24 Nov 2021

Closed WordPress Plugin With 90,000+ Installs Contains Authenticated Arbitrary File Deletion Vulnerability

Today, the WordPress plugin Advanced Contact form 7 DB (Advanced CF7 DB) was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 90,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a vulnerability that allows anyone logged in to WordPress to delete arbitrary files from the website.

We tested and confirmed that our new firewall plugin for WordPress protected against the proof of concept below, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. [Read more]

5 Oct 2021

The MStore API WordPress Plugin Also Contains an Authenticated Arbitrary File Deletion Vulnerability

Earlier today an unfixed arbitrary file upload vulnerability in the WordPress plugin MStore API was disclosed through the release of exploit code for it. While the information provided with the exploit code claims the vulnerability impacts 2.0.6 and “possibly higher”, the vulnerability actually didn’t exist in that version, but does exist in the latest version of the plugin (information on which versions of the plugin are impacted is included in the data provided by our service). Earlier today the developer made a change that looks like it was an attempt to fix this, while not raising the version number of the plugin, so anyone already using the latest version of the plugin wouldn’t be provided with the attempted fix. That doesn’t matter much, as the change doesn’t fix the issue, it just makes exploiting it a bit more complicated.

As of posting this, the plugin remains in the WordPress Plugin Directory despite the plugin having a publicly known vulnerability that is of a type hackers are very likely to exploit. [Read more]

7 Nov 2019

Our Proactive Monitoring Caught a CSRF/Arbitrary File Deletion Vulnerability in a WordPress Plugin with 70,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/arbitrary file deletion vulnerability in the plugin Backup Guard, which has 70,000+ installs. Despite being that popular, it doesn’t look like the security of the code has been well reviewed, as the code that causes the vulnerability lacks two basic security components. There look to be additional security issues related to that insecurity, so we wouldn’t recommend using the plugin unless a thorough security review (like we do as part of our service and as a separate service) is done.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool flags the possibility of other issues in this plugin as well. [Read more]

11 Sep 2019

What Security Review? Brand New WordPress Plugin Contains CSRF/Arbitrary File Deletion Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the plugin Prevent Files / Folders Access, which we came across because our proactive monitoring of changes made to plugins in the Plugin Directory (intended to catch serious vulnerabilities) flagged that it contains a cross-site request forgery (CSRF)/arbitrary file deletion vulnerability.

We have long offered to provide the team running the Plugin Directory help to have a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. [Read more]

30 Aug 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Deletion Vulnerability Being Introduced into Ovic Addon Toolkit

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file deletion vulnerability being introduced into the plugin Ovic Addon Toolkit, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

22 Oct 2018

Vulnerability Details: CSRF/Arbitrary File Deletion Vulnerability in WP BackItUp Community Edition

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability, and we will put out a post detailing the possible vulnerability that led to that so that we can provide our customers with more complete information on the security of plugins they use.

[Read more]

16 Apr 2018

Vulnerability Details: Authenticated Arbitrary File Deletion Vulnerability in Woo Import Export

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on the vulnerability, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

[Read more]