25 Jun 2019

Vulnerability Details: SQL Injection in Author Chat

One of the changelog entries for the latest version of Author Chat is “Security fix”. In looking into what was done, we found that the plugin still seems to be rather insecure and probably shouldn’t be used without its security being thoroughly reviewed and improved. It also looks to have other issues; for example, we found that one of its database tables is only created if you activate the plugin for a second time.

30 Apr 2019

Vulnerability Details: SQL Injection in RSVPMaker

A SQL injection vulnerability fixed in the plugin RSVPMaker seems like a good example of why relying on changelogs to let you know whether security vulnerabilities have been fixed in a WordPress plugin is not a good idea, as there is currently no changelog for the latest version of the plugin. We noticed that there might have been a vulnerability fix in that version because of the log entry left in the Subversion repository that underlies the Plugin Directory, “fix for sql injection hack”. That is something the average user of a plugin isn’t going to monitor, but hackers easily can.

27 Mar 2019

Would A Hacker Be Interested in This SQL Injection Vulnerability in Simple Ajax Shoutbox?

One of the ways we keep ahead of others when it comes to vulnerabilities in WordPress plugins, so that we can provide our customers with better security, is that we monitor third-party data for indications that hackers are targeting WordPress plugins. Through that we just ran across someone possibly probing for usage of the plugin Simple Ajax Shoutbox by requesting its readme.txt file. That isn’t a very popular plugin, with only 1,000+ active installations according to wordpress.org, and it hasn’t been updated in two years.

In a quick look over the plugin we didn’t see an obvious vulnerability that hackers would be interested in exploiting, though there were some things that look like they might cause a serious issue. But what did stand out right away is that there is an easy-to-spot SQL injection vulnerability. That isn’t really something hackers seem all that interested in, but we can at least warn our customers and others that hackers might be targeting this plugin.

18 Mar 2019

Vulnerability Details: SQL Injection in Better Search

We are always interested when automated tools are able to detect real vulnerabilities in WordPress plugins, so a recent post on the WordPress Support Forum got our attention, as it claimed that Qualys had detected a SQL injection vulnerability in Better Search. Checking the proof of concept provided, we could see that the vulnerability is in fact in the plugin. Somewhat troublingly, the developer’s response so far has been the following:

21 Feb 2019

Is a Hacker Interested in This SQL Injection Vulnerability in JS Support Ticket or Something Else?

One of the ways we try to keep track of vulnerabilities being exploited in WordPress plugins, so that we can provide our customers with the best data on vulnerabilities that might impact their websites, is to monitor third-party data on possible attacks. Through one of those sources we saw a report of the following request being made recently, related to the plugin JS Support Ticket:

/wp-admin/admin-ajax.php?action=jsticket_ajax&jstmod=fieldordering&task=getOptionsForFieldEdit&field=1

4 Feb 2019

The WordPress REST API Opening Up New Front for Security Vulnerabilities in WordPress Plugins

When it comes to the causes of security vulnerabilities in WordPress plugins, we haven’t seen something truly new for some time, so it is notable that we have recently started seeing a pickup in one category: vulnerabilities that are exploitable through WordPress’ REST API. The vulnerabilities are not caused by the REST API, but increasing usage of it in plugins is making more code accessible through it that isn’t properly secured. The API was introduced in WordPress 4.4, which was released back in December 2015, so this comes with a bit of a delay (maybe because developers were waiting until there was wide adoption of WordPress versions that supported it).

Right now we are continuing to evaluate how to respond to this in terms of things like our Plugin Security Checker and the security reviews we do of plugins. For the latter, we are going to start checking this type of code during upcoming reviews to get a better idea of what is going on, before considering officially adding any checks related to it to our reviews.

20 Dec 2017

PHP Object Injection Through a SQL Injection Vulnerability in a WordPress Plugin

Recently there have been claims that hackers have been causing PHP object injection through SQL injection vulnerabilities in WordPress plugins. The details needed to allow others to confirm whether or not that is true had not been provided (which didn’t stop journalists from repeating the claims), and in our testing we were not able to figure out a way to get that to work with the plugins in which it was claimed to have occurred. It is possible that we have missed something, or it is possible that a belief that it could occur led hackers to attempt it even though it really wasn’t possible in those plugins.

One route we looked at to recreate the claim was using UNION SELECT as part of the SQL injection, so that the SQL statement susceptible to injection would return a value needed for the PHP object injection. What we ran into in trying that is that we couldn’t get an appropriate value for the PHP object injection through that route, due to the escaping WordPress does of quote marks.

15 Dec 2017

Is This SQL Injection Vulnerability Why a Hacker Would Be Interested in the SendinBlue Subscribe Form And WP SMTP Plugin?

Several days ago we had a request at this website for a file that would be located at /wp-content/plugins/table-maker/readme.txt. Subsequent to that, while reviewing the log files of another website for some work we were doing over at our main business, we saw the same file requested. The requested file would be part of the plugin SendinBlue Subscribe Form And WP SMTP. On both websites the IP address also requested a readme.txt for another plugin, which we will be discussing at a later time. Those requests would seem to be from someone probing for usage of those plugins. A likely reason for that would be a hacker probing for usage of the plugins.

In looking over the plugins we have yet to find an obvious security vulnerability that a hacker would target, but we did find that both had poor security leading to security vulnerabilities. Another thing we found with both is that they were unserializing data returned by a database request. Recently there have been claims that a SQL injection vulnerability was somehow being exploited, leading to PHP object injection when the result of the SQL query susceptible to SQL injection was passed through the unserialize() function. No evidence was presented that this was the case, though. It is possible that the claim is true. It is also possible that there is a belief in an issue that doesn’t really exist (we have seen plenty of instances of hackers trying to exploit vulnerabilities that don’t exist, and of security companies failing to understand that). Whatever the case, we did find this plugin has a couple of SQL injection vulnerabilities for which the result is then unserialized.

27 Oct 2017

Vulnerability Details: SQL Injection Vulnerability in Ultimate Form Builder Lite

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

7 Jul 2017

Wordfence’s Lack of Understanding of SQL Injection Vulnerabilities Leads to False Claim About WP Statistics Vulnerability

Yesterday we touched on how the web security company Sucuri and others in the security community were overstating the threat of a vulnerability recently discovered by Sucuri in the plugin WP Statistics. While looking over something else related to that vulnerability, we came across the web security company Wordfence using that vulnerability basically as an ad for their products and services, while reminding people who are actually knowledgeable about web security that Wordfence really doesn’t have a good grasp of it.

Their post starts out: