600k WordPress Backup Plugin Claiming to Be “Easiest Way to Protect Your Website” Contains Decade Out of Date Insecure Library
Earlier this week someone checked the 600,000+ install WordPress plugin BackWPup through our Plugin Security Scorecard. That flagged a variety of issues, including code that isn’t properly secured against reflected cross-site scripting, usage of security functions in a way that provides no protection, and usage of an outdated version of a third-party library that contains five developer-disclosed security issues:
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “CURLOPT_HTTPAUTH option not cleared on change of origin”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Change in port should be considered a change in origin”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Failure to strip the Cookie header on change in host or HTTP downgrade”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Fix failure to strip Authorization header on HTTP downgrade”. The plugin could be vulnerable due to that.
- The plugin contains a version of the third-party library Guzzle that the developer of the library says has a security issue labeled as “Cross-domain cookie leakage”. The plugin could be vulnerable due to that.
- User input is being directly output, which could lead to reflected cross-site scripting (XSS).
- The function filter_var() is used without a filter, so it doesn’t do any filtering.
- The PHP function filter_input() is used without a filter, so it doesn’t do any filtering.
- Base64 obfuscated content detected.
- The plugin doesn’t contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
- The plugin isn’t listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.
- The plugin isn’t listing in a security.txt file where a software bill of materials (SBOM), which provides information on what third-party software is included in the plugin, can be found. That limits the ability to assess the security of that third-party software.
The oldest of those security issues in the library was disclosed in May 2022. So the developer hasn’t updated the library in at least 3 years. It turns out it is even longer than that, as the version in use is 3.8.1, which was superseded in March 2014.
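To make concrete what the filter_var()/filter_input() findings and the reflected XSS finding above mean in practice, here is an added PHP example (not code from BackWPup or from the scorecard) showing why a filter-less filter_var() call hands the input back unchanged, beside the escaping that actually neutralises it for HTML output. The request value is constructed inline to stand in for a query-string parameter.

```php
<?php
// Added example, not plugin code. Demonstrates the scorecard findings
// "filter_var() used without a filter" and "user input directly output".

// Constructed stand-in for an untrusted request parameter (e.g. $_GET['page']).
$raw = '<script>alert(1)</script>';

// 1. filter_var() with no filter argument uses FILTER_DEFAULT, which is an
//    alias of FILTER_UNSAFE_RAW: the value comes back byte-for-byte unchanged.
$unfiltered = filter_var($raw);
var_dump($unfiltered === $raw); // bool(true): nothing was filtered

// Echoing $unfiltered into a page would reflect the markup verbatim,
// which is exactly the reflected XSS condition the scorecard flags.
// (Not echoed here on purpose.)

// 2. Passing an explicit sanitising filter does change the value: '<', '>',
//    '&', quotes and control characters become numeric HTML entities.
$sanitised = filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
echo $sanitised, PHP_EOL; // &#60;script&#62;alert(1)&#60;/script&#62;

// 3. The conventional fix is to escape at the point of output for the HTML
//    context, regardless of what filtering happened on the way in.
$escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo $escaped, PHP_EOL; // &lt;script&gt;alert(1)&lt;/script&gt;

// The same rule applies to filter_input(): filter_input(INPUT_GET, 'page')
// with no third argument also uses FILTER_DEFAULT and filters nothing.
// In a WordPress plugin the equivalent output-escaping helper is esc_html().
```

Run with `php example.php`; the first `var_dump` line is the point of the finding: a filter-less call is not a sanitiser, so treating it as one leaves the output unprotected.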