30 Jul

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in The Brand New WordPress Plugin GA Top Posts

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a restricted file upload vulnerability in the brand new plugin GA Top Posts.

The plugin registers the function ga_save_settings() to be accessible through WordPress AJAX functionality to those logged in to WordPress as well as those not logged in: [Read more]

26 Jul

Vulnerability Details: Restricted File Upload in rtMedia for WordPress, BuddyPress and bbPress

This post provides the details of a vulnerability in the WordPress plugin rtMedia for WordPress, BuddyPress and bbPress that was not discovered by us. The discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. [Read more]

01 Jul

Vulnerability Details: Arbitrary File Upload in Insert or Embed Articulate Content into WordPress

This post provides the details of a vulnerability in the WordPress plugin Insert or Embed Articulate Content into WordPress that was not discovered by us. The discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. [Read more]

22 Mar

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Sooqr Search

Much like what we found with the plugin Analytics-Gtag earlier this week, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a restricted file upload vulnerability in the plugin Sooqr Search. Its most obvious use would be persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file; it could also be combined with, say, a local file inclusion (LFI) vulnerability to get arbitrary code executed.

The plugin registers the function sooqr_save_javascript() to run during admin_init, a hook that also fires for requests to admin-ajax.php before WordPress checks whether the visitor is logged in: [Read more]
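
The two exposure paths in this entry and in the GA Top Posts entry above, an action registered with the wp_ajax_nopriv_ hook and a callback hooked to admin_init, share one fix, so here is a single added illustration in PHP of the vulnerable shape beside a hardened one. It is not code from either plugin: the demo_ prefix, the option name, the capability and the nonce actions are assumptions made for the example.

```php
<?php
// Added illustration (not code from GA Top Posts or Sooqr Search). The "demo_"
// prefix, the option name 'demo_custom_js', the capability 'manage_options' and
// the nonce actions are assumptions for this example.

// Exposure path 1: the same callback is registered for logged-in and logged-out
// visitors. Anyone who can request /wp-admin/admin-ajax.php?action=demo_save_settings
// reaches the handler, because the wp_ajax_nopriv_ hook serves unauthenticated calls.
add_action( 'wp_ajax_demo_save_settings', 'demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_settings', 'demo_save_settings_vulnerable' );

// Exposure path 2: a callback hooked to admin_init. admin-ajax.php fires admin_init
// before it looks at whether the visitor is logged in, so this runs unauthenticated too.
add_action( 'admin_init', 'demo_save_javascript_vulnerable' );

function demo_save_settings_vulnerable() {
    // Request input is written into a file under the plugin directory with no check
    // of who sent it. The extension is fixed, so this is a restricted (not arbitrary)
    // file upload, but the file contents are entirely attacker-controlled.
    $code = (string) wp_unslash( $_POST['code'] ?? '' );
    file_put_contents( plugin_dir_path( __FILE__ ) . 'custom.js', $code );
    wp_die();
}

function demo_save_javascript_vulnerable() {
    if ( isset( $_POST['demo_js'] ) ) {
        $code = (string) wp_unslash( $_POST['demo_js'] );
        file_put_contents( plugin_dir_path( __FILE__ ) . 'custom.js', $code );
    }
}

// Hardened AJAX handler: no wp_ajax_nopriv_ registration, a capability check so only
// administrators get past it, and a nonce so a logged-in admin cannot be made to send
// the request from another site (CSRF). The content goes into the database rather
// than a web-served file.
add_action( 'wp_ajax_demo_save_settings_v2', 'demo_save_settings_hardened' );

function demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    check_ajax_referer( 'demo_save_settings', 'nonce' ); // dies on a missing or bad nonce
    $code = (string) wp_unslash( $_POST['code'] ?? '' );
    update_option( 'demo_custom_js', $code, false );
    wp_send_json_success();
}

// Hardened admin_init callback: the same two checks, and it returns early unless the
// request is actually the form submission, so ordinary admin page loads are untouched.
add_action( 'admin_init', 'demo_save_javascript_hardened' );

function demo_save_javascript_hardened() {
    if ( ! isset( $_POST['demo_js'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_save_js', 'demo_nonce' ); // dies on a missing or bad nonce
    update_option( 'demo_custom_js', (string) wp_unslash( $_POST['demo_js'] ), false );
}
```

The settings page that submits the admin_init form would emit the token with wp_nonce_field( 'demo_save_js', 'demo_nonce' ), and the AJAX caller would send one from wp_create_nonce( 'demo_save_settings' ). When auditing a plugin, the quick check is the one these posts apply: for every wp_ajax_nopriv_ registration and every admin_init callback, look for a current_user_can() and a nonce check before anything touches the filesystem.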

20 Mar

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Added to Analytics-Gtag

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, the code that gets flagged is usually buried deep inside other code, so confirming that there is a vulnerability requires a bit of work. That wasn't the case with the code added to the latest version of the plugin Analytics-Gtag, which creates a restricted file upload vulnerability. Its most obvious use would be persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file; it could also be combined with, say, a local file inclusion (LFI) vulnerability to get arbitrary code executed.

The new version of the plugin adds a file named creator.php, which will take the value of the GET input “param4”: [Read more]
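
As an added illustration, not code from Analytics-Gtag or Sooqr Search, the following PHP contrasts a handler that writes a request value into a script file the front end loads with one that keeps the value out of the filesystem and hands it to the browser as data. The demo_ names, the option name and the tracking-ID format are assumptions for the example; the same reasoning applies to a plugin that writes a .css file.

```php
<?php
// Added illustration (not code from Analytics-Gtag or Sooqr Search). The "demo_"
// names, the option 'demo_tracking_id' and the ID format in the regex are assumptions.

// Vulnerable shape: a request value is written verbatim into a file that every page
// loads as a script. Whoever can reach this function writes JavaScript that then runs
// in every visitor's browser (persistent XSS). Note that quoting the value does not
// help: a value containing  '; alert(1); //  closes the string and adds code.
function demo_write_tracking_js_vulnerable() {
    $id = isset( $_GET['param4'] ) ? (string) wp_unslash( $_GET['param4'] ) : '';
    $js = "window.demoTrackingId = '" . $id . "';\n";
    file_put_contents( plugin_dir_path( __FILE__ ) . 'tracking.js', $js );
}

// Hardened shape, two changes: the value is validated against the shape a tracking
// ID can have, and nothing is written to disk. The value lives in an option and is
// passed to the browser with wp_add_inline_script() as a JSON literal, so it can
// only ever be a string, never code. The caller is expected to have done the
// capability and nonce checks before invoking this.
function demo_save_tracking_id( $raw ) {
    $id = sanitize_text_field( (string) $raw );
    // Hypothetical ID formats ("G-XXXXXXXX" or "UA-1234-5"); adapt to the real ones.
    if ( ! preg_match( '/^(G-[A-Z0-9]{4,12}|UA-\d{4,10}-\d{1,4})$/', $id ) ) {
        return false;
    }
    update_option( 'demo_tracking_id', $id, false );
    return true;
}

function demo_enqueue_tracking() {
    $id = (string) get_option( 'demo_tracking_id', '' );
    if ( '' === $id ) {
        return;
    }
    // tracking.js is a static file shipped with the plugin; it reads
    // window.demoTrackingId and is never rewritten at runtime.
    wp_register_script( 'demo-tracking', plugins_url( 'tracking.js', __FILE__ ), array(), '1.0', true );
    // wp_json_encode() emits a double-quoted JS string literal with quotes and "/"
    // escaped, so even an unexpected value cannot break out of the literal or inject
    // a closing </script> tag.
    wp_add_inline_script(
        'demo-tracking',
        'window.demoTrackingId = ' . wp_json_encode( $id ) . ';',
        'before'
    );
    wp_enqueue_script( 'demo-tracking' );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_tracking' );
```

The validation step is the primary control; the JSON encoding is defence in depth for the day the regex is loosened. If a plugin genuinely needs per-site custom JavaScript, that is administrator-authored content and should be gated behind the unfiltered_html capability rather than written from a request parameter.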

04 Feb

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Accessibility Suite by Online ADA

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a restricted file upload vulnerability in the plugin Accessibility Suite by Online ADA that would allow an attacker to write arbitrary content to a file on the website. The file has a .png extension, so the vulnerability could be used directly to upload any image the attacker wanted; it could also be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to run on the website.

Since our Plugin Security Checker checks for the same type of code, it will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly contain more serious vulnerable code). From there, if you are a paying customer of our service, you can suggest or vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

11 Dec

Vulnerability Details: Restricted File Upload in Woocommerce Pay.nl Payment Methods

This post provides the details of a vulnerability in the WordPress plugin Woocommerce Pay.nl Payment Methods that was not discovered by us. The discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. [Read more]

04 Oct

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in VendorFuel

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks intended to spot the possibility of such vulnerabilities, most of those found so far have come from only two of them. Recently, though, another of those checks caught a vulnerability in the plugin VendorFuel that allows anyone to rewrite the contents of a .css file that is part of the plugin.

The code that causes that is at the beginning of the file /admin-pages/styling.php: [Read more]

20 Dec

Vulnerability Details: Restricted File Upload Vulnerability in Gallery by BestWebSoft

While looking into what hackers might be targeting in the plugin Sharexy, we took a look at what appeared to be a related request, which checked whether a file that had previously existed in the plugin Gallery by BestWebSoft was on our website. The file requested was /wp-content/plugins/gallery-plugin/upload/php.php, which has been claimed to have an arbitrary file upload vulnerability as of version 3.06. At least by our definition that isn't true, because the extensions of the files that could be uploaded through that file are limited.

The file /upload/php.php defines which extensions uploaded files can have with the following line: [Read more]

27 Oct

Restricted File Upload Vulnerability in Social Articles

Back in June and July we ran into an odd situation in which a vulnerability was supposed to have been fixed in the plugin WP Job Manager, but what was supposed to be the issue was still possible with the plugin. That supposed issue involved some form of abuse of the plugin's image upload capability. The change made simply restricted uploading images through WordPress' AJAX functionality when not logged in to WordPress, yet by default those without WordPress accounts on the website can still upload image files. The developer's explanation for the action they took doesn't really make sense, but the episode did provide an indication that people with bad intentions will abuse the ability to upload image files. That capability could also be used in conjunction with a local file inclusion (LFI) vulnerability, so making sure that those who are not intended to upload image files can't do so is a good idea.

All that brings us to the plugin Social Articles, which came onto our radar because code in it was noticed during our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. That picked up the possibility that there was an arbitrary file upload vulnerability in the plugin. When we went to look into that, we found the plugin's code would restrict uploaded files to ones with one of the following image extensions: gif, jpeg, jpg, or png. So there wasn't an arbitrary file upload vulnerability, but in looking into that we found that the plugin was allowing people not intended to upload files to do so. [Read more]
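
The image-extension restriction in this entry, in the Gallery by BestWebSoft entry and in the Accessibility Suite entry is what makes these "restricted" rather than "arbitrary" uploads, and it is also why they still matter alongside an LFI vulnerability: the check looks at the name, never at the bytes. The following added PHP illustrates that distinction and the upload-side controls that address it. It is not code from any of those plugins; the demo_ names, the capability and the nonce action are assumptions for the example.

```php
<?php
// Added illustration (not code from Social Articles, Gallery by BestWebSoft or
// Accessibility Suite). The "demo_" names, the 'upload_files' capability and the
// nonce action 'demo_upload' are assumptions for this example.

const DEMO_IMAGE_EXT = array( 'gif', 'jpeg', 'jpg', 'png' );

// Extension allow list of the kind these plugins use. It rejects evil.php but
// accepts evil.png whose bytes are PHP: nothing here inspects the content, which is
// why a restricted upload combined with a local file inclusion still runs attacker code.
function demo_extension_allowed( $filename ) {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return in_array( $ext, DEMO_IMAGE_EXT, true );
}

// Returns the stored path on success or a WP_Error. Three controls, in order:
// who may upload, whether the name is allowed, and whether the content is an image.
function demo_handle_image_upload( $field, $capability = 'upload_files' ) {
    // 1. Who: the handler must not be reachable by visitors who are not meant to upload.
    if ( ! is_user_logged_in() || ! current_user_can( $capability ) ) {
        return new WP_Error( 'forbidden', 'not allowed to upload' );
    }
    check_admin_referer( 'demo_upload', 'demo_nonce' ); // dies on a missing or bad nonce

    if ( empty( $_FILES[ $field ]['tmp_name'] ) || ! is_uploaded_file( $_FILES[ $field ]['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'no file uploaded' );
    }
    $tmp  = $_FILES[ $field ]['tmp_name'];
    $name = sanitize_file_name( $_FILES[ $field ]['name'] );

    // 2. Name: the allow list from above.
    if ( ! demo_extension_allowed( $name ) ) {
        return new WP_Error( 'bad_ext', 'extension not allowed' );
    }

    // 3. Content: wp_check_filetype_and_ext() compares the extension with what the
    // bytes actually are and, for a mismatch it can repair, suggests the proper name.
    $check = wp_check_filetype_and_ext( $tmp, $name );
    if ( empty( $check['ext'] ) || ! in_array( $check['ext'], DEMO_IMAGE_EXT, true ) ) {
        return new WP_Error( 'bad_type', 'content does not match an allowed image type' );
    }
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }

    // Re-encode through GD so the stored file holds only pixel data. A valid PNG with
    // "<?php ... ?>" appended, or tucked into a text chunk, comes out without it;
    // anything GD cannot decode is rejected outright.
    $img = @imagecreatefromstring( file_get_contents( $tmp ) );
    if ( false === $img ) {
        return new WP_Error( 'bad_image', 'not a decodable image' );
    }

    $dir  = wp_upload_dir();
    $dest = trailingslashit( $dir['path'] ) . wp_unique_filename( $dir['path'], $name );
    if ( 'gif' === $check['ext'] ) {
        $ok = imagegif( $img, $dest );
    } elseif ( 'png' === $check['ext'] ) {
        $ok = imagepng( $img, $dest );
    } else {
        $ok = imagejpeg( $img, $dest, 90 );
    }
    imagedestroy( $img );

    return $ok ? $dest : new WP_Error( 'write_failed', 'could not write file' );
}
```

The re-encoding step is the one that actually removes attacker-controlled bytes; the cost is that GIF animation and EXIF metadata are lost, which is acceptable for most plugin use cases but should be a conscious decision. The first control is the one the posts above are about: an allow list does nothing for the site if the upload handler runs for visitors who were never supposed to upload anything.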