Tag Archives: Disc Golf Manager – Plugin Vulnerabilities

What Happened With WordPress Plugin Vulnerabilities in April 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet):

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.

Cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Docs, discovered by us

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show.

Notably this month a couple of plugins with a combined 150,000+ active installations haven’t been fixed but other data sources all incorrectly list them as being fixed.

Cross-site request forgery (CSRF) vulnerability in Custom Permalinks, discovered by us
Arbitrary file deletion vulnerability in Google Drive for WordPress (wp-google-drive), discovered by Lenon Leite
PHP object injection vulnerability in Disc Golf Manager, discovered by us
Authenticated arbitrary file deletion vulnerability in Woo Import Export, discovered by Lenon Leite
Cross-site request forgery (CSRF)/arbitrary file deletion vulnerability in Woo Import Export, discovered by Lenon Leite
Arbitrary file deletion vulnerability in WP Pipes, discovered by Lenon Leite
Arbitrary file viewing vulnerability in WP with Spritz, discovered by Wadeek
Persistent cross-site scripting (XSS) vulnerability in WP Live Chat Support, discovered by Luigi Gubello
Persistent cross-site scripting (XSS) vulnerability in Caldera Forms, discovered by Federico Scalco

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month.

Local file inclusion (LFI) vulnerability in Simple Fields, discovered by ?
Authenticated cross-site scripting (XSS) vulnerability in My Calendar, discovered by Luigi Gubello
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in My WordPress Login Logo, discovered by ?
Cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in RatingWidget, discovered by ?
Cross-site request forgery (CSRF)/PHP object injection vulnerability in WP Docs, discovered by us
Settings change vulnerability in WP Image Zoom, discovered by Tom Adams of dxw
Cross-site request forgery (CSRF)/settings change vulnerability in WP Image Zoom, discovered by Tom Adams of dxw
Information disclosure vulnerability in RatingWidget, discovered by Tom Adams of dxw
Settings change vulnerability in Like Button Rating ♥ LikeBtn, discovered by Tom Adams of dxw
Information disclosure vulnerability in WP Security Audit Log, discovered by Colette Chamberland
Reflected cross-site scripting (XSS) vulnerability in Relevanssi, discovered by Stefan Broeder

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in a Another Brand New Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, Disc Golf Manager, and should have been something that the security review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to the upload and developer mode capabilities to facilitate that.

The vulnerability occurs in function flashProcess() in the file /main.php where the value of the cookie “disc_golf_flash” is passed through the unserialize() function, which can lead to PHP object injection:

4043
4044
4045

function flashProcess() {
	if(isset($_COOKIE[$this->key . '_flash'])) {
		$temp = unserialize(base64_decode($_COOKIE[$this->key . '_flash']));

That function will run anytime a WordPress page is being accessed:

3811	add_action('init', array($this, 'flashProcess'));

We notified the developer of the issue a week ago. We haven’t heard back from them and no new version has been released to fix the issue. In line with our disclosure policy, which is based on the need to provide our customers with information on vulnerabilities on a timely basis, we are now disclosing this vulnerability.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, set the value of the cookie “disc_golf_flash” to “TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=” and then when you visit a page on the webiste the message “PHP object injection has occurred.” will be shown.

Timeline

April 9, 2018 – Developer notified.