WordPress Plugin Security Review: reSmush.it Image Optimizer
For our 38th security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin reSmush.it Image Optimizer.
If you are not yet a customer of the service, once you sign up for the service as a paying customer, you can start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our service.
The review was done on version 0.4.2 of reSmush.it Image Optimizer. We checked for the following issues during it as part of our standard review:
- Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
- Deserialization of untrusted data
- Security issues with functions accessible through WordPress’ AJAX functionality (those have been and continue to be a common source of disclosed vulnerabilities)
- Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
- Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
- Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
- SQL injection vulnerabilities (the code that handles requests to the database)
- Reflected cross-site scripting (XSS) vulnerabilities
- Security issues with functions accessible through any of the plugin’s shortcodes
- Security issues with functions accessible through the admin_action action
- Security issues with functions accessible through the admin_init action
- Security issues with functions accessible through the admin_post action
- Security issues with import/export functionality
- Security issues with usage of the is_admin() function
- Security issues with usage of the add_option(), delete_option(), and update_option() functions
- Security issues with usage of the update_user_meta() and wp_update_user() functions
- Security issues with usage of the extract() function
- Lack of IP address validation
- CSV injection
- Host header injection vulnerabilities
- Lack of protection against unintended direct access of PHP files
- Insecure and unwarranted requests to third-party websites
- Any additional possible issues identified by our Plugin Security Checker
Results
We found the plugin contains several vulnerabilities and places where security could be improved. We contacted the developer about the results through their website on Monday of last week, but we have yet to hear back from them, and there hasn’t been a new version released. In line with our reasonable disclosure policy, we are disclosing the vulnerabilities now, as the developer has not so far responded to let us know they would address the issues within a month.
AJAX Accessible Functions Not Properly Secured
The vulnerabilities involve the various functionality the plugin makes available through WordPress’ AJAX system. As an example of this, take the functionality for removing backup files:
```php
function resmushit_remove_backup_files() {
	$files=detect_unsmushed_files();
	$return = array('success' => 0);
	foreach($files as $f) {
		if(unlink($f)) {
			$return['success']++;
		}
	}
	echo json_encode($return);
	update_option( 'resmushit_has_no_backup_files', 1);
	die();
}
add_action( 'wp_ajax_resmushit_remove_backup_files', 'resmushit_remove_backup_files' );
```
As coded now, anyone logged in to WordPress can trigger that function, since registering it only through the wp_ajax_ hook requires nothing more than a logged-in user. A capabilities check using current_user_can() should be added to restrict which users can access it. There should also be a nonce check for each of the plugin’s AJAX functions to prevent cross-site request forgery (CSRF).
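As an added example (not code from the plugin or its developer), this is how that handler could be hardened with a nonce check and a capabilities check, plus the usual guard against direct access to the file. The nonce action name `resmushit_remove_backup_files`, the `nonce` request field, the `resmushit-admin` script handle and the `manage_options` capability are assumptions chosen for the example; `detect_unsmushed_files()` is assumed to return an array of file paths as it does in the plugin.

```php
<?php
// Added example, not the plugin's own code. Hardened version of the
// resmushit_remove_backup_files AJAX handler.

// Stop the file from doing anything when requested directly, outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

function resmushit_remove_backup_files_secure() {
	// 1. CSRF protection: require a valid nonce in the request. The action name
	//    must match the one used with wp_create_nonce() below; check_ajax_referer()
	//    terminates the request with "-1" if the nonce is missing or invalid.
	check_ajax_referer( 'resmushit_remove_backup_files', 'nonce' );

	// 2. Authorization: only users allowed to manage the site may delete files.
	//    Subscribers, contributors and other low-privilege roles get a 403.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	$files  = detect_unsmushed_files();
	$return = array( 'success' => 0 );

	foreach ( $files as $f ) {
		if ( unlink( $f ) ) {
			$return['success']++;
		}
	}

	update_option( 'resmushit_has_no_backup_files', 1 );

	// wp_send_json() JSON-encodes the payload, sets the content type and
	// calls wp_die(), replacing the echo/json_encode/die() sequence.
	wp_send_json( $return );
}
add_action( 'wp_ajax_resmushit_remove_backup_files', 'resmushit_remove_backup_files_secure' );

// The nonce has to reach the browser so the AJAX request can send it back.
// Attach it to the plugin's admin script (handle is an assumption); the
// JavaScript then posts it as the "nonce" field checked above.
function resmushit_enqueue_admin_nonce() {
	wp_localize_script(
		'resmushit-admin',
		'resmushitAjax',
		array(
			'nonce' => wp_create_nonce( 'resmushit_remove_backup_files' ),
		)
	);
}
add_action( 'admin_enqueue_scripts', 'resmushit_enqueue_admin_nonce' );
```

The order matters: the nonce check runs first so that a forged cross-site request is rejected before any capability lookup, and the capability check follows so that a legitimate but low-privilege user who has a valid nonce still cannot delete files. The same two checks apply to every other handler the plugin registers with wp_ajax_.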
Sanitization, Validation, and Escaping
In several places, the plugin brings in user input without using the most relevant validation/sanitization function for that input. For example, the following two lines bring in user input that appears to be intended only as an integer, but they do not restrict the value to an integer, say, by using the function intval():
```php
reSmushit::revert(sanitize_text_field($_POST['data']['id']));
echo reSmushit::revert(sanitize_text_field($_POST['data']['ID']));
```
When outputting variables in code like the following, it would make things more secure to escape the values:
```php
$output = '<input type="checkbox" data-attachment-id="'. $id .'"" class="rsmt-trigger--disabled-checkbox" '. $attachment_resmushit_disabled .' />';
```
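As an added example covering both points above (not code from the plugin or its developer), the first function validates the attachment ID as an integer instead of passing it through sanitize_text_field(), and the second builds the checkbox markup with the interpolated values escaped. The function names are hypothetical, and the example assumes `$attachment_resmushit_disabled` represents a yes/no flag for whether the checkbox is checked.

```php
<?php
// Added example, not the plugin's own code.

// Validate the attachment ID from the request. Returns 0 for anything that
// is not a positive integer referring to an existing attachment, so the
// caller can reject the request before touching the database or files.
function resmushit_example_read_attachment_id( array $post ) {
	if ( ! isset( $post['data']['id'] ) ) {
		return 0;
	}
	// absint() casts to a non-negative integer: "12abc" becomes 12,
	// "-5" becomes 5 and "<script>" becomes 0, so no string ever reaches
	// the code that uses the value.
	$id = absint( $post['data']['id'] );

	// A well-formed integer is still not enough: confirm it names an
	// attachment, so a guessed ID cannot point at another post type.
	if ( 0 === $id || 'attachment' !== get_post_type( $id ) ) {
		return 0;
	}
	return $id;
}

// Build the checkbox with every value escaped for an HTML attribute context.
// esc_attr() neutralises quotes and angle brackets in $id; checked() is the
// WordPress helper that emits checked='checked' (or nothing) without any
// string concatenation of raw input. The stray second double quote after the
// data-attachment-id attribute in the original line is dropped here.
function resmushit_example_checkbox_markup( $id, $disabled ) {
	return sprintf(
		'<input type="checkbox" data-attachment-id="%s" class="rsmt-trigger--disabled-checkbox"%s />',
		esc_attr( $id ),
		checked( (bool) $disabled, true, false )
	);
}

// How the revert handler would use the validated ID (reSmushit::revert is
// the plugin's own method referenced in the review).
function resmushit_example_revert_handler() {
	$id = resmushit_example_read_attachment_id( $_POST );
	if ( 0 === $id ) {
		wp_send_json_error( array( 'message' => 'Invalid attachment ID.' ), 400 );
	}
	wp_send_json( reSmushit::revert( $id ) );
}
```

Choosing the function by the expected type is the point: sanitize_text_field() is for free text and happily returns a string such as `12abc`, whereas absint() or intval() guarantees the value is an integer, and esc_attr() is specifically for values placed inside an HTML attribute.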
Request To External Server Without Consent
The plugin’s admin page contains a News section that connects to an external server without consent, which violates the guidelines for WordPress plugins in the Plugin Directory. It doesn’t seem to be working at this point, so it looks like they could just remove it.
Lack of Protection Against Direct Access to PHP Files
The plugin’s .php files don’t appear to be intended to be directly accessed, but do not contain protection against direct access. We didn’t see anything that could be exploited in the files without the restriction in place, but restricting access to them would ensure that there isn’t any issue with that.
Thanks for this security review, the plugin has been fixed 🙂