12 Oct 2021

Our Proactive Monitoring Caught Another Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin INK Official. That was the second time we caught that type of vulnerability being introduced into a plugin in less than a week.

Based on the insecurity leading to this vulnerability, there may be additional security issues and vulnerabilities. [Read more]

8 Oct 2021

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin SCORM Cloud For WordPress.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

10 Sep 2021

Does a Fabulist Explain Why The Security Reviews of New WordPress Plugins Are Not Happening?

On August 13th, the WP Tavern, which is owned by WordPress and Automattic head Matt Mullenweg, published a post written by Sarah Gooding that presented an inaccurate view of the state of the security of WordPress plugins. The post was about a report based in part on data from a security company named WPScan, which has been inflating the number of vulnerabilities in WordPress plugins it claims to be aware of. The story didn’t address that inflation, but instead put forward this claim to explain what is actually being caused, at least largely, by that inflation:

Both Wordfence and WPScan claim that the greater number of vulnerabilities reported this year is indicative of the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins aren’t getting more insecure over time but rather there are more people interested in discovering and reporting vulnerabilities. [Read more]

21 Jul 2021

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in One of 10Web’s Plugins

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in the plugin 10WebEcommerce. The developer of that plugin, 10Web, also offers what they claim is the “Most Trustable WordPress Security Service”, despite this not being the first time we have run into a vulnerability in one of their plugins recently.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

2 Mar 2020

Hackers May Already Be Targeting This Authenticated Arbitrary File Upload Vulnerability in WP Ultimate CSV Importer

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website yesterday for the plugin WP Ultimate CSV Importer by requesting these files:

  • /wp-content/plugins/wp-ultimate-csv-importer/assets/css/deps/csv-importer-free.css
  • /wp-content/plugins/wp-ultimate-csv-importer/wp-ultimate-csv-importer.md

Like the previous plugins we discussed last week that appear to be targeted by this campaign, the plugin is very insecure. The most serious vulnerability we noticed in it would probably be an authenticated arbitrary file upload vulnerability. [Read more]

7 Oct 2019

What Security Review? Brand New WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the brand new plugin Word Of The Day, which we came across due to our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities flagging that it possibly contained an arbitrary file upload vulnerability, which is a type of vulnerability likely to be exploited. In reviewing this we found that it does contain an authenticated variant of that, which can also be exploited through cross-site request forgery (CSRF).

We have long offered to help the team running the Plugin Directory gain a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. [Read more]

15 Aug 2019

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Maintenance

The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 400,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a couple of less serious ones related to a more serious one. Through cross-site request forgery (CSRF) it would be possible for an attacker to cause arbitrary files to be uploaded as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.

The plugin’s admin page is accessible to those with manage_options capability, which normally only Administrators have: [Read more]

31 Jul 2019

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into uListing

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught an authenticated arbitrary file upload vulnerability being introduced into the plugin uListing, which can also be exploited through cross-site request forgery (CSRF). The vulnerability occurs in code handled through WordPress’ REST API, which is increasingly a vector through which vulnerabilities in WordPress plugins are accessible. (We have included checking over functionality running through the REST API in our security reviews of WordPress plugins since earlier this year due to the prevalence of issues.)

The plugin registers the function upload_file() to be accessible through WordPress REST API as part of new import/export functionality: [Read more]

22 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Arbitrary File Upload in WP SVG Icons

The plugin WP SVG Icons was closed on the WordPress Plugin Directory on Saturday. Due to it being one of the 1,000 most popular, with 50,000+ installs, we were alerted to the closure. By the time we went to check to see if there were any security issues in the plugin, a new version had already been submitted to fix a cross-site request forgery (CSRF) vulnerability that allows uploading arbitrary files. There are still a couple of very minor CSRF vulnerabilities that appear to be unfixed and some other possible security issues. [Read more]

1 Jul 2019

Vulnerability Details: Arbitrary File Upload in Insert or Embed Articulate Content into WordPress

One area where WordPress plugins need to be very careful when it comes to security is handling file uploads. The plugin Insert or Embed Articulate Content into WordPress hasn’t been doing that, and it seems the developer doesn’t have the capability to handle that. [Read more]