07 Oct

What Security Review? Brand New WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the brand new plugin Word Of The Day, which we came across due our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities flagging that it possibly contained an arbitrary file upload vulnerability, which is a type of vulnerability likely to be exploited. In reviewing this we found that it does contain authenticated variant of that, which can also be exploited through cross-site request forgery (CSRF).

We have long offered to provide the team running the Plugin Directory help to have a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool for free. We haven’t heard any interest from that team to either of those offers. [Read more]

15 Aug

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Maintenance

The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 400,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a couple of  less serious ones related to a more serious one. Through cross-site request forgery (CSRF) it would be possible for an attacker to cause arbitrary files to be uploaded as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.

The plugin’s admin page is accessible to those with manage_options capability, which normally only Administrators have: [Read more]

31 Jul

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Being Introduced in to uListing

One of the ways we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability being introduced in to the plugin uListing, which can also be exploited through cross-site request forgery (CSRF). The vulnerability occurs in code handled through WordPress’ REST API, which is increasingly a vector through which vulnerabilities in WordPress plugins are accessible. (We have included checking over functionality running through the REST API in our security reviews of WordPress plugins since earlier this year due the prevalence of issues.)

The plugin registers the function upload_file() to be accessible through WordPress REST API as part of new import/export functionality: [Read more]

22 Jul

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Arbitrary File Upload in WP SVG Icons

This post provides the details of a vulnerability in the WordPress plugin WP SVG Icons not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

01 Jul

Vulnerability Details: Arbitrary File Upload in Insert or Embed Articulate Content into WordPress

This post provides the details of a vulnerability in the WordPress plugin Insert or Embed Articulate Content into WordPress not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

28 Jun

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in the WordPress Plugin MapSVG Lite

If you were already using our service you would know that the plugin MapSVG Lite isn’t secure as there was unfixed vulnerability disclosed at the beginning of the year. If you were relying on other data sources there is good chance you wouldn’t know that since the ultimate source of a lot of those, the WPScan Vulnerability Database, claims that it was fixed:

[Read more]

11 Jun

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in a WordPress Security Plugin

When it comes to WordPress security plugins, not only do they often not provide much, if any, security against threats that really impact a website, but they can actually introduce security vulnerabilities of their own. That is the case with the plugin LionScripts: IP Blocker Lite, which is described as:

LionScripts IP Blocker for WordPress allows you to block the malicious IP Addresses, Spammers and Hackers [Read more]

05 Jun

Vulnerability Details: Authenticated Arbitrary File Upload in Crelly Slider

This post provides the details of a vulnerability in the WordPress plugin Crelly Slider not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

29 Jan

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in a WordPress Plugin with 70,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a less serious variant of an arbitrary file upload vulnerability in a plugin with 70,000+ installs, Slider by 10Web. The vulnerability could allow an attacker that could get a logged in Administrator to access a page they control to upload a malicious file to a website and then they could take any action they wanted with the website.

What makes the vulnerability notable in a way is that the functionality with the vulnerability is present as being disabled in the free version of the plugin: [Read more]

03 Dec

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in Security Related WordPress Plugin

A few weeks ago we full disclosed a fairly serious vulnerability in a security plugin with 70,000+ installs designed to log WordPress user activity (probably in large due part to the people on the WordPress side of things, that vulnerability hasn’t been fixed so far), through our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we run across another logging plugin, WatchMan-Site7, that has a vulnerability of its own. Through the vulnerability an attacker that could get a logged in Administrator to access a page they control could cause a malicious file to be uploaded on the website and from they could almost anything with the website.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). [Read more]