14 Sep 2016

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in CYSTEME Finder

Certain types of plugins are inherently more of a security concern because their intended functionality involves actions that hackers frequently attempt to exploit, so if something is wrong with their security it is likely the plugin will be exploited. That doesn’t mean that the people developing them are going to be very careful in coding them, or that the public using them is going to do any checking, as can be seen with the plugin CYSTEME Finder. The plugin, which has 7,000+ active installs according to wordpress.org, provides a file manager in WordPress, which allows uploading files and viewing the contents of files. We frequently see vulnerabilities in those two types of functionality targeted by hackers, with vulnerabilities in upload functionality much more likely to be successfully exploited and to lead to a website being hacked.

Recently someone under the handle T0w3ntum looked at the plugin and found that it contained arbitrary file upload and arbitrary file viewing vulnerabilities, as of version 1.3. The vulnerabilities existed because the plugin did not properly restrict access to the upload and file viewing functionality. In looking over the changes made to fix those in version 1.4, we were troubled by the odd choice of security code and found an additional vulnerability. The changelog entry for 1.4 states that there was a security fix involving “use of PHP session rather than REQUEST vars”. That didn’t sound like the type of change we would expect to fix this type of vulnerability in a WordPress plugin, and looking at the changes made didn’t change our view. Instead of checking, using WordPress functions, that requests to the plugin are made by someone who should be able to make them, the plugin checks a PHP session. While it looks to have fixed the vulnerabilities, not using the WordPress functionality specifically designed for this would make us wary of using such a plugin.
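To show what the WordPress-native approach looks like, here is an added example of an AJAX upload handler gated by WordPress’s own nonce and capability checks instead of a PHP session flag. It is not CYSTEME Finder’s code; the action name, nonce action and field names are hypothetical.

```php
<?php
// Added example (not the plugin's code): a WordPress AJAX upload handler that
// uses WordPress's own authorization primitives. Names below are hypothetical.

// Registering only the 'wp_ajax_' hook (and not 'wp_ajax_nopriv_') means
// requests from visitors who are not logged in never reach the handler.
add_action( 'wp_ajax_example_finder_upload', 'example_finder_handle_upload' );

function example_finder_handle_upload() {
    // 1. CSRF: the request must carry a nonce WordPress issued to this user.
    //    The page that renders the upload form would embed it with
    //    wp_create_nonce( 'example_finder_upload' ). check_ajax_referer()
    //    responds with 403 and exits when the nonce is missing or invalid.
    check_ajax_referer( 'example_finder_upload', '_wpnonce' );

    // 2. Authorization: ask WordPress what this user may do, rather than
    //    trusting a flag the plugin stored in $_SESSION earlier.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }

    // 3. File type: let WordPress enforce its allowed MIME list, so executable
    //    types are rejected even when the client-supplied name is misleading.
    $checked = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'] );
    if ( empty( $checked['ext'] ) || empty( $checked['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed' ), 400 );
    }

    // 4. Storage: wp_handle_upload() sanitizes the filename and keeps the file
    //    inside the uploads directory, so no caller-controlled path is used.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

A session-based check like the one the changelog describes only proves that some earlier request set a flag; it does not prove the current request was intentionally made by that user (the CSRF case) or that the user holds the capability to upload.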