23 Aug 2023

AI Helps to Detect Vulnerable Code Being Added to 300,000+ Install WordPress Plugin WPvivid Backup

As we have noted multiple times recently, contrary to claims made by other security providers, WordPress plugins continue to have a steady supply of new vulnerabilities being introduced into them. That includes widely used plugins. We continue to work to improve our ability to catch those in plugins used by users of our service. One method is using machine learning, a form of artificial intelligence (AI), to try to catch vulnerabilities as they are introduced into plugins. As that is something that improves with more data, the longer we collect data, the better it should get and the more vulnerabilities we can catch for our customers.

Yesterday, that monitoring flagged an update to the 300,000+ install plugin WPvivid Backup as possibly introducing a vulnerability. Looking over the changes being made, we found that a new function was added to the plugin and made accessible to anyone logged in to WordPress through its AJAX functionality:

add_action('wp_ajax_wpvivid_check_download_has_zero_date', array( $this, 'download_check_has_zero_date' ));

That function is intended to be accessed by users who have access to the plugin’s admin page, which is only accessible to Administrators, so there should be a capabilities check to limit access. Despite that, the function doesn’t include a capabilities check:

public function download_check_has_zero_date()
{
	try
	{
		if (!isset($_POST['backup_id'])) {
			die();
		}
 
		$backup_id = sanitize_key($_POST['backup_id']);
 
		$backup = WPvivid_Backuplist::get_backup_by_id($backup_id);
 
		$backup_item = new WPvivid_Backup_Item($backup);
 
		$has_zero_date=$backup_item->check_has_zero_date();
		if($has_zero_date)
		{
			$db_method = new WPvivid_DB_Method();
			$ret_sql_mode = $db_method->get_sql_mode();
			if(preg_match('/NO_ZERO_DATE/', $ret_sql_mode['mysql_mode']))
			{
				$ret['has_zero_date']=1;
			}
		}
 
		$ret['result']=WPVIVID_SUCCESS;
		echo json_encode($ret);

That function provides information about backups.

The function right above that, download_restore_progress(), in the file /includes/class-wpvivid.php is similarly AJAX accessible and also lacks a capabilities check:

public function download_restore_progress()
{
	try
	{
		if (!isset($_POST['file_name'])) {
			die();
		}
 
		$file_name=sanitize_text_field($_POST['file_name']);
 
		$file_size = $_POST['size'];
 
		$task = WPvivid_taskmanager::get_download_task_v2($file_name);

That provides information about backup restoration progress.

Neither of those functions poses an obvious serious security concern, but the other similarly accessible functions in the file include basic security checks (a capabilities check and a nonce check through a function named ajax_check_security()), including one that simply displays the PHP memory limit for the website:

public function get_ini_memory_limit(){
	$this->ajax_check_security();
	try {
		$memory_limit = @ini_get('memory_limit');
		echo $memory_limit;
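A static check for the pattern the post describes, added here as an example and not code from the post or from the plugin: it lists handlers registered on wp_ajax_ hooks whose body calls none of the usual access checks. It assumes a constructed PHP sample modelled on the excerpts quoted above (not the plugin's real file) and treats ajax_check_security() as a guard on the strength of the post's description of it.

```python
import re

# Constructed PHP sample modelled on the excerpts quoted in the post; NOT the plugin's real file.
SAMPLE_PHP = r"""class WPvivid {
    public function __construct() {
        add_action('wp_ajax_wpvivid_check_download_has_zero_date', array( $this, 'download_check_has_zero_date' ));
        add_action('wp_ajax_wpvivid_get_ini_memory_limit', array( $this, 'get_ini_memory_limit' ));
    }
    public function download_check_has_zero_date()
    {
        if (!isset($_POST['backup_id'])) { die(); }
        $backup_id = sanitize_key($_POST['backup_id']);
        echo json_encode(array('result' => 'success'));
    }
    public function get_ini_memory_limit(){
        $this->ajax_check_security();
        echo @ini_get('memory_limit');
    }
}"""

# Registrations of the form add_action('wp_ajax_<action>', array($this, '<method>'))
AJAX_REG = re.compile(r"add_action\(\s*'wp_ajax_(\w+)'\s*,\s*array\(\s*\$this\s*,\s*'(\w+)'\s*\)")
# Calls that indicate an access check. ajax_check_security is the plugin's own wrapper,
# which the post says performs a capabilities check and a nonce check (assumption: it is sufficient).
GUARDS = ('ajax_check_security', 'current_user_can', 'check_ajax_referer', 'wp_verify_nonce')

def function_body(src, name):
    """Return the text between the outer braces of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:  # naive brace matching; ignores braces inside strings/comments
        depth += {'{': 1, '}': -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def unguarded_ajax_handlers(src):
    """List (action, method) pairs whose handler body calls none of GUARDS."""
    findings = []
    for action, method in AJAX_REG.findall(src):
        body = function_body(src, method)
        if body is None or not any(g in body for g in GUARDS):
            findings.append((action, method))
    return findings

if __name__ == '__main__':
    for action, method in unguarded_ajax_handlers(SAMPLE_PHP):
        print(f"wp_ajax_{action} -> {method}(): no capability/nonce check found")
```

A guard call found by substring is only a hint that a check exists, not proof that it is correct; flagged handlers still need a manual look, as in the post.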

WordPress Causes Full Disclosure

As a protest of the moderators of the WordPress Support Forum’s continued inappropriate behavior, we changed from reasonable disclosure to full disclosure of vulnerabilities for plugins in the WordPress Plugin Directory until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum. (For plugins that are also in the ClassicPress Plugin Directory, we will follow our reasonable disclosure policy.)

You can notify the developer of this issue on the forum as well.

After four years, the moderators have finally tacitly admitted they were behaving inappropriately and have made moves to fix the problems (though incompletely), so these full disclosures can be ended if they simply restore access to our accounts and plugins in the Plugin Directory. Hopefully that takes less than four years.

Update: To clear up the confusion where developers claim we hadn’t tried to notify them through the Support Forum (while at the same time moderators are complaining about us doing just that), here is the message we left for this vulnerability:


Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
