WPConsent

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is if a backward-looking determination is helpful or if past is not prologue with that. A week ago, we looked at an example of a developer continuing to fail that we ran across. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory. Awesome Motive For one of those developers, Awesome Motive, we just issued our advisory on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn't be failing on that front. Yet it also is the case with WPConsent. In the plugin's file /includes/admin/admin-ajax.php, there are six AJAX accessible functions registered to only be accessible to only those logged in to WordPress. There should be a capability check to make sure the only intended users have access to the functionality, but there isn't. Here is the first of those, which only contains a nonce check and not a capability check: function wpconsent_ajax_add_category() { check_admin_referer( 'wpconsent_add_category', 'wpconsent_add_category_nonce' ); $category_name isset( $_POST ) ? sanitize_text_field( wp_unslash( $_POST ) ) : ''; $category_description isset( $_POST ) ? sanitize_textarea_field( wp_unslash( $_POST ) ) : ''; $category_id wpconsent()->cookies->add_category( $category_name, $category_description ); if ( $category_id ) { wp_send_json_success( array( 'id' > $category_id, 'name' > $category_name, 'description' > $category_description, ) ); } else { wp_send_json_error( array( 'message' > esc_html__( 'There was an error adding the category.', 'wpconsent-cookies-banner-privacy-suite' ), ) ); } } While Awesome Motive shouldn't have a problem handling security like this (they have a chief security officer who is the Security Reviewer on the team running the WordPress Plugin Directory), it would have only, for example, cost $200 for us to do a comprehensive security review that would have caught that and a variety of other possible issues. The plugin is yet another GDPR related plugin that isn't secure. Brainstorm Force So that shows that a developer that isn't handling security continues to do so in the short term, but what about in the longer term? We issued an advisory at the beginning of January of last year for Brainstorm Force. A year later, they introduce SureDash. This plugin contains exactly the same issue as Awesome Motive's plugin across even more functions. One example is this function in the file /core/ajax/backend.php: public function delete_a_sub_content(): void { if ( ! check_ajax_referer( 'portal_delete_a_sub_content', 'security', false ) ) { wp_send_json_error( ); } $sub_content_data ! empty( $_POST ) ? Sanitizer::sanitize_meta_data( json_decode( wp_unslash( $_POST ), true ), 'metadata' ) : ; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Data is sanitized in the Sanitizer::sanitize_meta_data() method. $post_id ! empty( $sub_content_data ) ? absint( $sub_content_data ) : 0; if ( ! $post_id ) { wp_send_json_error( ); } $deleted \wp_delete_post( $post_id, true ); if ( $deleted ) { wp_send_json_success( [ 'message' > __( 'Successfully deleted.', 'suredash' ), ] ); } wp_send_json_error( ); } That code also has a second fairly obvious security issue. It passes user input to a function, wp_delete_post(), that allows deleting arbitrary content stored as a post. That would allow deleting not just WordPress posts and pages, but other plugin's data stored as a post. The code should make sure only the intended content is deletable, but it doesn't. While the plugin is in the WordPress Plugin Directory, it has this message "Please note that SureDash is currently in its Alpha stage and is not recommended for use on live production websites." That hasn't stopped the developers from charging hundreds of dollars for items related to an insecure plugin: Getting a security review wouldn't cost much more than they are charging there, as our price for a review would be $500.

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: WPConsent

Plugin Security Scorecard Grade for WPConsent

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

Awesome Motive