPress themes. There are a number of reasons for that, including the dearth of vulnerabilities being disclosed in themes, which seems to be related to the limited amount of potentially vulnerable code in them despite it being possible for them to contain all the same types of issues as plugins. We got a reminder of that when we did a check over some of the most popular themes available in the WordPress Theme Directory against the checks we do of changes being made to plugins as part of our proactive monitoring to try to catch serious vulnerabilities before they are exploited and a few other checks. The proactive monitoring checks didn’t pull up anything, but one of the other checks brought up the fact that the theme Hueman , which has 70,000+ active installs according to wordpress.org, contains the plugin OptionTree.
Last week disclosed that OptionTree contains an authenticated PHP object injection vulnerability after noticing its usage in another plugin. With the theme Hueman the situation is somewhat worse since it isn’t even using the latest version of OptionTree, which means that it is also still vulnerable to a vulnerability that was discovered by Kacper Szurek and was fixed over two years ago. [Read more]
This post provides the details of a vulnerability in the WordPress plugin Portfolio X not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.
That a security plugin can have a fairly serious vulnerability speaks to the one of the problems we see with the security industry’s ability to meet the needs of the public. On the one hand the average website, which shouldn’t need security products and services, are being sold ones that don’t work well at best. At the same time those websites that genuinely need advanced security tools are unable to get ones that work well and or they introduce security risks of their own. This plugin falls into the latter category both in that it is something that could be of useful for some websites, but also something that is introducing additional security risk. [Read more]
This post provides the details of a vulnerability in the WordPress plugin Infographic Maker iList not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
This post provides the details of a vulnerability in the WordPress plugin Slider Hero not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.
The second plugin we noticed it in is Simple Link Directory. That plugin includes OptionTree in the directory “option-tree” and when this plugin is active it loads OptionTree with this line in the plugin’s main file: [Read more]