18 Oct

Not Really a WordPress Plugin Vulnerability, Week of October 18

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Cross Site Scripting in FooGallery, Popup Builder, and Soliloquy

Related claimed cross site scripting vulnerabilities in the plugins FooGallery, Popup Builder, and Soliloquy involve a common cause of false reports of persistent cross-site scripting (XSS) vulnerabilities, people not understanding that WordPress allows users with the unfiltered_html capability to do the equivalent of XSS. In this case if you follow the instruction you find that you are entering the XSS code in the title of a custom WordPress post, which is permitted to happen for users with the unfiltered_html capability, but is not permitted for those without that. [Read more]

26 Feb

Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius

On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to vulnerable we didn’t further check in to what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.

As part of our daily monitoring of subversion log messages from the WordPress Plugin Directory for mentions of security fixes, we found that 10 plugins had mentions of security fixes yesterday, which is way out of line with what we normally see and hinted that there might be a common issue between the plugins. As we started trying to figure out what was going on, we noticed that many of them were updating a third-party library Freemius, which is described as  a”[m]onetization, analytics, and marketing automation platform”. In looking in to that we noticed that Freemius was citing WP Security Audit Log as using their library. With one of those plugins, looking at the changes made, we saw the possibility that a major vulnerability had been fixed. Further checking confirmed that an authenticated option update vulnerability was fixed, which would allow anyone with access to a WordPress account to take over a website and is a type of vulnerability hackers have tried to exploit widely in the past so there is likely to be plenty of attempts due to this. [Read more]

01 Nov

Full Disclosure of Authenticated XSS Vulnerability in WordPress Plugin With 100,000+ Installs

One of the elements of the inappropriate behavior of the moderators of the WordPress Support Forum that has lead us to full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up has been to delete messages about vulnerabilities in WordPress plugins while doing nothing to get them fixed. We don’t know how they think this is a good idea since it just limits getting things fixed, which is what is the important thing to do about vulnerabilities, while not actually hiding the vulnerabilities.

Sometimes things get even odder, as once again we ran across the moderator Steven Stern (sterndata) delete a topic well after it would even seem to do much, if any, good. The last time we ran across them doing that it probably slowed down getting a vulnerability fixed that was claimed to be being exploited already (but likely wasn’t actually being exploited). If it was really already being exploited then the horse is already well out of the barn and by the time they deleted it, the topic had been up for a couple of days, so others had plenty of time to have seen it, which would make getting it fixed quickly what should have been focused on instead of making that harder. In this instance they deleted a topic on something that isn’t even really a vulnerability, as the developer had explained at the time, over a month after it was posted. What good they think that will do to delete that we don’t know. Before we realized that we had actually seen the earlier claims and concluded there really wasn’t an issue, we went to see what might be at issue with the plugin and found a real vulnerability. So their action is actually causing a real vulnerability to be full disclosed, which is exactly the kind of counterproductive behavior the moderators excel in. [Read more]