Login

Tag Archives: Security Tips For WordPress Plugin Developers

28 Apr 2017

Security Tip for Developers: Remove Testing Files from Third Party Libraries Included in Your Plugin

Every time you add additional code to a WordPress plugin (or any other software) you are adding more potentially insecure code. That includes third party libraries and other third party code. Earlier this week we looked at the details of a local file inclusion (LFI) vulnerability in the Booking Calendar plugin caused by its use of a file from another plugin (interestingly the vulnerability doesn’t look like it was every exploitable directly in the other plugin). In that case the file had not been updated in Booking Plugin after it was initially introduced in  to it, so while the original plugin’s code had been fixed 5 years ago, Booking Calendar remained vulnerable until weeks ago, which seems like a good reminder to keep third party code up to date.

While making sure that third party code in a plugin doesn’t contain any vulnerabilities would be rather difficult, something we ran across recently does seem to be an easy way to reduce the security risk that come from including them. While doing a security review of the plugin BackUpWordPress, which was selected to have that done by our customers, we found that the plugin had a minor vulnerability, a full path disclosure vulnerability. What is relevant here is that the file with the vulnerability was a testing file for a third party library included with the plugin, which didn’t appear to being used in the plugin. Testing files for third party libraries shouldn’t be something that normally is included in a plugin, since they won’t normally be used in that context and if someone had a need for them they can always add them themselves. [Read more]

25 Apr 2017

Security Tip for Developers: Avoid Using esc_sql() When Trying to Prevent SQL Injection Vulnerabilities

Two weeks ago there was discussion on our post detailing a vulnerability in the plugin Gallery – Video Gallery over the escaping method being used to fix a SQL injection vulnerability in the plugin. While the changes made look to have fixed the issue, they were less than ideal. Part of the issue was that instead of using a prepared statement to prevent the possibility of SQL injection the function esc_sql() was used. That is despite documentation for that that function making a pretty clear suggestion that it is not recommend in most situations:

In 99% of cases, you can use $wpdb->prepare() instead, and that is the recommended method. This function is only for use in those rare cases where you can’t easily use $wpdb->prepare(). [Read more]

24 Apr 2017

Security Tip for Developers: .htaccess Based Protection Won’t Work on All WordPress Websites

One of the ways we see plugin developers try to stop improper access to files generated by their WordPress plugin is to restrict direct access to the files over the Internet through the use of access restrictions placed in a .htaccess file (as the was the case with a vulnerability we disclosed last week). The problem with this is that this only works if the website is hosted on a web server that utilizes .htaccess files. While they are used by the most popular web server Apache, they are not used by the Nginx, which along with Apache is recommended for use with WordPress, or Microsoft’s IIS, which WordPress supports with its own release of WordPress.

It isn’t clear how widespread usage of different web servers is on websites running WordPress since the WordPress statistics page doesn’t include a breakdown of that. Looking wider, Netcraft found in April that 46% of active websites were using Apache, 20% using Nginx, and 9% were using IIS. [Read more]

20 Apr 2017

Security Tip for Developers: You Don’t Need to Restrict Direct Access to .php Files Twice

One of the items we check for during our security reviews of plugins selected by our customers is to see if the plugin’s .php files can be accessed directly when they are not intended to. While being able to access them directly when that isn’t necessary usually doesn’t have any security impact, it is easy to prevent that from happening and it could in some cases prevent serious issues, like a remote code execution (RCE) vulnerability we found being exploited in a security plugin last year.

Something we ran across recently in our monitoring of security changes made to plugins, which allows us to include data on vulnerabilities that you won’t find in other sources of WordPress plugin vulnerability data, indicates that developers implementing such protection don’t always understand what it is that they are implementing. [Read more]

16 May 2016

Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request

One common cause of security issues with WordPress plugins that we continue to see happening is a failure to properly check on whether a user should be able to use admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged in user, without checking their capabilities even a Subscriber level users can access functions meant only for Administrators.

In most cases you will also want to make sure you are protecting against cross-site request forgery (CSRF) in those ajax requests as well. [Read more]

13 May 2016

Security Tip for Developers: The is_admin() Function Doesn’t Tell You If Someone is an Administrator

One reoccurring cause of security issues in WordPress plugins is the misuse of the function is_admin(). Based on its name you might reasonably assume that it checks if someone is Administrator level user in WordPress and that seems to have tripped up lots of plugin developers. In reality it just “checks if the Dashboard or the administration panel is attempting to be displayed”. It will also “return true when trying to make an ajax request (both front-end and back-end requests)”.

How to Actually Check if Someone is an Administrator [Read more]