01 Sep

What Happened With WordPress Plugin Vulnerabilities in August 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet):

Plugin Security Reviews

Customers of the service can suggest and vote on plugins to have a security review done by us. This month we released details for a review of:

We don’t currently have any more plugins queued up for a review, so if you sign up now for the service, a plugin you suggest could be reviewed right away.

Plugin Vulnerabilities We Discovered and Publicly Disclosed This Month

We don’t just collect data on vulnerabilities in plugins that others have discovered, we also discover vulnerabilities through proactive monitoring of changes made to plugins, monitoring hackers’ activity, reviewing other vulnerabilities, and by doing additional checking on the security of plugins.

This month the most concerning vulnerability is a PHP object injection vulnerability in WP Smart Security, since that type of vulnerability is likely to be exploited and the vulnerability hasn’t been fixed yet.

Plugin Vulnerabilities We Helped Get Fixed This Month

Letting you know that you are using a vulnerable version of a plugin is useful, but it is much more useful if you can fully protect yourself by simply updating to a new version. So we work with plugin developers to make sure that vulnerabilities get fixed. This month we helped to get vulnerabilities fixed in plugins that have 177,800+ active installs:

Plugin Vulnerabilities Added This Month That Are In The Current Version of the Plugins

Keeping your plugins up to date isn’t enough to keep you secure as these vulnerabilities in the current versions of plugins show:

Additional Vulnerabilities Added This Month

As usual, there were plenty of other vulnerabilities that we added to our data during the month. Most of the new vulnerabilities that were fixed this month are relatively minor.

29 Aug

PHP Object Injection Vulnerability in WP Smart Security

When it comes to advice on improving the security of a WordPress website, the recommendation is often to install some security plugin. We have yet to see this advice paired with evidence that the security plugin in question is effective at providing protection. In our testing of whether security plugins can protect against real vulnerabilities in other plugins, which seems to be about the only such testing ever done, the results haven’t been good. A false sense of security isn’t good, since it may lead to failing to do things that will actually protect a website, but using security plugins can have a much worse consequence: it can lead to your website being hacked.

We have recently been going through some data on possible PHP object injection vulnerabilities in WordPress plugins, and one of the reports from that indicated the possibility of that type of vulnerability in the security plugin WP Smart Security. A quick check confirmed that the plugin does in fact contain that type of vulnerability. That type of vulnerability has been exploited on a fairly wide scale in the last year, so using this plugin could open the website using it to being hacked.

When the plugin is active it creates a new instance of the class bitset_wpspro when any WordPress page loads. That in turn will create a new instance of the class wpspro_secure, which runs the following code when it is constructed (in the file /inc/secure.php):

$HTTP_RAW_POST_DATA = file_get_contents( 'php://input' ); // raw request body, entirely attacker-controlled
$data = base64_decode( $HTTP_RAW_POST_DATA );

if ( $data ) {
	$unserialized_data = @maybe_unserialize( $data ); // calls unserialize() if the decoded body looks serialized

That code takes the raw POST body sent with the request, base64_decode()s it, and then passes it to maybe_unserialize(), which calls unserialize() on any string that looks like serialized data. Because the attacker controls the string, that check is trivially satisfied, and the unserialization of user input opens the plugin up to PHP object injection. Since the code runs whenever a WordPress page loads, any request to the site that carries a POST body reaches it; no particular endpoint or login is required.

We contacted the developer a week ago and have not heard back from them. The plugin has never been updated since it was released 18 months ago, not even to note that it is compatible with newer versions of WordPress, so it doesn’t appear to be actively supported.

Proof of Concept

With our plugin for testing for PHP object injection installed and activated, send a request to a page on the website with the raw POST data set to “TzoyMDoicGhwX29iamVjdF9pbmplY3Rpb24iOjA6e30=” (the base64 encoding of the serialized object O:20:"php_object_injection":0:{}) and the message “PHP object injection has occurred.” will be shown.

Timeline

  • August 22, 2017 – Developer notified.