15 Nov 2023

WooCommerce Extending Plugins Might Not Actually Be Written With All WordPress Security Standards in Mind

Recently the developer of a WordPress plugin that extends WooCommerce responded to a claim that their plugin contained a vulnerability by stating that the plugin has “no known vulnerabilities and is written with all wordpress security standards in mind taking precaution to avoid such an issue.” Can you trust that sort of claim? In our years of experience, no. Plugin developers often make strong claims about their handling of security that turn out not to be true. That was the case with this plugin, WooCommerce Product Table Lite, as well. Those who want to make sure the plugins they use are actually secure should look for plugins that have had an independent security review done, or have one done for the plugins they rely on.

Like another plugin we discussed this week, where the developer had missed a vulnerability despite claiming to have done multiple audits, this situation involved a vague claim from a security provider named Patchstack that the plugin contained a cross-site request forgery (CSRF) vulnerability. This plugin also contained such an issue, which wasn’t hard to find and involved a failure to implement a basic security measure. After finding it, we contacted the developer. We let them know what appeared to be at issue, linked to the relevant WordPress documentation to address it, and offered to help them with that issue. They have now addressed the vulnerability.

As of the previous version of the plugin, the link on the plugin’s settings page to reset the settings looked like this: /wp-admin/edit.php?post_type=wc_product_table&page=wcpt-settings&wcpt_reset_global_settings=true. Missing from that is what is referred to as a nonce, a unique value used to make sure the request to reset the settings is coming from someone who clicked the link on the settings page. Without it, an attacker could cause someone with access to the settings page to reset the settings without intending to. That isn’t a serious issue, but protection against CSRF is a basic element of WordPress security standards, so the developer hasn’t been implementing those, despite claiming otherwise.

The code that generates the settings page is in the function wcpt_settings_page, which is located in the file /main.php. Right near the beginning of that is the code that handles the resetting of the plugin’s settings, which previously didn’t contain a nonce check to prevent CSRF:

function wcpt_settings_page(){
  if( ! class_exists('WooCommerce') ){
    return;
  }
 
  // Vulnerable: a wcpt_reset_global_settings query argument alone
  // triggers the reset, with no nonce tied to the settings page link.
  if( ! empty( $_GET['wcpt_reset_global_settings'] ) ){
    do_action('wcpt_reset_global_settings');
    delete_option('wcpt_settings');

The new version of the plugin added the missing check to address this:

function wcpt_settings_page(){
  if( ! class_exists('WooCommerce') ){
    return;
  }
 
  if( ! empty( $_GET['wcpt_reset_global_settings'] ) ){
    // Fixed: the request must carry a valid nonce for this action,
    // which only the plugin's own settings page link provides.
    if( 
      empty( $_GET['_wp_nonce'] ) ||
      ! wp_verify_nonce( $_GET['_wp_nonce'], 'wcpt_reset_global_settings' ) 
    ){
      die();
    }
 
    do_action('wcpt_reset_global_settings');
    delete_option('wcpt_settings');

Elsewhere, the code to generate a nonce was added to the link to reset the settings using the function wp_create_nonce().
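For readers who want to see both halves of that pattern together, here is an added example of a CSRF-protected reset link and its handler. It is not the plugin’s code; it assumes it runs inside WordPress, reuses the wcpt_* query argument and action names from the post, and the capability check, hook choice, redirect and example_ function names are our own choices.

```php
<?php
// Added example (not the plugin's code): a CSRF-safe "reset settings" link
// and handler using the standard WordPress nonce functions. The 'wcpt_*'
// names come from the post; the capability and hook are assumptions.

// Build the reset link for the settings page. wp_nonce_url() appends a
// _wpnonce query argument bound to the 'wcpt_reset_global_settings' action
// and to the current user's session, so a third-party site cannot forge it.
function example_wcpt_reset_link() {
    $url = add_query_arg(
        array(
            'post_type'                  => 'wc_product_table',
            'page'                       => 'wcpt-settings',
            'wcpt_reset_global_settings' => 'true',
        ),
        admin_url( 'edit.php' )
    );
    return wp_nonce_url( $url, 'wcpt_reset_global_settings' );
}

// Handle the reset early in the admin request, before any output is sent.
function example_wcpt_handle_reset() {
    if ( empty( $_GET['wcpt_reset_global_settings'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage options may reset them
    // (a nonce proves intent, not permission, so both checks are needed).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: check_admin_referer() verifies the _wpnonce argument for
    // this action and stops the request when it is missing or invalid.
    check_admin_referer( 'wcpt_reset_global_settings' );

    do_action( 'wcpt_reset_global_settings' );
    delete_option( 'wcpt_settings' );

    // Redirect to the plain settings URL so a reload does not repeat the reset.
    wp_safe_redirect( remove_query_arg( array( 'wcpt_reset_global_settings', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'example_wcpt_handle_reset' );
```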

The plugin still has another easy to spot security issue flagged by our Plugin Security Checker.
