01 Dec

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Paid customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

The most concerning vulnerabilities this month were a pair of arbitrary file upload vulnerability, one  in the first version of a plugin, which points to the need for changes to the security reviews that are supposed to be done before plugins can enter the Plugin Directory, and other in a plugin that has been removed from the Plugin Directory for an undisclosed reason.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 1,054,600+ active installs:

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. The most concerning of the bunch was an authenticated remote code execution (RCE) vulnerability in Shortcodes Ultimate as there exploitation attempts against it before it was fixed (some of them also used the shortcode execution vulnerability in Formidable Forms, though that may have only started being exploited after it was fixed).

27 Nov

Did the WordPress Plugin Directory Know That PHP Event Calendar Contains an Exploitable Vulnerability?

A day ago we had what looks to be a request from a hacker for a file that would be located at /wp-content/plugins/php-event-calendar/server/file-uploader/index.php. That would be a file in the plugin PHP Event Calendar. In the Plugin Directory the plugin “has been closed and is no longer available for download”, but no reason is given as to why that is.

In looking around we couldn’t find any public disclosure of a security issue related to that file.

Looking at the code in that file, /server/file-uploader/index.php, in the most recent version of the plugin it simple sets up an instance of the jQuery File Upload Plugin PHP Class library located in the file /server/file-uploader/UploadHandler.php:

13
14
15
16
17
error_reporting(E_ALL | E_STRICT);
require('UploadHandler.php');
 
$custom_dir = $_REQUEST['custom_dir'];
$upload_handler = new UploadHandler(array('upload_dir' => $custom_dir));

In the UploadHandler.php file there is no restriction placed on what type of files can be uploaded through it:

92
'accept_file_types' => '/.+$/i',

So any type of file can be uploaded through it, leading to an arbitrary file upload vulnerability.

Because WordPress continues to refuse to properly handle closed plugins like this, we have no idea if they have known about vulnerability and didn’t warn people about it or if the plugin was closed for some other reason.

Since this vulnerability is being exploited, we are adding the vulnerability to the free data that comes with our service’s companion plugin, so even those not yet using our service can be warned if they are using a vulnerable version of the plugin.

Worth noting here is that this vulnerability was introduced as a security fix, as the relevant changelog entry when it was added was:

Important security fix. Replace Uploadify with jQuery File Upload

As far as we can tell what they replaced was actually more secure and had been inaccurately labeled as leading to an arbitrary file upload vulnerability (as the types of files that could be uploaded were limited).

That change seems like a good example of where our idea of providing an ability for plugin developers to submit information to WordPress on security fixes and then allowing others to review the changes could help to improve security. In the meantime we continue to offer free help to developers dealing with security vulnerabilities (that is an offer that hasn’t been taken up outside of developers we have contacted to let them know of vulnerabilities we or others have discovered).

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/php-event-calendar/server/file-uploader/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/php-event-calendar/server/file-uploader/" method="POST" enctype="multipart/form-data">
<input type="file" name="files" />
<input type="submit" value="Submit" />
</form>
</body>