24 Jul 2019

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 – Dynamic Text Extension

While working on a security review of a WordPress plugin today we wanted to get a better idea of whether part of how the plugin handles something was common, despite seeming problematic from a security standpoint. When we did a search using WPdirectory we saw it was a very common practice, but in one of the most popular plugins flagged we also saw what seemed to be a fairly obvious security vulnerability unconnected to that. A quick check confirmed that the plugin, Contact Form 7 – Dynamic Text Extension, which has 100,000+ installs, has a reflected cross-site scripting (XSS) vulnerability. That isn’t a very serious vulnerability, but it is something that seems like it should have been noticed, considering that you don’t have to go any farther than the description of the plugin to see an indication that it might exist.

The plugin registers the shortcode “CF7_GET” to cause the function cf7_get() to run: [Read more]

23 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in WooCommerce Product Feed

Today a new CVE entry was added, CVE-2019-1010124, for the plugin WooCommerce Product Feed. The entry seems a bit odd, as one of the links doesn’t work and the other is for a YouTube video from just over a year ago. It also indicates that version “2.2.18 and earlier is affected by” the vulnerability. In line with the age of the video, that is a rather out-of-date version of the plugin. Looking at the YouTube video, it looked like what might be at issue is a reflected cross-site scripting (XSS) vulnerability, and upon testing that out we found the plugin is still vulnerable.


[Read more]

18 Jul 2019

Outputting $_SERVER['PHP_SELF'] Without Escaping Isn’t Safe for WordPress Plugins

One of the frustrating aspects of dealing with the security of WordPress plugins is that so often people seem to be unwilling to learn from their mistakes. The people running the Plugin Directory, for example, seem to be creating their own reality to avoid even acknowledging their mistakes. We work hard to avoid mistakes, but when they happen we are happy to learn from them and improve what we are doing.

We recently made a mistake. In looking into the possibility that a vulnerability had been fixed in a plugin, we got things wrong and wrote this: [Read more]

17 Jul 2019

Our Plugin Security Checker Caught a Reflected XSS Vulnerability in Export User Data

Our Plugin Security Checker allows anyone to check for the possibility of some instances of security vulnerabilities in WordPress plugins. We have recently been making some improvements to its ability to detect the possibility of reflected cross-site scripting (XSS) vulnerabilities, which led to us checking over some of the code recently flagged by the tool for that issue to see how the changes have impacted the quality of the results. Through that we found that the plugin Export User Data, which has 20,000+ installs, contains that type of vulnerability.

Our tools flag this line of code in the plugin’s file export-user-data.php: [Read more]

12 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Avartan Slider Lite

One of the changelog entries for a recent version of Avartan Slider Lite was “Fixed: Security issues”, and then it was changed to “Fixed: minor bug fix” a week later. Looking at the changes made in that version, there were many security-related changes. We ran the previous version through our Plugin Security Checker to see if it would identify possible vulnerabilities which we could then look into further. Through that we found that there was at least a reflected cross-site scripting (XSS) vulnerability fixed in the new version.


[Read more]

8 Jul 2019

The WPScan Vulnerability Database Keeps Telling People That Unfixed Vulnerabilities Have Been Fixed

Repeating a frequent recent pattern, when looking to see if the discoverer of a vulnerability in a WordPress plugin had put out a report on it, we once again instead found a competing source of data on vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, claiming a vulnerability had been fixed when it hadn’t. Compounding that problem, others repeated that claim, as they do with all of WPScan’s data, without disclosing where the data is coming from or its well-known quality control issues. This instance is also a good example of how a security provider continuously looking to improve what it is doing, instead of continually failing in the same way, ends up improving other parts of its work as well.

The changelog for the latest version of the plugin Gallery PhotoBlocks is “[Security] Fixed security issue”. Looking at the changes made in it, we saw what looked to be the fixing of a reflected cross-site scripting (XSS) vulnerability. That should have been something that could be detected by our Plugin Security Checker, a tool that allows checking WordPress plugins for the possibility of some instances of security issues. So we ran the previous version of the plugin through that to make sure it picked that up, and found that there were two instances of that: [Read more]

8 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Feed Them Gallery

One of the changelog entries for the latest version of Feed Them Gallery is “NEW: Security Refactor of the whole plugin to stop XSS injections and other possibly malicious attempts to hack through the plugin.” The new version includes a lot of changes, so we ran the previous version of the plugin through our Plugin Security Checker to see if it identified any possible cross-site scripting (XSS) vulnerabilities that we could then check against the new version. That identified multiple possible reflected XSS vulnerabilities, all of which involved code that was replaced with more secure code in the new version.


[Read more]

3 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Simple Mail Address Encoder

One of the changelog entries for the latest version of Simple Mail Address Encoder is “Bugfix: Reflected XSS”. Looking at the changes made in that version we confirmed that a reflected cross-site scripting (XSS) vulnerability had been fixed.


[Read more]

1 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Essential Real Estate

Several of the recent Subversion log entries for the plugin Essential Real Estate are “Fix error Reflected XSS”. The plugin was closed on the Plugin Directory on Friday, possibly due to that. Looking at the changes made, we found escaping code had been added in numerous places, so we ran the previous version of the plugin through our Plugin Security Checker tool to see if it would identify any possible instances of reflected cross-site scripting (XSS) that we could then check to see if they were fixed. We found that the first possible instance identified by our tool was exploitable and was fixed in the new version.


[Read more]