7 Nov 2022

Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin Photo Gallery

One of the changelog entries for the latest version of the WordPress plugin Photo Gallery is “Fixed: Open Redirect and XSS Reflected vulnerability.” While the open redirect vulnerability wasn’t fixed, we confirmed that a reflected cross-site scripting (XSS) vulnerability was indeed fixed.


[Read more]

7 Nov 2022

Open Redirect Vulnerability in WordPress Plugin Photo Gallery

One of the changelog entries for the latest version of the WordPress plugin Photo Gallery is “Fixed: Open Redirect and XSS Reflected vulnerability.” Looking at the changes made in that version and then doing some testing, we found that the open redirect vulnerability hasn’t been fixed.


[Read more]

3 Jun 2022

Not Really a WordPress Plugin Vulnerability, Week of June 3

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ Stored Cross-Site Scripting in Photo Gallery

Automattic’s WPScan made this claim about a supposed admin+ stored cross-site scripting vulnerability in the plugin Photo Gallery: [Read more]

15 Apr 2022

Vulnerability Details: SQL Injection in Photo Gallery

Last week a new version of the WordPress plugin Photo Gallery was released that had a couple of changelog entries indicating that vulnerabilities might have been fixed in it. As at least one of our customers was using the plugin, we took a look over the changes made and found they appeared to be duplicating existing security in places, which was confusing.


[Read more]

14 Apr 2022

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Photo Gallery

Last week a new version of the WordPress plugin Photo Gallery was released that had a couple of changelog entries indicating that vulnerabilities might have been fixed in it. As at least one of our customers was using the plugin, we took a look over the changes made and found they appeared to be duplicating existing security in places, which was confusing.


[Read more]

24 Jun 2021

10Web Partners With Patchstack While Leaving Their WordPress Plugins Vulnerable

One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.

Yesterday we mentioned one security provider, Patchstack, in the context of them and their Red Team not having a basic understanding of WordPress security. While looking more into Patchstack, we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them in trying to work with them to fix a security vulnerability in one of their plugins, and with what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, contains the same vulnerability we have tried to work with them to fix in one of their plugins. [Read more]

14 May 2019

Authenticated Local File Inclusion (LFI) Vulnerability in Photo Gallery by 10Web

Earlier today we detailed a vulnerability for our customers in a plugin by 10Web/TenWeb/Web-Dorado, where, while the vulnerability was fixed, the code still wasn’t properly secured. So what we then found while looking into the possibility that a vulnerability had also been fixed in their Photo Gallery (Photo Gallery by 10Web) plugin was not all that surprising. While trying to confirm that an authenticated persistent cross-site scripting (XSS) vulnerability had been fixed in the plugin, we got an error message that indicated there was, and we then confirmed there still is, an authenticated local file inclusion (LFI) vulnerability in the plugin. It really isn’t a great sign for the security of WordPress plugins that you can accidentally run into a vulnerability in a plugin with 300,000+ installs (according to wordpress.org).

The error message indicated that user input from a shortcode generated through the plugin was being passed to the following line of code in the file /frontend/controllers/controller.php through the variable $view: [Read more]

14 May 2019

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Photo Gallery by 10Web

One of the changelog entries for a new version of the plugin Photo Gallery (Photo Gallery by 10Web) released yesterday is “Fixed: Authenticated stored XSS.” Looking at the changes made in that version, it appears that refers to a change made in the plugin’s shortcode functionality. In testing this out we found that previously, logged-in users could create new shortcodes for the plugin that included malicious JavaScript, so there was an authenticated persistent cross-site scripting (XSS) vulnerability.


[Read more]

23 Jun 2017

Not Really a WordPress Plugin Vulnerability – Week of June 23, 2017

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. We have been thinking that providing information on why those are not included in our service’s data could be useful, so we are trying out putting together a weekly post detailing those issues.

Authenticated Arbitrary File Viewing Vulnerability in Photo Gallery

The title of the report, “Path traversal in Photo Gallery may allow admins to read most files on the filesystem”, seems to explain the issue well, as only Administrators (or more accurately, those with the “manage_options” capability) were able to take advantage of the issue. Normally, not only could they edit the plugin to remove protection against the issue, but they could also just install another plugin that could do what the issue in this plugin would have allowed. [Read more]