04 Nov

Recently Closed WordPress Plugin with 70,000+ Installs Contains Authenticated Persistent XSS Vulnerability

The plugin Easy Columns was closed on the WordPress Plugin Directory on Sunday of last week. It is one of the 1,000 most popular plugins, with 70,000+ installs, so we were alerted to its closure. While looking into the plugin to see if it contained any serious vulnerabilities we should warn users of the plugin that also use our service about, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability, after looking at the results our Plugin Security Checker produced for it.

An example of that issue involves the plugin’s ezcol_1quarter shortcode, which calls the function one_quarter(): [Read more]
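The one_quarter() code itself is not included in this excerpt. As an added example, not code from Easy Columns or from the original post, here is a hypothetical shortcode with the same shape (a shortcode attribute written into an HTML attribute without escaping) next to the hardened form. The shortcode name demo_col and its class attribute are assumptions, and the snippet assumes it runs inside a WordPress plugin, where shortcode_atts(), esc_attr(), sanitize_html_class() and do_shortcode() exist.

```php
<?php
// Added example, not code from Easy Columns or from the original post.
// Hypothetical shortcode [demo_col]; assumes it runs inside a WordPress
// plugin, so shortcode_atts(), esc_attr(), sanitize_html_class() and
// do_shortcode() are available.

// VULNERABLE: the 'class' attribute is copied straight into the markup.
// Authors and Contributors cannot post raw <script> (they lack the
// unfiltered_html capability), but the shortcode text is not an HTML tag,
// so kses leaves it alone and they can write
//   [demo_col class='" onmouseover="alert(document.cookie)']text[/demo_col]
// WordPress stores the post and renders the injected handler for every
// visitor who views it: an authenticated, persistent XSS.
function demo_col_vulnerable( $atts, $content = null ) {
    $atts = shortcode_atts( array( 'class' => '' ), $atts, 'demo_col' );
    return '<div class="demo-col ' . $atts['class'] . '">'
         . do_shortcode( $content )
         . '</div>';
}

// HARDENED: escape for the context the value lands in. esc_attr() encodes
// the quotes, so the value cannot leave the class attribute;
// sanitize_html_class() additionally restricts it to [A-Za-z0-9_-], which
// is all a CSS class needs. $content is only passed through do_shortcode()
// to expand nested shortcodes; the post body itself was already filtered
// according to the author's role when it was saved.
function demo_col_fixed( $atts, $content = null ) {
    $atts  = shortcode_atts( array( 'class' => '' ), $atts, 'demo_col' );
    $class = sanitize_html_class( $atts['class'] );
    return '<div class="demo-col ' . esc_attr( $class ) . '">'
         . do_shortcode( $content )
         . '</div>';
}

add_shortcode( 'demo_col', 'demo_col_fixed' );
```

To reproduce the issue in a test site, add the vulnerable handler instead of the fixed one, create a post as a Contributor containing the payload shortcode, and view it: the handler fires even though the Contributor could never have saved an onmouseover attribute directly. The fix is the escaping call, not the capability check, because the shortcode is meant to be usable by low-privilege authors.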

27 Aug

Our Plugin Security Checker Caught the Reflected XSS Vulnerability Missed in Easy Registration Forms

The changelog for the latest version of Easy Registration Forms reads “Security improvement.” When we looked at the changes made in that version, to see if there was a vulnerability we should be adding to the data set for our service, what we saw was that the insecure code being changed should have been flagged by our Plugin Security Checker, an automated tool that can identify some possible issues in WordPress plugins, if someone had run the plugin through it. Comparing the tool’s results for the previous version of the plugin against the changes made, we found that only two of the three instances it flagged had been fixed. One possible explanation is that the developer inadvertently fixed a vulnerability while making an unrelated security improvement.

With the developer mode of the Plugin Security Checker enabled, this line of code is still flagged by the tool in the new version of the plugin: [Read more]

20 Aug

Our Plugin Security Checker Now Warns About Usage of Outdated/Insecure Versions of Redux Framework

We are currently working on a security review of a fairly popular WordPress plugin that its developer hired us to do. While working on that we have found a number of issues with the Redux Framework, a third-party library for handling the settings of WordPress plugins. We also noticed that it would be easy enough to add a check to our Plugin Security Checker for outdated versions of it being included in plugins run through that tool, since, unlike a lot of third-party libraries, it does include a version number. While it makes sense to warn about usage of an outdated version, an outdated version is not necessarily insecure. In looking over its changelog we noticed that the entry for version 3.5.8.7 is:

Fixed: Reflective XSS security fix. Thanks to Kacper Szurek for the information. [Read more]

13 Aug

Reflected Cross-Site Scripting (XSS) Vulnerability in Import Social Events

One of the changelog entries for the latest version of Import Social Events is “IMPROVEMENT: Some Security Improvements.” Looking at the changes made, we saw that sanitization was being added in a number of locations. The first instances of that didn’t have any security impact, though, so we ran the previous version of the plugin through our Plugin Security Checker tool to see if it flagged any possible issues. It flagged the code below as possibly being vulnerable, which we then confirmed. Looking at the changes made, that wasn’t fixed.

We also noticed that similar code on the line after the vulnerable code could also lead to a vulnerability and wasn’t flagged by the tool. We have made an improvement to the tool so that it will catch that in the future. [Read more]

07 Aug

Open Redirect Vulnerability in JSON API

In looking over instances where plugins have been run through our Plugin Security Checker tool and flagged for possibly containing open redirect vulnerabilities, what we have usually found is that these lead to vulnerabilities that are limited in scope, say where the redirect can only occur for logged-in Administrators. With the plugin JSON API, which someone checked with the tool recently, there isn’t any such restriction.

The plugin registers the function template_redirect() to run during template_redirect, so when frontend pages load: [Read more]

22 Jul

Our Plugin Security Checker Caught an Authenticated Open Redirect Vulnerability in Breeze

Our Plugin Security Checker allows anyone to check for the possibility of some instances of security vulnerabilities in WordPress plugins. While we would describe the tool as far from advanced in what it can do, given the current state of security in WordPress plugins it has been able to spot vulnerabilities even in fairly popular plugins. That is the case with the plugin Breeze, which has 70,000+ installs, where it flagged a possible open redirect vulnerability. A quick check confirmed it, as an authenticated variant, which makes it of limited concern, though it is something that could have easily been avoided.

The tool identified the following two lines of code as possibly leading to an open redirect: [Read more]

18 Jul

Outputting $_SERVER['PHP_SELF'] Without Escaping Isn’t Safe for WordPress Plugins

One of the frustrating aspects of dealing with the security of WordPress plugins is that so often people seem unwilling to learn from their mistakes. The people running the Plugin Directory, for example, seem to be creating their own reality to avoid even acknowledging their mistakes. We work hard to avoid mistakes, but when they happen we are happy to learn from them and improve what we are doing.

We recently made a mistake. In looking into the possibility that a vulnerability had been fixed in a plugin, we got things wrong and wrote this: [Read more]

17 Jul

Our Plugin Security Checker Caught a Reflected XSS Vulnerability in Export User Data

Our Plugin Security Checker allows anyone to check for the possibility of some instances of security vulnerabilities in WordPress plugins. We have recently been making some improvements to its ability to detect possible reflected cross-site scripting (XSS) vulnerabilities, which led us to check over some of the code the tool recently flagged for that issue to see how the changes have affected the quality of the results. Through that we found that the plugin Export User Data, which has 20,000+ installs, contains that type of vulnerability.

Our tool flags this line of code in the plugin’s file export-user-data.php: [Read more]
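The flagged lines from Easy Registration Forms, Import Social Events and Export User Data are not reproduced in these excerpts, and neither is the $_SERVER['PHP_SELF'] case from the 18 Jul post. As an added example, not code from any of those plugins or from the original posts, the block below shows the two reflected XSS sources those posts are about, each beside a hardened form: a request parameter echoed into an attribute (which input sanitization alone does not fix, the point of the Import Social Events post), and $_SERVER['PHP_SELF'] used as a form action. The parameter name tab, the page slug demo and the function names are assumptions; the snippet assumes it runs inside a WordPress plugin.

```php
<?php
// Added example, not code from Easy Registration Forms, Import Social
// Events or Export User Data. Hypothetical settings page with a 'tab'
// parameter and page slug 'demo'; assumes it runs inside a WordPress
// plugin, so sanitize_text_field(), wp_unslash(), esc_attr(), esc_url(),
// add_query_arg() and admin_url() are available.

// Source 1: a request parameter echoed into the page.
// VULNERABLE even though the value is "sanitized": sanitize_text_field()
// strips tags but keeps quotes, so
//   ?tab=" autofocus onfocus="alert(document.cookie)
// still breaks out of the value attribute. Input sanitization and output
// escaping are different controls; the posts above are about the second.
function demo_tab_field_vulnerable() {
    $tab = isset( $_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'general';
    echo '<input type="hidden" name="tab" value="' . $tab . '">';
}

// HARDENED: escape at the point of output, for the attribute context.
// Keeping the sanitization is fine; it just is not what prevents XSS.
function demo_tab_field_fixed() {
    $tab = isset( $_GET['tab'] ) ? sanitize_text_field( wp_unslash( $_GET['tab'] ) ) : 'general';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
}

// Source 2: $_SERVER['PHP_SELF'] used as a form action.
// VULNERABLE: PHP_SELF includes any trailing path info, so on a server
// that accepts path info a request for
//   /wp-admin/admin.php/"><script>alert(document.cookie)</script>?page=demo
// puts the payload into the action attribute. $_SERVER['REQUEST_URI']
// has the same problem; neither is under the plugin's control.
function demo_form_vulnerable() {
    echo '<form method="post" action="' . $_SERVER['PHP_SELF'] . '?page=demo">';
}

// HARDENED: do not derive the URL from request data at all. Build it from
// values the plugin controls and escape it as a URL.
function demo_form_fixed() {
    $action = add_query_arg( 'page', 'demo', admin_url( 'admin.php' ) );
    echo '<form method="post" action="' . esc_url( $action ) . '">';
}
// If PHP_SELF has to stay, esc_url( $_SERVER['PHP_SELF'] ) drops the
// characters the payload above relies on, and esc_attr() would also
// neutralise it for an attribute context.
```

The rule of thumb the two halves illustrate: every value that reaches HTML is escaped at the output site with the function matching that context (esc_attr() inside attributes, esc_html() in text, esc_url() for href/action/src), regardless of whether it was sanitized on the way in.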

30 May

Authenticated Open Redirect Vulnerability in Paid Memberships Pro

One ongoing indication of the poor security of WordPress plugins is how often our Plugin Security Checker, an automated tool for identifying some possible security issues in plugins, picks up vulnerabilities in fairly popular plugins. We would not describe the tool as advanced by any means, so that is not a great reflection on how plugins’ security is being handled. In looking over some of the recent results for plugins in the Plugin Directory that were run through it, to see if we could further improve its results, we found that the plugin Paid Memberships Pro, which has 80,000+ active installations according to wordpress.org, contains an authenticated open redirect vulnerability.

That is a type of vulnerability that isn’t really a concern in terms of being exploited on the average website, but it is something that looks like it could have easily been avoided. You can check the plugins you use to see if they are possibly impacted by a similar issue or a number of other issues through the tool for free. [Read more]
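The redirect code from JSON API (07 Aug), Breeze (22 Jul) and Paid Memberships Pro above is not included in these excerpts. As an added example, not code from any of those plugins or from the original posts, the block below shows an open redirect hooked on template_redirect, the unauthenticated shape the JSON API post describes, beside the hardened version, and then the same fix applied to an authenticated admin handler, the shape of the Breeze and Paid Memberships Pro cases. The parameter names demo_redirect and return, the hook action name and the capability are assumptions; the snippet assumes it runs inside a WordPress plugin.

```php
<?php
// Added example, not code from JSON API, Breeze or Paid Memberships Pro.
// Hypothetical parameter and action names; assumes it runs inside a
// WordPress plugin, so wp_redirect(), wp_safe_redirect(), esc_url_raw(),
// wp_unslash(), current_user_can(), check_admin_referer() and admin_url()
// are available.

// VULNERABLE: template_redirect fires on every front-end request, so with
// no login at all anyone can send a visitor to
//   https://example.test/?demo_redirect=https://evil.example/
// wp_redirect() performs no host check on the target.
function demo_template_redirect_vulnerable() {
    if ( ! empty( $_GET['demo_redirect'] ) ) {
        wp_redirect( $_GET['demo_redirect'] );
        exit;
    }
}

// HARDENED: wp_safe_redirect() passes the target through
// wp_validate_redirect(), which allows only the site's own host (plus any
// hosts added via the allowed_redirect_hosts filter) and falls back to
// admin_url() for anything else, including protocol-relative
// "//evil.example" targets.
function demo_template_redirect_fixed() {
    if ( empty( $_GET['demo_redirect'] ) ) {
        return;
    }
    $target = esc_url_raw( wp_unslash( $_GET['demo_redirect'] ) );
    wp_safe_redirect( $target, 302 );
    exit;
}
add_action( 'template_redirect', 'demo_template_redirect_fixed' );

// The authenticated variants have the same shape inside an admin handler.
// The fix is the same call, plus the capability check and nonce that such
// a handler should have anyway, so the redirect at least cannot be
// triggered by a link a logged-in user is lured into clicking.
function demo_admin_redirect_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'demo_redirect_action' );
    $target = isset( $_GET['return'] ) ? esc_url_raw( wp_unslash( $_GET['return'] ) ) : '';
    wp_safe_redirect( $target ? $target : admin_url() );
    exit;
}
add_action( 'admin_post_demo_redirect', 'demo_admin_redirect_fixed' );
```

When reviewing a plugin for this class of issue, the thing to grep for is wp_redirect() or a raw header('Location: ...') whose argument traces back to $_GET, $_POST or $_SERVER; each such call is either replaced with wp_safe_redirect() or justified by an explicit allow-list of destinations.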

01 Mar

Our Plugin Security Checker Now Checks For Usage of Versions of Freemius with the Authenticated Option Update Vulnerability

To make it easy for those without a lot of technical skill to check if plugins are impacted by the authenticated option update vulnerability that exists in older versions of the Freemius library, we have updated our Plugin Security Checker so that when a plugin that includes a vulnerable version of it is checked, there will be a warning about that.

While that would usually mean the vulnerability is exploitable through the plugin, we found, oddly, that in one of the 1,000 most popular plugins, Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons), the library is included but its usage has been disabled for 8 months. For some reason, even with a serious vulnerability having been found in the library, they haven’t removed it from their plugin, though they did promptly update to the fixed version of Freemius. [Read more]