13 Jul

Image Upload Capability in WordPress Plugin Being Abused

The security industry has more than its fair share of snake oil and hucksters, which seems like it can be explained in part due to the fact that people that don’t know and or care about security can make claims that those more knowledgeable would never make.  For example, somebody that has a basic understanding of security wouldn’t claim their WordPress security plugin “stops you from getting hacked” because a WordPress plugin would not have any chance of stopping certain types of attacks (yet somehow the most popular plugin makes this claim). Not only is security extremely complicated, but things are frequently changing, so you need to keep adjusting as new threats come about and existing ones change. Along those lines we thought it important to share something we ran across yesterday about the abuse of a popular plugin’s intended functionality.

One of the ways we keep track of plugin vulnerabilities out there is by monitoring the WordPress Support Forum for threads that might be relevant. Through that, this week we have added three newly disclosed vulnerabilities that exist in the most recent version of their respective plugins, including one in a plugin with 1+ million active installs, to our data set. Those are vulnerabilities you won’t find in any other source of WordPress plugin vulnerabilities data, due to no one else doing the kind of extensive monitoring we do. Through that monitoring we also came across a report of abuse of the image upload capability in the plugin WP Job Manager.

That relates to a post we wrote just about a month ago looking into a claim that a vulnerability in the plugin had been fixed that had allowed website defacements due to those not logged in to WordPress being able to upload images through the plugin’s AJAX functionality. The claim didn’t really make a lot of sense for two reasons. First, we didn’t understand how uploading an image could allow a website to be defaced in normal circumstances. But more importantly, we didn’t understand how the change made was supposed to fix the issue, since by default those that didn’t already have a WordPress account could still upload images through the plugin.

The thread we ran across indicates the abuse of that image upload capability, but not for website defacement, at least in any way we have heard the term used before. Here is how an impacted user explained it in a series of posts:

We have seven websites running WP JOB MANAGER plugin and all have been infected and one even blocked by the domain registrar!!

Please, we need an urgent solution to this.

How were the websites “infected”:

In all cases it was either gif or jpg.

This triggered some strange security warning from some security company and one domain even got blocked based on this (until I removed the file).

Also my host was warned.

So what were the images being used for:

The uploaded file is a phishing/spam use and our site gets the responsibility.

Very dangerous! I hope there is a solution for this.

Or a way to turn off image upload? Not like many employers are even using it.

The plugin is developed by Automattic, the company closely associated with WordPress, and the response from one of the developers doesn’t seem too reassuring about their ability to handle complex issues:

@gstar @rogier1988 @etheos sorry for the slow response here. Yes, there was a vulnerability reported and we updated the plugin immediately after some discussion. The update was released 29 days ago. Here is the changelog with a link to the issue:

https://github.com/Automattic/WP-Job-Manager/blob/master/changelog.txt

I added an announcement and sticky post about this on the forum which can be found here: https://wordpress.org/support/topic/wp-job-manager-1-26-2-released/

Can you please check the version of WPJM you are running and confirm to us which version you are using. If you are using 1.26.2 and there is a new vulnerability we need to get that sorted out.

As we mentioned before, the change made in that version didn’t seem to resolve the issue, since by default those that didn’t already have a WordPress account could still upload images through the plugin. This seems like a good time to remind people that we are always available to provide free help to developers dealing with security issues in their plugins; if we had been contacted about the issue we would have pointed this out at the time.

The problem with this type of issue is that the activity of uploading images is intended, so ideally you would try to stop it from being abused without hindering its intended use. In the case of this plugin, one plausible solution that sounds like it could limit the abuse is to resize large images down to the smaller size at which the plugin actually displays them, but for other plugins it might be more difficult.
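One way to implement that resize mitigation, as an added example that is not WP Job Manager’s or Automattic’s code, is a small must-use plugin hooked on WordPress’s wp_handle_upload filter, so it applies to whatever upload path a plugin uses. The 300x300 display size, the plugin name and the function name are assumptions; replace the size with whatever your theme or plugin actually renders.

```php
<?php
/**
 * Plugin Name: Downscale Anonymous Image Uploads
 * Description: Added example (not WP Job Manager code). Re-encodes images uploaded
 * by visitors who are not logged in down to the size the site actually displays.
 * Place in wp-content/mu-plugins/ so it is always loaded.
 */

// Assumed display size; replace with the dimensions your theme/plugin renders.
const DAIU_MAX_WIDTH  = 300;
const DAIU_MAX_HEIGHT = 300;

/**
 * Runs on the core wp_handle_upload filter after the file has been written.
 * $upload carries 'file' (path on disk), 'url' and 'type' (MIME type as
 * determined by WordPress). Returning an array with an 'error' key is the
 * convention callers of wp_handle_upload() check to reject the upload.
 */
function daiu_downscale_anonymous_upload( array $upload, string $context = 'upload' ): array {
    // Logged-in users keep their original file; the abused path was anonymous uploads.
    if ( is_user_logged_in() ) {
        return $upload;
    }
    if ( empty( $upload['file'] ) || strpos( (string) $upload['type'], 'image/' ) !== 0 ) {
        return $upload;
    }

    $editor = wp_get_image_editor( $upload['file'] );
    if ( is_wp_error( $editor ) ) {
        // Not a decodable image: do not leave an opaque file on disk.
        @unlink( $upload['file'] );
        return array( 'error' => 'Uploaded file is not a valid image.' );
    }

    $size = $editor->get_size();
    if ( $size['width'] > DAIU_MAX_WIDTH || $size['height'] > DAIU_MAX_HEIGHT ) {
        // Scale down without cropping and overwrite the original in place, so the
        // oversized file is gone. Note: re-encoding drops animation from GIFs.
        $resized = $editor->resize( DAIU_MAX_WIDTH, DAIU_MAX_HEIGHT, false );
        $saved   = is_wp_error( $resized ) ? $resized : $editor->save( $upload['file'] );
        if ( is_wp_error( $saved ) ) {
            @unlink( $upload['file'] );
            return array( 'error' => 'Could not process the uploaded image.' );
        }
    }
    return $upload;
}
add_filter( 'wp_handle_upload', 'daiu_downscale_anonymous_upload', 10, 2 );
```

Because the file is re-encoded at display size, a large image whose only purpose was to carry readable phishing text is no longer usable for that, while legitimate small images are untouched.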

13 Jun

Automattic Seems More Committed to Marketing Their Jetpack Service Than to a Safer WordPress Experience

For years WordPress has been knowingly leaving websites at risk of being hacked due to a refusal to warn when plugins are in use that are known to be vulnerable and have been removed from the Plugin Directory for that reason. Considering the damage that is caused by this and there not being any reasonable argument for not warning people, at times when removed plugins have been widely exploited we have started to wonder if this might not be due to gross negligence, but if there might be a more nefarious explanation.

The company closely associated with WordPress, Automattic, does have several products marketed as security products, Jetpack and VaultPress, so allowing websites to be hacked to help those services could be an explanation, though we highly doubt it. That being said, Automattic doesn’t seem to have the best interests of the public in mind when it comes to security. For example, they have helped other security companies in pushing the false notion that there are many brute force attacks against WordPress admin logins, which takes the focus away from real security threats like unfixed vulnerable plugins.

While looking for something for another post we ran across something that relates to the issue of those removed plugins. On the Jetpack website they have a set of pages on the security of WordPress plugins named the WordPress Security Library. There they give the public information that WordPress has been refusing to. For example, they warn that the plugin Form Lightbox is unsafe:


That refers to an option update vulnerability that exists in that plugin.

In explaining these pages, another section of the page contains the following text:

About this information

This WordPress security information is part of our security library and is brought to you by Jetpack as part of our commitment to a safer WordPress experience.

If you have any questions, please do not hesitate to contact us.

What isn’t mentioned there (as is so often the case) is the source of that data, which is pretty clearly the WPScan Vulnerability Database. If you follow our blog, you would already be aware of the serious issues that come with the use of that source. As an example of that, the plugin Downloads Manager is listed as being “Good” and the “current version safe”:

There is an indication there that it might not be, as they are not showing the name of the plugin but instead its slug, “downloads-manager”, which seems to be because the plugin has been removed from the Plugin Directory. The reason for that is that the most recent version of the plugin has an arbitrary file upload vulnerability, which we discovered after we saw hackers targeting the plugin. That vulnerability isn’t in the WPScan Vulnerability Database, as is the case with many very exploitable vulnerabilities we have discovered and publicly disclosed.

Even when WPScan has data on a vulnerability, the Jetpack website isn’t always presenting it accurately (this seems to be a frequent issue with services and products reusing their data). For the plugin Delete All Comments they also list it as being “Good” and the “current version safe”, despite the fact that they list a vulnerability as existing in versions up to 2.0, which is the most recent version:


So Automattic is presenting bad information to those looking at this section of the website, but what makes this all the more troubling is that right below the “Safety Recommendations” section of these pages are two sections advertising their service:

So their commitment seems less to the safety of WordPress, seeing as they haven’t joined us in trying to finally get WordPress to warn about removed vulnerable plugins, and more to promoting their service using someone else’s data without disclosing that.

It is also worth noting that if their “Regular, automated scans of your site for malware, threats, and hacks.” are also using the WPScan Vulnerability Database’s data, then their customers are going to be unaware of many vulnerabilities, like the one in Downloads Manager. So if you are actually interested in protecting against vulnerable plugins, you should at least install the companion plugin for our service, since the free data that comes with it lists vulnerabilities like the one in Downloads Manager. For more complete data, as well as the ability to vote for or suggest plugins to receive a security review from us and to help us further improve the security of WordPress plugins, sign up for our service.