02 Jan

What Happened With WordPress Plugin Vulnerabilities in December 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Paid customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

The most concerning vulnerabilities were several we found in plugins that look like they might be being targeted by a hacker. For two of the plugins, the issues we found still exist (one of them still has a prior vulnerability we notified the developer about months ago).

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed.

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of them were rather minor, but a few of them either involve intentionally malicious code or might have been being exploited by hackers.

20 Dec

Vulnerability Details: Arbitrary Email Sending Vulnerability in Sharexy

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and we will then put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

In looking into what seemed to be a hacker probing for usage of the plugin Sharexy to possibly target ...

Our Vulnerability Details posts provide the details of vulnerabilities we didn't discover and access to them is limited to customers of our service due to other security companies trying to sponge off the work needed to create those instead of doing their own work.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, you can try the service for free for the first month (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a WordPress plugin security researcher please contact us to get free access to all of our Vulnerability Details posts.

20 Dec

Is a Hacker Targeting This Plugin Thinking It Has a Vulnerability It Doesn’t?

One of the problems we sometimes run into when checking over plugins that hackers look to be targeting is that hackers don’t always have a good understanding of what they are doing. We have seen them trying to exploit vulnerabilities that don’t exist and trying to exploit vulnerabilities in a way that will never succeed. The former can be caused by false or inaccurate reports of vulnerabilities released by others, and the latter by a lack of testing before trying to exploit them on other people’s websites.

Recently we had a request on this website for a file that would be located at /wp-content/plugins/gallery-plugin/upload/php.php. That is a file that existed in older versions of the plugin Gallery by BestWebSoft. That would seem to be an attempt to exploit a claimed arbitrary file upload vulnerability in older versions of the plugin. Depending on how you define things, though, that wasn’t an arbitrary file upload vulnerability, as the extensions of the files that can be uploaded are limited to “jpeg”, “jpg”, “gif”, and “png”. The proof of concept shows uploading a file named “lo.php.gif”. Normally web browsers only pay attention to a file’s final extension, so even if you were to upload a file with PHP code under that file name, it wouldn’t run.

Our guess with that sort of thing is that someone trying to exploit it would usually be under the mistaken belief that they could get PHP code to run. It is possible that some people would be using that type of issue with the intention of uploading image files, as is reported to have occurred with the plugin WP Job Manager. This type of issue could also be combined with a local file inclusion (LFI) vulnerability.

Seconds before that request for a file from Gallery by BestWebSoft, a request came from a different IP address for /wp-content/plugins/sharexy/ajaxresponder.php. That file is part of the plugin Sharexy. That plugin was removed from the Plugin Directory sometime in 2015, between May 27 and September 24. No reason is given, but one possible explanation is a violation of the developer guidelines, which was mentioned in the support forum for the plugin.

Looking at the contents of the file /ajaxresponder.php, there are a number of actions that can be taken, which look like they were only intended to be accessed by users logged in as Administrators.

While a number of the actions involve passing data through the unserialize() function, which has the possibility of allowing PHP object injection, a type of vulnerability that is highly likely to be targeted, we didn’t see any way those could be exploited.

Based on what looks to be targeted in the other plugin, what seems like it might be targeted is file upload functionality at the beginning of the file:

	// Start of Sharexy's ajaxresponder.php as excerpted in the post: no capability or nonce check precedes the upload
	$data = array();
	if (!isset($_POST['request_type']) && !isset($_GET['request_type'])) {
		echo json_encode($data);
	}
	if (isset($_POST['request_type']) && $_POST['request_type'] == 'customdesign') {
		// the destination path is assembled from POST parameters; only the ".png" suffix is fixed by the code
		$uploaddir = 'design/custom/'.$_POST['folder'].'/';
		foreach($_FILES as $file) {
			if(move_uploaded_file($file['tmp_name'], $uploaddir .$_POST['resolution'].".png" )) {
				// remainder of the handler not included in the excerpt
			}
		}
	}

That code allows anyone to upload files, but the file name on the web server will end with “.png”.

If you see anything else that might be exploited or some way that upload issue could be exploited to add files with different file extensions, we would love to hear about it.
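For comparison, here is the same "customdesign" upload written the way a defender would want it: an added example, not Sharexy's code, that adds the checks the excerpt above lacks and also addresses the double-extension point made about Gallery by BestWebSoft (a trailing ".gif" or ".png" in a name like "lo.php.gif" says nothing about the file's contents). The action name sharexy_customdesign, the nonce of the same name and the constant SHAREXY_DESIGN_DIR are hypothetical.

```php
<?php
// Added example, not Sharexy's code: the "customdesign" upload as an admin-only
// WordPress AJAX action with the checks the original handler lacks. Hypothetical
// names: action "sharexy_customdesign", nonce of the same name, constant SHAREXY_DESIGN_DIR.

// wp_ajax_ (and no wp_ajax_nopriv_) means anonymous visitors never reach the function.
add_action('wp_ajax_sharexy_customdesign', 'sharexy_customdesign_upload');

function sharexy_customdesign_upload() {
    // 1. Require an administrator and a valid nonce (CSRF protection).
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('sharexy_customdesign', '_wpnonce');

    // 2. Restrict folder and resolution to a safe character set and a fixed list,
    //    instead of concatenating raw POST values into a filesystem path.
    $folder     = isset($_POST['folder']) ? sanitize_key(wp_unslash($_POST['folder'])) : '';
    $resolution = isset($_POST['resolution']) ? sanitize_key(wp_unslash($_POST['resolution'])) : '';
    if ($folder === '' || !in_array($resolution, array('small', 'medium', 'large'), true)) {
        wp_send_json_error('bad parameters', 400);
    }

    // 3. Accept one named file field, and only if PHP received it via HTTP upload.
    if (empty($_FILES['design']['tmp_name']) || !is_uploaded_file($_FILES['design']['tmp_name'])) {
        wp_send_json_error('no file', 400);
    }
    $tmp = $_FILES['design']['tmp_name'];

    // 4. Judge the content, not the client-supplied name: a trailing ".png" or ".gif"
    //    (as in "lo.php.gif") says nothing about what the bytes are.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== IMAGETYPE_PNG) {
        wp_send_json_error('not a PNG image', 415);
    }

    // 5. Build the destination from validated parts only; the extension is fixed
    //    by the server, and the directory is created with WordPress's own helper.
    $dest_dir = SHAREXY_DESIGN_DIR . '/custom/' . $folder;
    if (!wp_mkdir_p($dest_dir)) {
        wp_send_json_error('cannot create destination', 500);
    }
    $dest = $dest_dir . '/' . $resolution . '.png';
    if (!move_uploaded_file($tmp, $dest)) {
        wp_send_json_error('move failed', 500);
    }
    wp_send_json_success(array('file' => $folder . '/' . $resolution . '.png'));
}
```

Because wp_send_json_error() ends the request, each failed check stops the handler before any file is moved; a browser-side check on the file name would add nothing the server does not already enforce here.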

Wider Warning

Due to the fact that this issue might be being targeted by hackers, we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if they are using Sharexy.

Proof of Concept

The following proof of concept will upload the selected file to /wp-content/plugins/sharexy/design/custom/test.png.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-content/plugins/sharexy/ajaxresponder.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="request_type" value="customdesign" />
<input type="hidden" name="folder" value="" />
<input type="hidden" name="resolution" value="test" />
<input type="file" name="tmp_name" />
<input type="submit" value="Submit" />
</form>