22 Aug 2019

GDPR Plugins for WordPress Continue to Be Insecure

The European Union’s General Data Protection Regulation (GDPR) is a data protection law that, when it comes to WordPress websites, is making them less secure: not because of the law itself, but because the plugins for complying with it haven’t been properly secured. In October of last year we noted that the plugin WP DSGVO Tools (GDPR) contained a PHP object injection vulnerability, which then remained in the plugin for two more months. The plugin was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found the possibility of one, though the code that would make it exploitable looks to only be available in the commercial version of the plugin. We did confirm that a less serious related vulnerability exists.

Even with just the vulnerability we confirmed there are multiple fairly obvious security problems, so there likely are more security issues in the plugin. [Read more]

15 Aug 2019

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Maintenance

The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 400,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a couple of less serious ones related to a more serious one. Through cross-site request forgery (CSRF) it would be possible for an attacker to cause arbitrary files to be uploaded, as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.

The plugin’s admin page is accessible to those with manage_options capability, which normally only Administrators have: [Read more]

9 Aug 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Social LikeBox & Feed

The plugin Social LikeBox &amp; Feed was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a less serious one related to a more serious one: a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

The plugin registers its admin page to be accessible by Administrators: [Read more]

8 Aug 2019

This Authenticated Persistent XSS Vulnerability Might Be What Hackers Are Targeting PPOM for WooCommerce For

One of the things we seem to be unique in doing is monitoring for hackers probing for usage of WordPress plugins before they exploit vulnerabilities in them, despite other security companies claiming to do the same, and despite that being something they would need to do to be able to prevent exploitation. Today that monitoring showed probing for the plugin PPOM for WooCommerce, with requests for these files from it:

  • /wp-content/plugins/woocommerce-product-addon/readme.txt
  • /wp-content/plugins/woocommerce-product-addon/js/script.js
  • /wp-content/plugins/woocommerce-product-addon/css/ppom-style.css

As is often the case with plugins that hackers are probing for, the plugin has been quite insecure. When we started looking over the plugin to see if there was a vulnerability that we should be warning customers of our service using the plugin about, we found that a fairly serious vulnerability had been partially fixed several weeks ago. But when we looked to see whether the same type of fix had been implemented elsewhere, we found one part of the code is still completely vulnerable. It leads to an authenticated persistent cross-site scripting (XSS) vulnerability, which would allow an attacker with a low-level WordPress account to cause malicious JavaScript to be displayed on at least admin pages of the website. That is a type of vulnerability that has been popular with hackers recently. Since the plugin extends WooCommerce, and WooCommerce by default allows the public to register WordPress accounts, the low-level account this requires is easy to obtain, which increases the ability to exploit this. [Read more]
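One way to detect the probing described in this post, as an added example written for this page and not taken from the original post or from any product: a scanner asks for readme.txt (or another static file) from many different plugin directories, mostly collecting 404s, whereas a browser only fetches the assets of plugins the page actually uses, sends a Referer, and never asks for readme.txt. The log lines below are constructed for the demo (the woocommerce-product-addon paths are the ones listed above; the other two slugs and the thresholds are assumptions).

```php
<?php
/*
 * Added example, not code from the original post or from any product.
 * Profiles clients in an access log and flags those that request
 * readme.txt from several different plugin directories. Sample log lines
 * are constructed; slugs other than woocommerce-product-addon and the
 * thresholds are assumptions.
 */

// Apache/nginx "combined" format: ip - - [time] "METHOD path HTTP/x" status ...
const LOG_RE    = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
const PLUGIN_RE = '#^/wp-content/plugins/([^/]+)/#';

$sample = <<<'LOG'
203.0.113.9 - - [08/Aug/2019:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-product-addon/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2019:10:01:02 +0000] "GET /wp-content/plugins/woocommerce-product-addon/js/script.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2019:10:01:03 +0000] "GET /wp-content/plugins/woocommerce-product-addon/css/ppom-style.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2019:10:01:04 +0000] "GET /wp-content/plugins/example-gallery/readme.txt HTTP/1.1" 200 8101 "-" "Mozilla/5.0"
203.0.113.9 - - [08/Aug/2019:10:01:05 +0000] "GET /wp-content/plugins/example-forms/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Aug/2019:10:02:00 +0000] "GET /wp-content/plugins/example-gallery/js/gallery.js HTTP/1.1" 200 40122 "https://example.com/" "Mozilla/5.0"
198.51.100.4 - - [08/Aug/2019:10:02:00 +0000] "GET /wp-content/plugins/example-gallery/css/gallery.css HTTP/1.1" 200 3311 "https://example.com/" "Mozilla/5.0"
LOG;

/**
 * Parse log text and return, per client IP, the plugin slugs it touched,
 * the slugs it requested readme.txt from, and how many plugin requests 404ed.
 */
function ppl_profile_clients(string $log): array {
    $clients = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                   // not a request line
        }
        [, $ip, , $path, $status] = $m;
        $path = strtok($path, '?');                     // drop any query string
        if (!preg_match(PLUGIN_RE, $path, $p)) {
            continue;                                   // not a plugin file
        }
        if (!isset($clients[$ip])) {
            $clients[$ip] = ['plugins' => [], 'readme' => [], 'misses' => 0];
        }
        $slug = $p[1];
        $clients[$ip]['plugins'][$slug] = true;
        if (strtolower(basename($path)) === 'readme.txt') {
            $clients[$ip]['readme'][$slug] = true;
        }
        if ((int) $status === 404) {
            $clients[$ip]['misses']++;
        }
    }
    return $clients;
}

/**
 * Flag clients that requested readme.txt from at least $minPlugins distinct
 * plugin directories, or that 404ed on at least $minMisses plugin paths.
 * Thresholds are assumptions; tune them to your own traffic.
 */
function ppl_flag_probers(array $clients, int $minPlugins = 2, int $minMisses = 3): array {
    $flagged = [];
    foreach ($clients as $ip => $c) {
        if (count($c['readme']) >= $minPlugins || $c['misses'] >= $minMisses) {
            $flagged[$ip] = array_keys($c['plugins']);
        }
    }
    return $flagged;
}

foreach (ppl_flag_probers(ppl_profile_clients($sample)) as $ip => $slugs) {
    printf("%s probed %d plugin directories: %s\n", $ip, count($slugs), implode(', ', $slugs));
}
```

On the constructed sample, 203.0.113.9 is flagged (readme.txt from three slugs, four 404s) and 198.51.100.4, which only loaded one plugin’s assets with a Referer, is not. Feed it real logs with `php probe.php < access.log` after swapping `$sample` for `stream_get_contents(STDIN)`; a single 404 on a plugin path is normal noise, which is why the check is on distinct readme.txt slugs rather than on any one request.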

29 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Animate It!

The changelog entries for two of the three latest releases of the plugin Animate It! are “Security fixes for XSS related vulnerability.”, though neither of them looks to have actually fixed a vulnerability. The most recent version’s changelog entry is “Security related fixes.”, and that version actually fixed a vulnerability connected to the code being changed in the previous two releases. The vulnerability could allow an attacker to cause someone logged in to WordPress as an Administrator to save malicious JavaScript code that would then be displayed on admin pages.

[Read more]

17 Jul 2019

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in HubSpot All-In-One Marketing – Forms, Popups, Live Chat

Yesterday a new version of the WordPress plugin HubSpot All-In-One Marketing – Forms, Popups, Live Chat, which has 80,000+ installs, came on to our radar as there were a couple of seemingly security-related entries in the changelog for that version:

  • Fix comment escaping
  • Sanitize inputs

As part of collecting data for our service, so that we can inform our customers if plugins they use contain vulnerabilities, we started looking into the changes. The very first change made was to change a line of code from this: [Read more]

16 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WP Ultra simple Paypal Cart

A report by JPCERT/CC credits the discovery of a cross-site request forgery (CSRF) vulnerability in WP Ultra simple Paypal Cart to Mike Castro Demaria. The changelog for the version in which it appears to have been fixed indicates something a bit different:

[Read more]

15 Jul 2019

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Email Subscribers & Newsletters

One of the changelog entries for the latest version of Email Subscribers &amp; Newsletters is “Fix: Fixed Vulnerability”. Looking at the changes made in that version, at first glance we thought it might be fixing a vulnerability we disclosed in April, but that wasn’t the case. What we subsequently found is that what appears to be an attempt to fix a vulnerability hadn’t been successful, due to two separate security failures. While one of those failures would be somewhat understandable normally, the developer markets their plugins with this claim:

[Read more]

15 Jul 2019

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Project Supremacy Lite (Project Supremacy V3 Lite)

As part of making sure we are providing the users of our service with the best information on vulnerabilities in WordPress plugins they may be using, we monitor for indications that security vulnerabilities have been fixed in new versions of plugins. Today that led to us looking at Project Supremacy Lite (Project Supremacy V3 Lite), where the changelog for the latest version is “Added some security fixes.” The changes made in that version look to be escaping the output of the plugin’s settings. Normally the lack of that wouldn’t be a vulnerability, because only Administrators are allowed to change the settings and they can do anything they want with WordPress already. When we went to check whether that was the case with this plugin, we found that anyone logged in to WordPress can change the plugin’s settings, and one of those settings is intended to be used to place JavaScript code on all of the frontend pages of the website, which leads to an authenticated persistent cross-site scripting (XSS) vulnerability.

The plugin registers the function that handles saving the plugin’s settings, saveGeneral(), so that it is accessible to anyone logged in to WordPress: [Read more]
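The Maintenance, Animate It! and Project Supremacy Lite posts above all describe the same shape: a settings-save handler that either any logged-in user can reach or that never checks that the request came from the plugin’s own page, combined with a saved value that is printed back unescaped. The added example below, written for this page and not taken from any of those plugins, shows that shape in a minimal WordPress admin-ajax handler next to a hardened version. Every name in it (the ppl_ prefix, the example_header_js and example_tagline options, the ppl_save_general action) is hypothetical.

```php
<?php
/*
 * Added example, not code from any plugin discussed on this page. All
 * names (ppl_*, example_header_js, example_tagline) are hypothetical.
 * Requires WordPress; the functions called are core WordPress APIs.
 */

// --- Vulnerable shape --------------------------------------------------
// Hooking only wp_ajax_{action} already limits the handler to logged-in
// users, but a Subscriber is logged in too. Nothing checks a capability and
// nothing checks a nonce, so a Subscriber can write the option directly,
// and an Administrator can be made to write it via CSRF.
add_action('wp_ajax_ppl_save_general_vulnerable', 'ppl_save_general_vulnerable');
function ppl_save_general_vulnerable() {
    update_option('example_header_js', $_POST['header_js']); // raw, unchecked
    wp_die('saved');
}

// Printing the stored value unescaped on every page turns that write into
// persistent XSS for every visitor.
add_action('wp_head', 'ppl_print_header_js_vulnerable');
function ppl_print_header_js_vulnerable() {
    echo '<script>' . get_option('example_header_js') . '</script>';
}

// --- Hardened shape ----------------------------------------------------
add_action('wp_ajax_ppl_save_general', 'ppl_save_general');
function ppl_save_general() {
    // 1. Capability: only users allowed to manage options may change them.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF: the request must carry the nonce the settings page issued;
    //    check_ajax_referer() dies if it is missing or invalid.
    check_ajax_referer('ppl_save_general', '_wpnonce');

    // 3. A setting that is meant to hold JavaScript cannot be sanitized into
    //    safety; restricting who may write it (step 1) is the real control.
    //    Still accept only a bounded string.
    $js = isset($_POST['header_js']) ? wp_unslash($_POST['header_js']) : '';
    if (!is_string($js) || strlen($js) > 65536) {
        wp_send_json_error('invalid', 400);
    }
    update_option('example_header_js', $js, false);
    wp_send_json_success();
}

// The settings form must emit the matching nonce for step 2 to verify.
function ppl_render_settings_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-ajax.php')) . '">';
    echo '<input type="hidden" name="action" value="ppl_save_general">';
    wp_nonce_field('ppl_save_general', '_wpnonce');
    echo '<textarea name="header_js">' . esc_textarea(get_option('example_header_js', '')) . '</textarea>';
    submit_button();
    echo '</form>';
}

// Settings that are NOT supposed to hold script are escaped on output for
// the context they land in: esc_html() in markup, esc_attr() in an
// attribute, esc_js() inside a JavaScript string literal.
add_action('wp_head', 'ppl_print_tagline');
function ppl_print_tagline() {
    $tagline = get_option('example_tagline', '');
    echo '<meta name="description" content="' . esc_attr($tagline) . '">';
}
```

The order of the checks matters less than their presence: the capability check is what stops the Subscriber-level attacker in the Project Supremacy Lite and PPOM posts, and the nonce check is what stops the CSRF against an Administrator in the Maintenance and Animate It! posts. Escaping on output is the fallback for settings that should never contain markup; it is not a substitute for the first two checks on a setting whose purpose is to hold script.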

8 Jul 2019

Recently Closed WordPress Plugin With 400,000+ Installs Contains Another Authenticated Persistent XSS Vulnerability

Back in April we ran across an authenticated persistent cross-site scripting (XSS) vulnerability in WP Google Maps after our monitoring of the WordPress Support Forum, which we do to keep track of publicly known vulnerabilities in plugins that customers of our service might be using, led us to a claim that WPEngine had flagged an XSS vulnerability in it. That vulnerability remained in the plugin for two months after that, and the team running the Plugin Directory apparently wasn’t concerned that a plugin with 400,000+ installs was known to be vulnerable. When it was fixed, it turns out that wasn’t part of a larger security improvement.

On Friday the plugin was closed on the Plugin Directory with no explanation of why (later on the developer said it was closed due to emails bouncing, which is a good illustration of why the reason for a closure should be stated, since even the developer didn’t know). As we do with all very popular plugins that are closed, we then took a look over the security of it, since it appears that hackers have been doing that, and we want to keep our customers ahead of hackers instead of leaving them to be hacked as so many security services do. One of the first things we did was to go back to the code we had found to be vulnerable before and see if there were any other similar issues still in the plugin. What we found is that by just scrolling down to the next function after the one we had identified as vulnerable before, the same type of vulnerability still exists. [Read more]