We were recently hired to do a security review of the WordPress plugin Beautiful Cookie Consent Banner – Premium Add-On.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service.

The review was done on version 1.7.1 of Beautiful Cookie Consent Banner – Premium Add-On. We checked for the following issues during this review:

• Insecure file upload handling (this is the cause of the most exploited type of vulnerability, arbitrary file upload)
• Deserialization of untrusted data
• Security issues with functions accessible through WordPress’ AJAX functionality (those have and continued to be a common source of disclosed vulnerabilities)
• Security issues with functions accessible through WordPress’ REST API (those have started to be a source of disclosed vulnerabilities)
• Persistent cross-site scripting (XSS) vulnerabilities in the frontend portions of the plugin and in the admin portions accessible to users with the Author role or below
• Cross-site request forgery (CSRF) vulnerabilities in the admin portion of the plugin
• SQL injection vulnerabilities (the code that handles requests to the database)
• Reflected cross-site scripting (XSS) vulnerabilities
• Security issues with functions accessible through any of the plugin’s shortcodes
• Security issues with functions accessible through any of the plugin’s blocks
• Security issues with functions accessible through the admin_action action
• Security issues with functions accessible through the admin_init action
• Security issues with functions accessible through the admin_post action
• Security issues with import/export functionality
• Security issues with usage of the is_admin() function
• Security issues with usage of the add_option(), delete_option(), and update_option() functions
• Security issues with usage of the update_user_meta() and wp_update_user () functions
• Security issues with usage of the extract() function
• Lack of IP address validation
• Proper usage of sanitize_callback when using register_setting() to register settings.
• CSV injection
• Host header injection vulnerabilities
• Lack of protection against unintended direct access of PHP files
• Insecure and unwarranted requests to third-party websites
• Any additional possible issues identified by our Plugin Security Checker

Results

We found the plugin had several places where security could be improved, which are detailed below. The developer released version 1.8.0, which addresses those.

Sanitization and Validation

A function in the plugin returned a value possibly based on user input, as HTTP_X_FORWARDED_HOST and HTTP_HOST $_SERVER variables can come from user input. There wasn’t sanitization and or validation done on that. The function wasn’t being used, so the code was never accessed by the plugin. That function has now been removed.

A function in the plugin tries to get the IP address of a request using various $_SERVER variables. Except for one of those, they can be set by the person sending the request. The code sanitizes the value, but it would likely be more appropriate to validate that the value is indeed an IP address. The code was changed to implement that validation unless there is more than one IP address included in the value.

Lack of Protection Against Direct Access to PHP Files

Two of the plugin’s .php files that didn’t appear to be intended to be directly accessed contained protection against direct access, but others were missing that. We didn’t see anything that could be exploited in the files without the restriction in place, but restricting access to them would ensure that there isn’t any issue with that. That protection has now been added.