WordPress Plugin Security Review: Compress JPEG & PNG images
For our 23rd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Compress JPEG & PNG images.
If you are not yet a customer of the service, once you sign up for the service as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service. Through the end of the year you can get a free security review of a plugin or theme when you protect 100 websites with our service.
The review was done on version 3.1.0 of Compress JPEG & PNG images. We checked for the following issues during this review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those are a common source of disclosed vulnerabilities these days)
- Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with import/export functionality
- Security issues with usage of is_admin()
- Security issues with usage of add_option(), delete_option(), and update_option()
- Host header injection vulnerabilities
- Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
Results
We found several issues with the plugin. We notified the developer of the issue a week ago, but we haven’t heard back from them and no changes have been made to the plugin yet.
Insecure AJAX functions
The functions accessed by the following AJAX registrations don’t have a capabilities check to limit who can access them despite it looking like they should be limited to only certain types of users:
- wp_ajax_tiny_account_status
- wp_ajax_tiny_settings_create_api_key
- wp_ajax_tiny_settings_update_api_key
- wp_ajax_tiny_get_optimization_statistics
- wp_ajax_tiny_get_compression_status
- wp_ajax_tiny_async_optimize_upload_new_media
Those would allow anyone logged in to WordPress to gain access to data and settings related to the plugin as well as allowing them to change the API key for the plugin or run the plugin’s main functionality of compressing an image already loaded on the website.
The functions accessed by the following AJAX registrations lack protection against cross-site request forgery (CSRF) despite looking like they should have it:
- wp_ajax_tiny_settings_create_api_key
- wp_ajax_tiny_settings_update_api_key
- wp_ajax_tiny_async_optimize_upload_new_media
Those could allow an attacker to cause someone logged in to WordPress to change the plugin’s settings or compress an image already loaded on the website.
Permissive Access to Nonce
In the WordPress documentation on nonces, which are used to protect against CSRF, the following warning is provided:
Nonces should never be relied on for authentication or authorization, access control. Protect your functions using current_user_can(), always assume Nonces can be compromised.
This plugin provides an example of the fact that access to nonces is not always correctly limited, which makes the dual layers of protection a very good idea.
What we found was that anyone logged in to WordPress that has access to the admin area has access to the nonce used for all but one of the AJAX functions. That is due to the nonce being added to all admin pages with the function enqueue_scripts() and on the admin dashboard through the function add_dashboard_widget().
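To show what the AJAX handlers and nonce handling described in the two sections above are missing, here is an added example of the hardened pattern: a capability check first, a per-action nonce check second, and the nonce only issued to users who pass the same capability check. This is illustrative code written for this review, not the plugin's own code; every function, option, action and page hook name beginning with "example" is hypothetical.

```php
<?php
// Added example, not the plugin's code. All "example_*" names are hypothetical.

add_action( 'wp_ajax_example_update_api_key', 'example_update_api_key' );

function example_update_api_key() {
    // 1. Authorization first: a nonce is not access control. Only users who may
    //    manage plugin settings should get past this line, nonce or no nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. CSRF protection: verify a nonce scoped to this one action. Passing
    //    false as the third argument returns false instead of die()-ing with -1.
    if ( ! check_ajax_referer( 'example_update_api_key', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 3. Only now validate and persist the input.
    $key = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{16,64}$/', $key ) ) { // assumed key format
        wp_send_json_error( array( 'message' => 'Malformed key' ), 400 );
    }
    update_option( 'example_api_key', $key );
    wp_send_json_success();
}

// Issue the nonce only on the plugin's own settings page and only to users who
// pass the same capability check, rather than on every admin page for everyone.
function example_enqueue_settings_script( $hook ) {
    if ( 'settings_page_example' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_update_api_key' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_settings_script' );
```

Ordering matters: with the capability check before the nonce check, a low-privileged user who obtains a nonce (as any admin-area user can with this plugin) still cannot reach the settings-changing code.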
Lack of Protection Against Direct Access to Files
The plugin’s .php files lack code at the beginning of the files to restrict direct access to them. We didn’t see anything that could be exploited in the files without the restriction in place.