Login
9 Dec 2022

Authenticated Settings Change Vulnerability in LWS Optimize

Last week, we ran across a serious vulnerability in a new WordPress plugin, LWS Optimize. The plugin was subsequently closed on the WordPress plugin directory and then re-opened without the vulnerability being properly fixed. Not only that, but it was still missed that the plugin has an easy to spot vulnerability despite the claim that there is a manual security review before plugins are even allowed in that directory.

If you log in to WordPress with the plugin active, you can access the plugin’s settings page and change the settings even if you are a user with the Subscriber role. Only users with the manage_options capability, which normally only Administrators have, should have access to that. Instead, the plugin makes that page accessible to anyone with the read capability:

90

add_menu_page(__('LWS Optimize', 'lws-optimize'), 'LWS Optimize', 'read', $menu_slug, 'lws_op_page', LWS_OP_URL . 'images/plugin_lws_optimize.svg');

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior we changed from reasonably disclosing to full disclosing vulnerabilities for plugins in the WordPress Plugin Directory in protest, until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:

Proof of Concept

Log in to WordPress as a Subscriber, access the plugin’s settings page, and save a change to the plugin’s settings.

No related posts.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.

Leave a Reply

Your email address will not be published. Required fields are marked *