26 Oct

The Need for More Systematic Reviewing of the Security of WordPress Plugins

Yesterday we full disclosed a PHP object injection vulnerability in the plugin Give, which has 50,000+ active installations according to wordpress.org. One of the ways that could be exploited is through cross-site request forgery (CSRF) and we noted the following in relation to that:

There is no check for a nonce to prevent CSRF before that occurs or it appears at all in that function, which might allow for other security issues. The plugin looks like it might be very insecure, which is exactly why the Plugin Security Checker’s limited checking can be so useful in identifying plugins that could use a more thorough review. [Read more]

25 Oct

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin With 50,000+ Active Installs

One of the things we have found while looking at the results of our automated tool for identifying possible security issues in WordPress plugins, the Plugin Security Checker, is that minor possible vulnerabilities that it can identify can be good indications that there are broader issues with security in a plugin. That is the case with the plugin Give, which has 50,000+ active installations according to wordpress.org.

While looking over the 1,000 most popular WordPress plugins using some checks from the Plugin Security Checker we were alerted to a possible issue with this plugin. Unrelated usage of serialization in the code we were looking at then lead us to take a look if there might be any PHP object injection vulnerabilities in the plugin, which unlike the issue originally identified are fairly likely to be exploited. That quickly led to us identifying one that can be exploited by anyone logged in to WordPress or through cross-site request forgery (CSRF). [Read more]