01 Aug

What Happened With WordPress Plugin Vulnerabilities in July 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities while monitoring hackers activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

This month the most concerning vulnerability is a PHP object injection vulnerability in Product Reviews, since that type of vulnerability is likely to be exploited and the vulnerability hasn’t been fixed yet.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of plugin is useful, but it is much more useful if you can fully protect yourself by simple updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 702,300+ active installs:

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor.

25 Jul

Reflected Cross-Site Scripting (XSS) Vulnerability in WebLibrarian

Recently a change was made to plugin WebLibrarian that was supposed to “Fix XSS problem in front end short codes.”. After not finding any report had been put out on this issue we started looking over things to see if there was in fact a vulnerability and then prepare a post on it for our customer.

Before we were able to figure out how the issue could be exploited we found that a related vulnerability existed as of the new version.

When a page or post with the shortcode “weblib_itemlist” is visited the function item_list() is run, which is located /includes/short_codes.php.  Several lines in, the following code ran:

$result = "\n<!-- barcodetable: _REQUEST is ".print_r($_REQUEST,true)." -->\n";

That code will output and GET or POST inputs without them being escaped, which could be exploited for reflected cross-site scripting (XSS).

After notifying the developer of the issue, they resolved it the next day by commenting out the line (it was debug code).

Proof of Concept

The following proof of concept will cause any available cookies to be shown in alert box. Major web browsers other than Firefox provide XSS filtering, so this proof of concept will not work in those web browsers.

Visit a post or page that has the “weblib_itemlist” shortcode and add the following URL parameter to the URL and then visiting the resulting URL (add a “?” before it if there are not already an URL parameters):

xss=--><script>alert(document.cookie);</script>

Timeline

  • July 24, 2017 – Developer notified.
  • July 25, 2017 – Version 3.4.8.7 released, which fixes vulnerability.