13 Sep 2016

When an Old Vulnerability Gets a New Vulnerability Report

As part of preparing an upcoming enhancement to the service, we have recently been looking at what the traffic to our website indicates about what hackers are targeting. Through that we noticed a connection between the existence of YouTube videos on exploiting vulnerabilities and which vulnerabilities are receiving exploitation attempts. In the past few days we have seen a pickup in requests for pages on our website relating to the plugin Cherry Plugin. In looking for any recent mentions of vulnerabilities in this plugin we found a YouTube video showing how to exploit an arbitrary file upload vulnerability in it and a report on that vulnerability.

We had actually already looked at the report when it was released several days ago as part of our monitoring of various vulnerability database websites. As a reminder of the low quality of many of these reports, the report lists the “version” as being 3.8, which could not refer to the plugin’s version since the most recent version is 1.2.8.2. The vulnerability being reported was actually disclosed and fixed more than a year and a half ago, which isn’t mentioned in the report. Since the plugin is not available through the Plugin Directory, the normal update mechanism for plugins doesn’t come into play, and there is more chance that someone would still have an outdated and vulnerable version installed at this time. [Read more]

30 Jun 2016

Wordfence’s Firewall Doesn’t Protect Against a Real World Stored XSS Vulnerability

Last week we wrote a couple of posts about Wordfence, the second of which was based on a claim we noticed while working on the first. That leads to this post, which is based on a claim we saw while working on the second post.

In a post about a vulnerability in a plugin from earlier this month (in which the discoverer of the vulnerability conspicuously wasn’t mentioned), Wordfence said people using their product were already protected against that vulnerability “because Wordfence has built in protection against stored XSS attacks”. That unqualified claim that their product can protect against such a broad type of vulnerability doesn’t sound like something you would hear from a responsible security company, and when it comes to this type of vulnerability, which we refer to as persistent cross-site scripting (XSS), it sounded unbelievable. [Read more]

30 Jun 2016

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Cherry Plugin

As we continue looking at ways we can improve the security of WordPress plugins, one of the things we are trying is checking over plugins for which we have recently added new vulnerabilities to our data set, to see if we can find any other obvious vulnerabilities. The third we have spotted is in the plugin Cherry Plugin.

We recently added two vulnerabilities to our data set that existed in older versions of the plugin, which were caused by code that was only intended to be used by Administrator level users being accessible to anyone (you didn’t even have to be logged in). The vulnerability we found shows that the developers are still having problems with properly restricting access in the plugin. In this case the function cherry_mtc_save(), which is located in the file /includes/plugin-assets.php, is made accessible to any logged in user through an AJAX request. Since it is only used through the Maintenance Mode page for the plugin, which is only accessible to Administrators, the function should have restrictions to prevent lower level users from accessing it. That isn’t the case: [Read more]

22 Jun 2016

Old Vulnerability Report: Arbitrary File Viewing Vulnerability in Cherry Plugin

One of the things that we do to keep track of the plugin vulnerabilities out there is to monitor hacking attempts on our websites. That sometimes leads us to find what looks to be exploitation of vulnerabilities that a hacker has just discovered. In other cases it shows really old vulnerabilities that hackers are still trying to exploit. We have recently had some attempts to exploit a couple of vulnerabilities in older versions of the plugin Cherry Plugin. One was an arbitrary file upload vulnerability mentioned here and the other was an arbitrary file viewing vulnerability that we couldn’t find any prior mention of.

In version 1.2.6 and below, the file /admin/import-export/download-content.php will serve up the contents of any file requested. It looks like that functionality was intended to be accessible only by admins, but there were no restrictions in place to prevent anyone else from accessing it. [Read more]