Recently we ran the plugin Bitcoin Faucet through our automated tool for checking the security of WordPress plugins, and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin:
As we continue our first week of fully disclosing vulnerabilities in WordPress plugins, which we will keep doing until the people on the WordPress side of things finally clean up the moderation of their Support Forum, it is important to remember that if we didn’t fully disclose these vulnerabilities they would still be there in the plugins and still a security risk. In fact there are currently plenty of easy-to-spot vulnerabilities in popular plugins. A case in point is the vulnerability we are fully disclosing today: a reflected cross-site scripting (XSS) vulnerability in the plugin Feed Them Social, whose possible existence was flagged by our far-from-advanced automated tool for detecting plugin vulnerabilities, the Plugin Security Checker. That plugin, which has 70,000+ active installs according to wordpress.org, was recently run through the tool, and during our continuing audits of the tool’s output we checked on the results for it.
Recently the plugin Quiz And Survey Master, which has 20,000+ active installs according to wordpress.org, was run through our Plugin Security Checker tool, and as part of our continued focus on improving the results produced by the tool we took a look at some of the possible issues it identified. One of those possible issues was a reflected cross-site scripting (XSS) vulnerability in the plugin, caused by user input being output directly without any escaping.
One of the problems we have found with the WordPress Support Forum is the unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago, a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager. Deleting that doesn’t make much sense to us, since it would be easy for someone with bad intentions to do the same monitoring that we do and to have spotted that thread before it was deleted, while deleting it makes it harder for those with good intentions to find out about the issue. For us, seeing it not only led to us noticing a related vulnerability in the same code, but it also led to a new check for our Plugin Security Checker that makes it easier for issues similar to the one we noticed to be caught and fixed going forward, leading to better security for WordPress plugins. Unfortunately, the moderators of the WordPress Support Forum don’t seem to be all that interested in that, based on the actions they take and their shutting down of any conversation about whether those actions are productive.
In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether they are in need of additional security scrutiny, the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was recently run through the tool and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin.
In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether they are in need of additional security scrutiny, when we ran the plugin WP Google Map Plugin through the tool to check whether it would have spotted a recently fixed reflected cross-site scripting (XSS) vulnerability in the plugin, we found that the plugin still contained another vulnerability of the same type (the tool also would have identified the possibility of the previous vulnerability if the plugin had been checked earlier).
In continuing to work on improving our Plugin Security Checker, which does limited automated security checks of WordPress plugins (and is now accessible through a WordPress plugin of its own), we have been interested to see where it can already provide value beyond what is already being done to improve the security of plugins. We recently got what looks to be an example of it catching something that was missed by the team managing the Plugin Directory.
When we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, one of the future enhancements we mentioned we were looking into was making the results available through our service’s companion plugin. After thinking it over, we decided it would be better to create a separate plugin for that, so that websites that use the existing plugin but have no interest in that functionality are not increasing the amount of code on their website and, alongside that, the increased security risk that creates (that is something the makers of a lot of security plugins look to have not considered when throwing lots of different functionality into a single plugin; perhaps not surprisingly, there have been plenty of security vulnerabilities found in security plugins).
Since we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, we have had a lot of interest in it, and it has brought in additional business for both our main service and our separate security reviews. That is good for us, but also for everyone using WordPress, as it allows us to do more to improve the security of WordPress plugins (which it looks like we are already doing much more of than anyone else).