28 Jun 2019

Closures of Very Popular WordPress Plugins, Week of June 28

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.

This week one of those plugins was closed and it has been reopened. [Read more]

21 Jun 2019

Cross-Site Request Forgery (CSRF)/Media Deletion Vulnerability in Import users from CSV with meta

One of the changelog entries for the latest version of Import users from CSV with meta is “XSS problem fixed when displaying data imported thanks to lckjack who reports it”. While looking to see if there was a related vulnerability that we should be notifying the customers of our service about if they use that plugin, we found a vulnerability we could confirm still exists. It turns out the plugin’s functionality for deleting files uploaded through it isn’t properly secured, so an attacker could cause logged-in Administrators to delete any WordPress media file without intending to.

The plugin registers the function that handles that deletion through its AJAX functionality, making it accessible to anyone logged in to WordPress: [Read more]

18 Mar 2019

Vulnerability Details: CSRF/XSS in Import users from CSV with meta

The changelog entry for the latest version of Import users from CSV with meta is “Security fixes to prevent Reflected Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), thanks to Application Security for reporting”. Looking at the changes made in that version, we confirmed that a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability was fixed in that version. That isn’t the first time someone has reported a CSRF vulnerability in the plugin’s admin functionality, as we did that for other functionality in September of 2016. Looking further, we found that they still haven’t fully resolved the issues with that, which we will detail in a follow-up post.

[Read more]

2 Sep 2016

Authenticated Media Deletion Vulnerability in Import users from CSV with meta

One frequent source of security issues being discovered these days is a lack of proper restriction on who can access functions that are made accessible through WordPress’ AJAX functionality. By default those functions are accessible to anyone who is logged in to WordPress, even though the functions are often intended to be accessible only to high-level users. For many websites where there is only a single Administrator account or a small number of trusted users these vulnerabilities don’t pose a risk, but for plugins that are intended to be used in environments where that isn’t the case it is more of a concern. One such plugin is Import users from CSV with meta, which allows for importing thousands of users quickly.

As of version 1.9.4.6, the plugin makes the function acui_delete_attachment() available through the AJAX functionality in the file /import-users-from-csv-with-meta.php here: [Read more]

2 Sep 2016

Cross-Site Request Forgery (CSRF)/User Import Vulnerability in Import users from CSV with meta

Recently we have been taking a quick look over plugins that handle importing users into WordPress for security issues, since their functionality could be useful to hackers.

In looking over the Import users from CSV with meta plugin we found that as of version 1.9.4.6 the plugin did not include protection against cross-site request forgery (CSRF) for requests to import users. So if you could get a logged-in administrator to access a page you control, you could cause them to create new users with the Administrator role that you could then access. [Read more]