With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities we review a lot of code that ends up not being vulnerable, so even if the flagged code looks rather concerning it doesn’t raise a lot of concern at first for us even, if like the code flagged in the plugin Social Warfare, which we will get to in a moment, indicates there might be a very serious vulnerability. When we checked over the rest code related to the flagged code with that plugin we found that the plugin allows anyone to change the plugin’s settings and that could be used to cause persistent cross-site scripting (XSS), which is just the sort of vulnerability hackers have shown a lot of interest in recently. The plugin has 70,000+ active installations according to wordpress.org, which makes it all the more likely that would be exploited.
Last week two of the 1,000 most popular WordPress plugins were closed and we found that both of those contained security vulnerabilities that seemed unrelated to the closure. That doesn’t seem to paint a great picture as to the security of WordPress plugins or for the concern for security by the people running the WordPress Plugin Directory. It’s now a new week and the story continues. Earlier today another one of the 1,000 most popular plugins, Essential Addons for Elementor, which has 100,000+ installs was closed. Since then a couple of updates have been made to the plugin, which may or may not be related to the closure. We didn’t see any obvious security changes in those updates, so we went to check to see if there were any obvious security issues that remain in the latest version, since we are interested in warning our customers if they are using vulnerable plugins. A few checks in, we found multiple security issues with the plugin, for now we will detail an authenticated server-side request forgery (SSRF) vulnerability, which can also be exploited through cross-site request forgery (CSRF).
One of the impediments we see to improving security of WordPress plugins (as well as security in general) is that security journalist don’t provide a good picture of what is and isn’t going on, so others don’t understand what is actually needed to be done to improve the situation. One recent example comes from Catalin Cimpanu at ZDNet’s Zero Day blog who put forward this one sided (at best) portrayal of the handling of the security of WordPress plugins by the people on the WordPress side of things: