01 Aug

What Happened With WordPress Plugin Vulnerabilities in July 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did during July to keep those who are already using our service secure from WordPress plugin vulnerabilities (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, while reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

This month the most concerning vulnerability is a PHP object injection vulnerability in Product Reviews, since that type of vulnerability is likely to be exploited and the vulnerability hasn’t been fixed yet.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 702,300+ active installs:

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor.

31 Jul

PHP Object Injection Vulnerability in Product Reviews

We recently started proactively monitoring changes made to WordPress plugins for evidence of some high-risk types of vulnerability. One of the types we look for is PHP object injection, since those are likely to be exploited if hackers become aware of them (unlike other types of vulnerabilities whose impact security companies are known to overstate). Through that monitoring we came across a PHP object injection vulnerability in the plugin Product Reviews.

The plugin’s function EWD_URP_Update_Karama() is registered as a WordPress AJAX action for both logged-in users (the wp_ajax_ hook) and users who are not logged in (the wp_ajax_nopriv_ hook), in the file /Functions/Process_Ajax.php:

add_action('wp_ajax_urp_update_karma', 'EWD_URP_Update_Karama');        // logged-in users
add_action('wp_ajax_nopriv_urp_update_karma', 'EWD_URP_Update_Karama'); // anyone, no login needed

That function takes the value of the cookie “EWD_URP_Karma_IDs”, which is entirely under the visitor’s control, and passes it to unserialize(). That allows PHP object injection: any class loaded by WordPress, the theme or another plugin can be instantiated from the cookie, and its magic methods (such as __wakeup() and __destruct()) will run:

function EWD_URP_Update_Karama() {
    $Path = ABSPATH . 'wp-load.php';
    include_once($Path);

    $Review_ID = $_POST['ReviewID'];
    $Direction = $_POST['Direction'];

    $Karma = get_post_meta( $Review_ID, 'EWD_URP_Review_Karma', true );

    if ($Direction == 'down') {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma - 1 );}
    else {update_post_meta( $Review_ID, 'EWD_URP_Review_Karma', $Karma + 1 );}

    // Attacker-controlled cookie goes straight into unserialize(): PHP object injection.
    $EWD_URP_Karma_IDs = unserialize(stripslashes($_COOKIE['EWD_URP_Karma_IDs']));

The unserialization of that cookie also occurs in the function EWD_URP_Display_Review() in the file /Shortcodes/SelectReview.php.

We notified the developer of the issue a week ago, haven’t heard back from them, and no changes have been made to the plugin. We notified them of a less serious vulnerability in another of their plugins a month and a half ago, which still hasn’t been resolved.

If you were using our service you would have already been warned about the vulnerability in the other plugin, if you were impacted, and would be notified shortly about this one. You would also have us available to work with you to decide how best to protect against it.

Proof of Concept

Set the value of the cookie “EWD_URP_Karma_IDs” to the serialized object to be injected and then visit http://[path to WordPress]/wp-admin/admin-ajax.php?action=urp_update_karma (make sure to replace “[path to WordPress]” with the location of WordPress).

You can use our PHP object injection test plugin to make testing this proof of concept easier.
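The following is an added example, not code from the Product Reviews plugin or its developer. It shows, in a stand-alone PHP 8 script, what the cookie value in the proof of concept above looks like, why the unserialize() call shown earlier lets a visitor run code paths of classes they should never reach, and what the same handler looks like once hardened. The Example_Logger class, its file paths and the function names are hypothetical; on a real site the gadget would be whatever class with a magic method WordPress, the theme or another plugin happens to have loaded.

```php
<?php
// Added example, not code from the Product Reviews plugin. Run with `php demo.php`
// (PHP 8.0+); no WordPress needed. Example_Logger is a hypothetical gadget class
// standing in for whatever classes a real site has loaded (core, theme, plugins).
declare(strict_types=1);

class Example_Logger {
    public string $file = '/tmp/example.log';
    public string $line = '';
    public static array $calls = [];

    // Runs automatically whenever unserialize() rebuilds an Example_Logger.
    // A real gadget would write files, make HTTP calls, etc. here or in __destruct().
    public function __wakeup(): void {
        self::$calls[] = "__wakeup(): would write '{$this->line}' to {$this->file}";
    }
}

// The value an attacker sets for the EWD_URP_Karma_IDs cookie: a serialized object
// instead of the array of review IDs the plugin expects.
function attacker_cookie(): string {
    $g = new Example_Logger();
    $g->file = '/var/www/html/wp-content/uploads/x.php'; // hypothetical target path
    $g->line = '<?php /* attacker controlled */ ?>';
    return serialize($g); // O:14:"Example_Logger":2:{s:4:"file";s:...;s:4:"line";s:...;}
}

// 1. The plugin's pattern: whatever class the cookie names is instantiated and its
//    magic methods run. (stripslashes() is there because WordPress adds slashes to
//    $_COOKIE while loading.)
function vulnerable_handler(string $cookie): mixed {
    return unserialize(stripslashes($cookie));
}

// 2. Hardened: never instantiate classes from this input. Objects in the payload
//    come back as __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real
//    class runs, and only the shape the plugin stores (a list of integer post IDs)
//    is kept. The @ silences the notice unserialize() emits on malformed input.
function hardened_handler(string $cookie): array {
    $data = @unserialize(stripslashes($cookie), ['allowed_classes' => false]);
    if (!is_array($data)) {
        return []; // tampered, malformed or absent cookie: treat as "no votes yet"
    }
    return array_values(array_filter($data, 'is_int'));
}

// 3. Better still: keep PHP serialization away from client-controlled state and
//    store the list as JSON, a format that cannot describe objects at all.
function json_handler(string $cookie): array {
    $data = json_decode(stripslashes($cookie), true);
    return is_array($data) ? array_values(array_filter($data, 'is_int')) : [];
}

$cookie = attacker_cookie();
echo "cookie: $cookie\n";

$obj = vulnerable_handler($cookie);
echo "vulnerable: instantiated " . $obj::class . "; "
   . implode('; ', Example_Logger::$calls) . "\n";

Example_Logger::$calls = [];
echo "hardened: got " . json_encode(hardened_handler($cookie))
   . "; magic methods run: " . count(Example_Logger::$calls) . "\n";

echo "json: " . json_encode(json_handler('[12,34,"x"]')) . "\n"; // only the integers survive
```

The string returned by attacker_cookie() is exactly what goes into the cookie in the proof of concept (URL-encode it if you send it with curl’s -b option). The allowed_classes option has been available since PHP 7.0, so the fix in hardened_handler() works on every PHP version WordPress currently supports; the same change is needed at the second unserialize() call in /Shortcodes/SelectReview.php, otherwise that code path stays exploitable.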

Timeline

  • July 24, 2017 – Developer notified.