14 Nov 2023

Using Our Plugin Security Checker to Find a Reflected XSS Vulnerability Patchstack Claimed Was in a Plugin

We have been seeing a recurring issue recently where users of WordPress plugins ask the developers whether they are going to fix vulnerabilities that a WordPress security provider, Patchstack, has claimed are in those plugins. The developers respond, accurately, that Patchstack hasn't provided any details of what the issue is supposed to be. That obviously makes it difficult to address the issue if there really is a vulnerability, or otherwise to refute the claim. A recent instance of that involved a claim of a reflected cross-site scripting (XSS) vulnerability in the plugin WP Bannerize Pro.

Here are the “details” Patchstack provided: [Read more]

11 Feb 2022

Our Plugin Security Checker Warned of Misuse of esc_sql() in WordPress Plugin That Leads to SQL Injection Vulnerability

One of the things we offer to help people keep their WordPress websites protected from vulnerabilities in WordPress plugins is our Plugin Security Checker, which flags the possibility of some instances of security issues in plugins.

To continue improving the results it produces, we occasionally review issues it flags when people run plugins from the WordPress Plugin Directory through it. Recently the plugin Code Manager was run through it. One of the issues identified was possible misuse of the esc_sql() function: [Read more]
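The entry above does not show the flagged code, so here is an added illustration of the misuse pattern the tool warns about; it is not code from Code Manager or from the Plugin Security Checker. esc_sql() only escapes quote characters, so it protects a value only when that value is placed inside a quoted string literal in the query. In an unquoted context (a numeric comparison, a column name, an ORDER BY direction) the attacker never needs a quote, and esc_sql() does nothing useful. The table and function names are hypothetical.

```php
<?php
// Hypothetical plugin code, written for this illustration.

// VULNERABLE: esc_sql() applied to an identifier that is interpolated without quotes.
// A request such as ?orderby=id,(SELECT SLEEP(5)) contains no quote characters,
// so the escaping leaves the payload intact and it reaches MySQL unchanged.
function example_get_items_vulnerable( $orderby ) {
	global $wpdb;
	$orderby = esc_sql( $orderby );
	return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}example_items ORDER BY $orderby" );
}

// ALSO VULNERABLE: numeric context without quotes. ?id=1 OR 1=1 works as-is.
function example_get_item_vulnerable( $id ) {
	global $wpdb;
	$id = esc_sql( $id );
	return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}example_items WHERE id = $id" );
}

// FIXED: values go through $wpdb->prepare() with typed placeholders, and identifiers
// (which prepare() cannot handle) are restricted to a fixed allow-list.
function example_get_items_fixed( $orderby, $id ) {
	global $wpdb;
	$allowed_columns = array( 'id', 'name', 'created' );
	if ( ! in_array( $orderby, $allowed_columns, true ) ) {
		$orderby = 'id';
	}
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT * FROM {$wpdb->prefix}example_items WHERE id = %d ORDER BY $orderby",
			$id
		)
	);
}
```

When reviewing flagged esc_sql() calls, the check is the same one the fixed function applies: look at the query text around the interpolated variable and confirm it sits between quotes; if it does not, the escaping is cosmetic and the call needs prepare() or an allow-list.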

4 Nov 2019

Recently Closed WordPress Plugin with 70,000+ Installs Contains Authenticated Persistent XSS Vulnerability

The plugin Easy Columns was closed on the WordPress Plugin Directory on Sunday of last week. It is one of the 1,000 most popular plugins, with 70,000+ installs, so we were alerted to its closure. While looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found from the results our Plugin Security Checker produced for the plugin that it contains an authenticated persistent cross-site scripting (XSS) vulnerability.

An example of that issue involves the plugin’s ezcol_1quarter shortcode, which calls the function one_quarter(): [Read more]
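As an added illustration of the class of issue described above (this is not the Easy Columns code), the following shows why an unescaped shortcode attribute is an authenticated persistent XSS. Shortcodes can be placed in post content by any user who can write posts, including Contributors, and wp_kses filtering does not touch shortcode attribute text because it is not HTML markup; whatever the shortcode callback echoes unescaped is then rendered for every visitor. The shortcode name and attributes are hypothetical.

```php
<?php
// Hypothetical shortcode callback, written for this illustration.

// VULNERABLE: attribute values are concatenated straight into HTML attributes.
// Stored post content of the form
//   [example_column id='x" onmouseover="alert(document.cookie)']
// renders as <div id="x" onmouseover="alert(document.cookie)" ...> for every viewer.
function example_column_vulnerable( $atts, $content = null ) {
	$atts = shortcode_atts( array( 'id' => '', 'class' => '' ), $atts );
	return '<div id="' . $atts['id'] . '" class="' . $atts['class'] . '">'
		. do_shortcode( $content ) . '</div>';
}

// FIXED: every attribute value is escaped for the HTML attribute context it lands in.
// esc_attr() turns the embedded double quote into &quot;, so the attribute cannot be
// closed early and no event handler can be injected.
function example_column_fixed( $atts, $content = null ) {
	$atts = shortcode_atts( array( 'id' => '', 'class' => '' ), $atts );
	return '<div id="' . esc_attr( $atts['id'] ) . '" class="' . esc_attr( $atts['class'] ) . '">'
		. do_shortcode( $content ) . '</div>';
}
add_shortcode( 'example_column', 'example_column_fixed' );
```

The same rule applies to each output context a shortcode writes into: esc_attr() for attributes, esc_html() for element text, esc_url() for href/src values. Running $content through do_shortcode() is fine because nested shortcodes are themselves filtered by their own callbacks; the danger is only in the attribute values the callback emits itself.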

27 Aug 2019

Our Plugin Security Checker Caught the Reflected XSS Vulnerability Missed in Easy Registration Forms

The changelog for the latest version of Easy Registration Forms reads "Security improvement." When we looked at the changes made in that version to see if there was a vulnerability we should be adding to the data set for our service, what we saw was that the insecure code being changed should have been flagged by our Plugin Security Checker, an automated tool that can identify some possible issues in WordPress plugins, if someone had run the plugin through it. Comparing the tool's results for the previous version of the plugin against the changes made, we found that only two of the three instances it flagged had been fixed. One possible explanation is that the developer inadvertently fixed a vulnerability while making an unrelated security improvement.

With the developer mode of the Plugin Security Checker enabled, this line of code is still flagged by the tool in the new version of the plugin: [Read more]

20 Aug 2019

Our Plugin Security Checker Now Warns About Usage of Outdated/Insecure Versions of the Redux Framework

We are currently working on a security review of a fairly popular WordPress plugin that the developer hired us to do. While working on that we have found a number of issues with the Redux Framework, a third-party library for handling the settings of WordPress plugins. We also noticed that it would be easy enough to add a check to our Plugin Security Checker for outdated versions of it being included in plugins run through the tool, since, unlike a lot of third-party libraries, it includes a version number. While it might make sense to warn about usage of an outdated version, an outdated version is not necessarily insecure. In looking over its changelog we noticed that the entry for version 3.5.8.7 is:

Fixed: Reflective XSS security fix. Thanks to Kacper Szurek for the information. [Read more]
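The following is an added sketch of the kind of check described above; it is not the Plugin Security Checker's own code. It assumes that a bundled copy of Redux Framework 3.x declares its version in ReduxCore/framework.php as a `public static $_version = '...';` property (an assumption about the library's layout, not something the entry above states), and it uses the changelog entry just quoted to set the minimum version that carries the XSS fix. The sample source text is constructed for the illustration.

```php
<?php
// Hypothetical checker logic, written for this illustration.

// Version that carried the reflected XSS fix, from the changelog entry quoted above.
const EXAMPLE_REDUX_XSS_FIXED_IN = '3.5.8.7';

// Constructed sample of the declaration as assumed to appear in a bundled Redux copy.
$example_framework_php = <<<'PHP'
<?php
class ReduxFramework {
    public static $_version = '3.5.8.4';
    public static $_dir;
PHP;

// Extract the declared version string, or return null if none is present.
function example_redux_version_from_source( $php_source ) {
	if ( preg_match( '/\$_version\s*=\s*[\'"]([0-9]+(?:\.[0-9]+)*)[\'"]/', $php_source, $m ) ) {
		return $m[1];
	}
	return null;
}

// Produce the warning the tool would show: an outdated bundled copy is flagged, and if it
// predates the XSS fix the warning says so, since "outdated" alone is not "insecure".
function example_check_redux( $php_source, $latest_known = '3.6.15' ) {
	$found = example_redux_version_from_source( $php_source );
	if ( null === $found ) {
		return null; // no Redux declaration found; nothing to report
	}
	if ( version_compare( $found, EXAMPLE_REDUX_XSS_FIXED_IN, '<' ) ) {
		return "Bundled Redux Framework $found predates " . EXAMPLE_REDUX_XSS_FIXED_IN
			. ', which fixed a reflected XSS vulnerability.';
	}
	if ( version_compare( $found, $latest_known, '<' ) ) {
		return "Bundled Redux Framework $found is outdated (latest known: $latest_known).";
	}
	return null;
}

echo example_check_redux( $example_framework_php ), "\n";
```

The `$latest_known` default is a placeholder the checker would replace with whatever release it currently tracks. PHP's version_compare() handles the four-part version numbers Redux used, so there is no need for a custom comparison routine.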

13 Aug 2019

Reflected Cross-Site Scripting (XSS) Vulnerability in Import Social Events

One of the changelog entries for the latest version of Import Social Events is "IMPROVEMENT: Some Security Improvements." Looking at the changes made, we saw that sanitization was being added in a number of locations. The first instances of that didn't have any security impact, though, so we ran the previous version of the plugin through our Plugin Security Checker tool to see if it flagged any possible issues. It flagged the code below as possibly being vulnerable, which we then confirmed. Looking at the changes made, that wasn't fixed.

We also noticed that similar code on the line after the vulnerable code could also lead to a vulnerability and wasn't flagged by the tool. We made an improvement to the tool so that it will catch that in the future. [Read more]

7 Aug 2019

Open Redirect Vulnerability in JSON API

In looking over some of the instances where plugins have been run through our Plugin Security Checker tool and flagged for possibly containing open redirect vulnerabilities, what we have usually found is that they lead to vulnerabilities of that type that are limited in scope, say the redirect can only occur for logged-in Administrators. With the plugin JSON API, which someone checked with the tool recently, there isn't any such restriction.

The plugin registers the function template_redirect() to run during template_redirect, so when frontend pages load: [Read more]

22 Jul 2019

Our Plugin Security Checker Caught an Authenticated Open Redirect Vulnerability in Breeze

Our Plugin Security Checker allows anyone to check for the possibility of some instances of security vulnerabilities in WordPress plugins. While we would describe the tool as far from advanced in what it can do, with the current state of security in WordPress plugins it has been able to spot vulnerabilities even in fairly popular plugins. That is the case with the plugin Breeze, which has 70,000+ installs, where it flagged the possibility of an open redirect vulnerability. A quick check confirmed an authenticated variant of that, which makes it of limited concern, though it is something that could easily have been avoided.

The tool identified the following two lines of code as possibly leading to an open redirect: [Read more]
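The two entries above (JSON API, an unauthenticated redirect on frontend page loads, and Breeze, an authenticated one) describe the same underlying pattern, so here is one added illustration covering both; it is not code from either plugin. The hook names and request parameters are hypothetical. The fix relies on wp_safe_redirect(), which passes the target through wp_validate_redirect() and falls back to admin_url() unless the host is the site's own or has been allowed via the allowed_redirect_hosts filter.

```php
<?php
// Hypothetical plugin code, written for this illustration.

// VULNERABLE, UNAUTHENTICATED: runs on every frontend page load via template_redirect,
// so https://site.example/?redirect=https://evil.example sends any visitor off-site.
function example_frontend_redirect_vulnerable() {
	if ( isset( $_GET['redirect'] ) ) {
		wp_redirect( wp_unslash( $_GET['redirect'] ) ); // no host validation
		exit;
	}
}
add_action( 'template_redirect', 'example_frontend_redirect_vulnerable' );

// VULNERABLE, AUTHENTICATED: the same flaw inside an admin-only page handler. Only a
// logged-in user who can reach the page can be redirected, which limits the impact but
// still lets a crafted link bounce an administrator to an attacker-controlled site.
function example_admin_redirect_vulnerable() {
	if ( isset( $_GET['return_url'] ) ) {
		wp_redirect( wp_unslash( $_GET['return_url'] ) );
		exit;
	}
}
add_action( 'admin_post_example_action', 'example_admin_redirect_vulnerable' );

// FIXED: wp_safe_redirect() validates the destination host. An off-site target such as
// https://evil.example is replaced by the fallback (admin_url() by default).
function example_frontend_redirect_fixed() {
	if ( isset( $_GET['redirect'] ) ) {
		wp_safe_redirect( wp_unslash( $_GET['redirect'] ), 302 );
		exit;
	}
}

// If a specific external destination is genuinely required, allow that host explicitly
// rather than dropping back to wp_redirect(). The host here is a placeholder.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
	$hosts[] = 'partner.example.com';
	return $hosts;
} );
```

A useful review habit when the tool flags wp_redirect(): note which hook the function runs on. A callback on template_redirect, init, or wp_loaded executes for anonymous visitors, while one reached only through an admin page or an authenticated admin-post action gives the authenticated variant described for Breeze.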

18 Jul 2019

Outputting $_SERVER['PHP_SELF'] Without Escaping Isn't Safe for WordPress Plugins

One of the frustrating aspects of dealing with the security of WordPress plugins is that so often people seem unwilling to learn from their mistakes. The people running the Plugin Directory, for example, seem to be creating their own reality to avoid even acknowledging their mistakes. We work hard to avoid mistakes, but when they happen we are happy to learn from them and improve what we are doing.

We recently made a mistake. In looking into the possibility that a vulnerability had been fixed in a plugin, we got things wrong and wrote this: [Read more]

17 Jul 2019

Our Plugin Security Checker Caught a Reflected XSS Vulnerability in Export User Data

Our Plugin Security Checker allows anyone to check for the possibility of some instances of security vulnerabilities in WordPress plugins. We have recently been making some improvements to its ability to detect the possibility of reflected cross-site scripting (XSS) vulnerabilities, which led us to check over some of the code the tool recently flagged for that issue to see how the changes have affected the quality of the results. Through that we found that the plugin Export User Data, which has 20,000+ installs, contains that type of vulnerability.

Our tool flags this line of code in the plugin's file export-user-data.php: [Read more]
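Several entries above concern reflected XSS from unescaped request data: the Easy Registration Forms, Import Social Events and Export User Data entries, and the $_SERVER['PHP_SELF'] entry. The following is an added illustration of the pattern and its fix; it is not code from any of those plugins. PHP_SELF deserves its own mention because it is not a fixed script path: on servers that pass PATH_INFO through to PHP, a request for /wp-admin/admin.php/"><script>alert(1)</script> makes PHP_SELF carry the payload, so echoing it unescaped into a form action is just another reflected XSS. The page slug and parameter names are hypothetical.

```php
<?php
// Hypothetical admin page output, written for this illustration.

// VULNERABLE: two reflected XSS sinks in one form.
//  1. The action attribute is built from PHP_SELF, which can carry attacker-controlled
//     PATH_INFO text.
//  2. A request parameter is echoed into a value attribute, so
//     ?page=example&tab=x"><script>alert(1)</script> executes for whoever opens the link.
function example_settings_form_vulnerable() {
	echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=example">';
	$tab = isset( $_GET['tab'] ) ? $_GET['tab'] : 'general';
	echo '<input type="hidden" name="tab" value="' . $tab . '">';
	echo '</form>';
}

// FIXED: the action is built from the known admin URL instead of PHP_SELF and escaped
// for attribute context with esc_url(); the request value is sanitized to the narrow
// form it should have and escaped with esc_attr() at the point of output.
function example_settings_form_fixed() {
	$action = admin_url( 'admin.php?page=example' );
	echo '<form method="post" action="' . esc_url( $action ) . '">';
	$tab = isset( $_GET['tab'] ) ? sanitize_key( wp_unslash( $_GET['tab'] ) ) : 'general';
	echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
	echo '</form>';
}

// If PHP_SELF genuinely must be output, escaping for the context is what makes it safe;
// esc_url() here turns the injected quote and angle brackets into entities.
function example_php_self_for_action() {
	return esc_url( $_SERVER['PHP_SELF'] );
}
```

The sanitization step (sanitize_key()) is defence in depth, not a substitute for escaping: the escaping function chosen for the output context (esc_attr() for attributes, esc_html() for text, esc_url() for URLs) is what the Plugin Security Checker is looking for on the flagged lines, and a value that has only been sanitized on input will still be flagged, correctly, if it is echoed without it.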