The takeover of popular WordPress plugins and then use of them for nefarious purposes has been a major issue when it comes to the security of WordPress plugins this year. Even if the takeover is not done with malicious purposes in mind, a new developer that doesn’t know what they are doing can take an otherwise relatively secure plugin and in a short time make tens or hundreds of thousands of websites insecure. At least that latter issue is true of the plugin Captcha.

The plugin Captcha has 300,000+ active installations according to WordPress.org, including this website and another of ours. Back in July the plugin was handed over from the previous developer, BestWebSoft, to another entity. Then in September an update to the plugin caused the admin area of our other website using the plugin to not function, we were not alone in that. It was only at that point that BestWebSoft mentioned that ownership had been transferred, though the new developer isn’t named:

Recently, we’ve handed over all the rights to use and manage the free version of Captcha plugin. Now, it has new owners which are responsible for the updates, troubleshooting and support any processes connected with its free version.

Going back to the commit when that change occurred, the copyright listing on files was changed from listing BestWebSoft as being the copyrighter to no one listed. The new author of the plugin is “wpdevmgr2678”, which doesn’t exactly project a professional image of the new developer.

The issue of causing the admin area to be inaccessible was then fixed. But then another update caused the admin area of this website to be inaccessible yesterday. As we started to look in to what all was going on, one of things we noticed was the latest review of the plugin on the Plugin Directory:

Since the switch from BestWebSoft to Simplywordpress, the quality of this plugin has gone downhill, with numerous problems or issues introduced with what seems like every update. I no longer recommend using this plugin.

For example:

• Formidable Forms discontinued its Math Captcha integration plugin with this plugin because of breaking updates (like reversing “cptch” to “hctpc” in the code for no discernible reason in an update)
• As of update 4.4.4 adds ~500 queries associated with visitor tracking or some other nonsense, with many repeated queries, adding over 100ms to every page generation time (not even Memcached could help)
• Increasingly poor English wording and grammar, leading to possible confusion

The second issue mentioned concerned us and as we will get to in a bit lead to us finding that plugin has multiple security issues caused by that. The third issue also seemed concerning based on us doing some looking into the developer at that point.

The profile page for the developer on wordpress.org lists them as being located in California. Their website, which was registered the day after the transfer of the plugin appears to have happened, though lists an address in the United Kingdom. In one of the prominent instances of a malicious takeover of a plugin there was similar situation where the developers were listing different locations as their supposed location in various places, so that raises a red flag. The server the website is hosted in located in Canada, for what that is worth.

Based on one of the comments from first time the plugin was making admin areas inaccessible the person responding there would seem to not be the person doing the development:

Hey guys thanks as you can see were aware of the plugin issues problem please remove it and accept my sincerest apologies.

I will be creating a mailbox where you can tell the Dev he is usless personally or maybe a skype group

On the website of the plugin’s developer they market their skills as being different than the actual quality of the changes being made to the plugin have shown. From the homepage there is this:

 We are professional programmers who simply love WordPress and can’t wait to make a custom designed plugin for you!

And this:

Hire a team not a guy working in his mom’s basement.

Also on the homepage they twice mention a security service included with their plugins:

With every plugin we have included our “simply-secured” service which helps protect your website from threats.

Every plugin comes with our simply-secured service which protects your site from threats.

Though as we will get to in a moment their Captcha plugins actual introduces security vulnerabilities.

On their services page they make several claims that don’t match the real results with the Captcha plugin:

WP plugin testing and validation

At Simply WordPress, we never improvise on a whim. While we develop fully customized WP plugins, we make sure they can pass validation by WordPress. We build up on the core WP files and add the functionalities you need.

Our team is on the ball 24/7 and you can be sure that nothing slips under our radar. If there is so much as a glitch, we fix it right away so your website can keep bringing you profit!

Also worth noting is that on their contact page, the captcha is not generated by someone else’s captcha plugin.

As of today the plugin has been removed from the Plugin Directory, though WordPress continues to not to handle that situation properly and inform people why a plugin has been closed. In this case the developer states that:

We just wanted to let you know the plugin wont be available to be downloaded for a few days as WordPress as asked us to change our brand name as it contains the word “wordpress” which goes against there terms. Obviously we were unaware of this issue and will get this fixed and be back shortly.

Failing at Security Basics

Back in October we announced a new tool that does limited automated security testing of WordPress plugins, so the public can get some idea if a plugin might contain security issues that warrant further review. One of the things that tool checks for is if the plugin registers AJAX accessible function to be accessible to those not logged in as well to those logged in. While there are perfectly safe situations where that happens, what we have found with many vulnerabilities we and others have discovered, is that often time’s plugins are making functionality accessible to those not logged in that they don’t need access to. A month ago we noted how that situation lead to attempts to utilize a vulnerability that had been in the plugin Formidable Forms to exploit a vulnerability in another plugin. That also turns out to be an issue with Captcha starting with version 4.3.6.

As part of the “visitor tracking” mentioned in the review previously mentioned, the file /live-trafic-lib/cptch_traffic_functions.php was added to the plugin and that makes several functions available to anyone whether they are logged in or not.

One of those is the function cptch_get_traffic_record_callback():

911
912
913

add_action( 'wp_ajax_cptch_get_traffic_record',        'cptch_get_traffic_record_callback' );
 
add_action( 'wp_ajax_nopriv_cptch_get_traffic_record', 'cptch_get_traffic_record_callback' );

When that function is requested it doesn’t do any checks on who is making the request before displaying the live traffic. So anyone can monitor visits to the websites, despite it looking like only Administrators are intended to be able to do that.

Other functions that are available allow anyone to block or unblock IP address or whole countries from logging in to the website or utilizing anything that requires a captcha.

What are missing here are not advanced security measures, just the basics, so it looks like the developer doesn’t have a basic understanding of how the security of WordPress plugins should be handled.

Some of the code in those functions isn’t properly handling things to protect against SQL injection, though in our quick check we didn’t see a way it could be exloited.

We have notified the developer of this issues. Due to our overall concern with the plugin and the fact that is currently removed from the Plugin Directory, we decided not to hold back disclosure as we would normally do.

Phoning Home

After you upgrade the plugin to the most recent version an “urgent” message is shown:

At the same If you visit the plugin’s admin page you will receive the following message:

If you click the “Recommend Settings” button shown in the first image or the “Select Prefered Settings” button shown in the second, the plugin will start contacting the developer’s website for a list of blacklisted IP addresses and pass along the site’s address. That would seem to be in violation of the guidelines for plugin’s in the Plugin Directory since there doesn’t seem proper notification of that:

The plugin may not “phone home” or track users without their informed, explicit, opt-in consent.

In the interest of protecting user privacy, plugins may not contact external servers without the explicit consent of the user via requiring registration with a service or a checkbox within the settings. This method is called ‘opt in.’ Documentation on how any user data is collected, and used, should be included in the plugin’s readme, preferably with a clearly stated privacy policy.

This restriction includes the following:

• No unauthorized collection of user data. Users may be asked to submit information but it cannot be automatically recorded without explicit confirmation from the user.
• Intentionally misleading users into submitting information as a requirement for use of the plugin itself is prohibited.
• Images and scripts should be loaded locally as part of the plugin whenever possible. If external data (such as blocklists) is required, their inclusion must be made clear to the user.
• Any third party advertisement mechanisms used within the plugin must have all tracking features disabled by default. Advertisement mechanisms which do not have the capability of disabling user tracking features are prohibited.

The sole exception to this policy is Software as a Service, such as Twitter, an Amazon CDN plugin, or Akismet. By installing, activating, registering, and configuring plugins that utilize those services, consent is granted for those systems.

Moving Off This Plugin

At this point there is a new developer of this plugin that at best isn’t doing enough testing before releasing updates and is introducing other issues to the plugin, so it seems the best thing to do would be to move off of the plugin.

On our websites we have moved back to the last version by the previous developer until we can find a more permanent replacement.

Proof of Concept

The following proof of concept will cause the latest traffic to the website to be shown.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php?action=cptch_get_traffic_record" method="POST">
<input type="hidden" name="page" value="1" />
<input type="submit" value="Submit" />
</form>
</body>

Timeline

• December 8, 2017 – Developer notified.

Concerned About The Security of the Plugins You Use?