07 Dec

Not Really a WordPress Plugin Vulnerability, Week of December 7

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Database Disclosure Vulnerabilities in ARI Adminer, BackWPup, Batch-Move Posts wp plugin, Caldera Forms, Cart66 Lite, Contact Us Page Builder, Events Made Easy, Exports and Reports, L4 Shopping Cart, Orbis, Paid Memberships Pro, Search Engine, Shopp, WP EasyCart, and WP Editor

Related reports of claimed database disclosure vulnerabilities were released for ARI AdminerBackWPupBatch-Move Posts wp plugin, Caldera FormsCart66 Lite, Contact Us Page BuilderEvents Made EasyExports and ReportsL4 Shopping CartOrbisPaid Memberships Pro, Search EngineShoppWP EasyCart, and WP Editor. While the person behind these reports believes that the file they are listing for each of the plugins is a database backup, in reality they are files that came with the plugins. It hard to understand how they didn’t realize that as the contents are exactly the same for the same plugin file on every website they listed, but they apparently didn’t. [Read more]

12 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Editor

This post provides the details of a vulnerability in the WordPress plugin WP Editor not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

03 Jun

Don’t Expect That Someone Else Has Checked The Security of the WordPress Plugins You Use

When it comes to open source software one of the ideas is that by having the source code available then the software is more secure since you are not relying on only the developer of the software to have reviewed the code. So how does that match up with the security of WordPress plugins? A recent security situation we ran into with the plugin WP Editor seems to indicate that it isn’t working that way.

If people were regularly looking over the security of WordPress plugins, WP Editor would seem to be something that would have been looked at by now. It has 100,000+ active installs according to wordpress.org, which puts in the top 200 plugins (out of over 44,000 plugin currently in the Plugin Directory). The plugin replaces WordPress regular editor for plugins and theme files in the admin area, which should flag it as something that should be reviewed since a security issue with its the ability to modify PHP files could lead to website being hacked. Its functionality also seems to be something that would be used by more advanced users, which you would think would increase the chances it would be reviewed for security issues. [Read more]

23 May

We Correctly Identified The Vulnerabilities That Hackers Were Looking to Exploit in WP Editor

A couple of weeks ago we started seeing requests for a file from the plugin WP Editor and suspected that the requests were from someone looking for website using the plugin, to exploit some vulnerability in the plugin. After seeing that we starting trying to figure out what the hacker was hoping to exploit, so that we could make it was in our data set.

Since we didn’t have the plugin installed, we couldn’t see what the hacker would try to do if the file from the plugin had been there. We then went looking for any reports of vulnerabilities in the plugin, upon finding none and seeing the plugin hadn’t been updated in 8 months (so it wasn’t a situation where someone had worked out how to exploit a vulnerability that had been recently fixed by the developer) we started looking for vulnerabilities. [Read more]

13 May

Authenticated File Viewing Vulnerability in WP Editor

The security vulnerabilities we previously disclosed in WP Editor have now been fixed in version 1.2.6, hopefully those or something else fixed in that version was what hackers are trying to exploit. While looking around for other security issues in plugin we found another vulnerability that had existed in 1.2.5.3 and all version below, which was fixed in 1.2.6 as well.

Similar to the two vulnerabilities the ajax function for requesting a file on the website did not do any check as to the user capabilities when doing that, so any logged in user could view arbitrary files. [Read more]

12 May

Authenticated File Modification Vulnerability in WP Editor

As discussed in the more detail in the post for the other vulnerability we found in the WP Editor plugin, we recently started seeing requests for a file in this plugin on one of our websites and we believe that it was checking for use of the plugin before exploiting it. After seeing that we started checking for vulnerabilities.

In addition the vulnerability we discussed in the other we post, we also found that any logged in user can edit files on the website since there is no check as to the user capabilities when editing the files. The protection against cross-site request forgery (CSRF) is broken, so it is also susceptible to that. [Read more]

12 May

Authenticated Arbitrary File Upload Vulnerability in WP Editor

To stay on top of vulnerabilities in WordPress plugin for you, we monitor a number of different sources. One of them is hacking attempts on our websites, which mostly identifies fairly old vulnerabilities that we haven’t yet included in our data. In the case of a one vulnerability from back in 2012 we discovered that the vulnerability had never been fixed and was still in the Plugin Directory. Yesterday that monitoring lead us to seeing evidence that the WP Editor plugin is being exploited and finding a couple of serious vulnerabilities that could be what they are exploiting.

We have started seeing requests for the file /wp-content/plugins/wp-editor/js/wpeditor.js, which based on the files being requested alongside it, looks like the request are to check to see if the plugin is in use and if so then the hacker would likely try to exploit it. Since we don’t have the plugin installed the exploitation attempt didn’t happen, so we don’t know what they are trying to exploit. So then after looking for any public reports of vulnerabilities in the plugin we starting to reviewing the plugin and quickly found a couple of serious security vulnerabilities in the current version of the plugin 1.2.5.3. [Read more]