Login
25 Feb 2025

Popular WordPress File Manger Plugins Contain Third-Party Library With Multiple Vulnerabilities

Last week three WordPress file manager plugins were checked through our Plugin Security Scorecard tool. An issue identified by the tool in each plugin was flagged for us to review. That issue being that the plugin’s contained a known vulnerable library. What was curious was is that each plugin was flagged for the exact same vulnerabilities in the same library. Here is the relevant part of the results for the 1+ million install WP File Manager:

The 100,000+ install Advanced File Manager:

And finally the 80,000+ install Filester:

Was it just a coincidence that they all contained a vulnerable version of the jQuery UI library?

Before we reached out to the developers to let them know about that, we checked to make sure the tool’s information was correct. That led us to find each of them is based on the same library that provides the file manager, elFinder. The jQuery UI library is part of that library. So elFinder is still using a known vulnerable version of jQuery UI? No. The developer of that updated to a fixed version in December 2023.

So the developers of the file manager plugins haven’t bothered to update the core of their plugins in over a year. It isn’t like the developers of these plugins shouldn’t have security on their radar, prominently on the WordPress Plugin Directory page for Filester is this:

Did you know?
More than 700,000 WordPress websites were attacked during September 2020.
Malicious bots are looking to exploit vulnerable versions of WP file manager plugins.
Fortunately, Filester comes with this vulnerability fixed!
Filester poses no risk to you, so rest assured! 🤗

The developer of elFinder isn’t doing a great job either, as three of the jQuery UI vulnerabilities were disclosed by the developer of the library in October 2021 (1, 2, 3) and the last was disclosed in July 2022. If those incorporating the library in to their own solutions were more focused on security, that would help to avoid mistakes like that. But as these plugins show, that isn’t the case.

That the most popular of those plugins, WP File Manager, is affected by this shouldn’t be surprising as we have been warning not to use plugins from the developer since May 2022 because of their repeated poor handling of security. The plugin also still contains a minor vulnerability we warned the developer they had incompletely fixed a year ago.

We have notified the developers of the three plugins that their plugins contain the known vulnerable library caused by usage of an outdated version of elFinder.

24 Feb 2025

Settings Change and Persistent Cross-Site Scripting (XSS) Vulnerabilities in Donate visa

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin Donate visa in third-party data we monitor. The probing was done by requesting a file from the plugin if the plugin had existed on a website, /wp-content/plugins/donate-visa/readme.txt. The plugin was closed on the WordPress Plugin Directory on November 5, 2024. The reason given for the closure is “Security Issue.” Nothing was provided to vet the claim there was a security issue. Competitors of ours have claimed there is an unfixed vulnerability that allows attackers “with Subscriber-level access and above, to perform an unauthorized action.” They provided nothing to back that up. Looking at the code, we found what they appear to be referring to, but as is so often the case, they didn’t bother to do proper vetting and got a basic detail wrong. The real vulnerability is one you would expect to be exploited.

The only code that looks like it could be related to the claimed vulnerability is the code that handles saving the plugin’s settings. That is handled by the function donate_visa_dvsmp_ajax() in the file /includes/class-donate-visa-dvsmp-plugin.php. That doesn’t include any security checks: [Read more]

21 Feb 2025

The Good and Bad of Unexplained Change to WordPress Plugin Directory That Exposes Owners of Plugins

Yesterday, the team running the WordPress Plugin Directory announced they had recently made a significant change to the directory. No explanation was given for why it was done. Nor why it was done without warning or discussed beforehand. The change has some positive benefits, but also some apparent downsides. The change is what is shown as the author of a plugin. Here is an example of the change. The 400,000+ install plugin NextGEN Gallery used to be listed as being by Imagely:

[Read more]

20 Feb 2025

Backdoor Code Routes Malicious Actions Through WordPress REST API

Website hackers are not exactly known for their sophistication, other than in the misleading portrayals put forward by too many security companies and security journalists. But sometimes malicious actors can do things that are more sophisticated. In the latest instance of that we ran across, they also screwed up. Checking on a website today, we found that there was visible code showing on the top of the website:

[Read more]

14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing was done by requesting a file from the plugin if the plugin had existed on our website, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or any of them. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments.

The last part of that is odd. Why would that only be possible in “multisite environments?” They didn’t provide any further details to explain. They provided two links without any context as to what they were supposed to mean. The links showed a couple of things. First Wordfence had failed to vet the fix, as even the code being changed was still vulnerable. One of the links shows code being changed to add a capability check, notably missing is the addition of a nonce check or a pre-existing nonce checks. So there was still at least cross-site request forgery (CSRF) vulnerability. A little more checking showed that the capability check was incompletely applied to file being changed.

In the file /classes/mu.class.php, the following function had a capability check added (the current_user_can() part):

553
554
555
556
557
558
559

public function mu_save_site_settings()
{
	if (!current_user_can('manage_options')) {
		wp_send_json_error('Forbidden.');
	}
 
	global $wpc_siteID;

The next function should have also had that added, but it wasn’t:

594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612

public function mu_get_site_settings()
{
	global $wpc_siteID;
	$output = '';
 
	$wpc_siteID = $siteID = sanitize_title($_POST['siteID']);
	ob_start(); // begin collecting output
 
	if ($this->mu_is_connected($siteID)) {
		include WPS_IC_DIR . 'templates/mu/connected.php';
		#include WPS_IC_DIR . 'templates/mu/site-settings.php';
	} else {
		include WPS_IC_DIR . 'templates/mu/not-connected.php';
	}
 
	$output .= ob_get_clean(); // retrieve output from myfile.php, stop buffering
 
	wp_send_json_success($output);
}

So even as described by Wordfence, the issue had only been partially fixed. It turns out the issue is still exploitable even when not using WordPress Multisite.

Plugin Vulnerability Data Providers Don’t Vet Their Data

That Wordfence got things so wrong runs counter to their claim to have a team of experts and their CEO Mark Maunder’s claim that their vulnerability “data is impeccable.”

They were not alone in that. WPScan, which also claims to have a team of experts, claimed the issue was fixed:

While also somehow claiming that they hadn’t verified it (somehow that is a miscellaneous detail):

Patchstack, also claims to have a team of experts, yet they also claimed it was fixed:

They are claiming to have provided a “virtual patch”, so either they knew the fix was incomplete and claimed otherwise, or their virtual patch is incomplete as well.

The reality is that WPScan and Patchstack simply copy information from Wordfence without vetting, despite Wordfence’s data being known to be unreliable going back to before it was public. (Wordfence also copies data from the other providers without vetting it.)

So Much is Vulnerable

When trying to determine what a hacker might be interested in exploiting related to this, you run into the problem that is so much code that is accessible it is hard to guess what a hacker might be interested. But to provide an example of what Wordfence and the other security providers somehow missed, let’s take a look at a function to change the plugin’s settings. In the file /classes/ajax.class.php, the function wps_ic_settings_change() is registered to be accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

126

$this->add_ajax('wps_ic_settings_change');

That function doesn’t include a capability check or a nonce check to limit access to changing the settings:

442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511

/**
 * Change Settings Value
 */
public function wps_ic_settings_change()
{
	global $wps_ic;
 
	$what = sanitize_text_field($_POST['what']);
	$value = sanitize_text_field($_POST['value']);
	$checked = sanitize_text_field($_POST['checked']);
	$checkbox = sanitize_text_field($_POST['checkbox']);
 
 
	$options = new wps_ic_options();
	$settings = $options->get_settings();
 
	if ($what == 'thumbnails') {
		if (!isset($value) || empty($value)) {
			$settings['thumbnails'] = [];
		} else {
			$settings['thumbnails'] = [];
			$value = rtrim($value, ',');
			$value = explode(',', $value);
			foreach ($value as $i => $thumb_size) {
				$settings['thumbnails'][$thumb_size] = 1;
			}
		}
	} else {
		if ($what == 'autopilot') {
			if ($checked == 'checked') {
			} else {
				$settings['otto'] = 'automated';
			}
		}
 
		if ($checkbox == 'true') {
			if ($checked === 'false') {
				$settings[$what] = 0;
			} else {
				$settings[$what] = 1;
			}
		} else {
			$settings[$what] = $value;
		}
	}
 
	if ($what == 'live_autopilot') {
		if ($value == '1') {
			// Enabline Live, clear local queue
			delete_option('wps_ic_bg_stop');
			delete_option('wps_ic_bg_process_stop');
			delete_option('wps_ic_bg_stopping');
			delete_option('wps_ic_bg_process');
			delete_option('wps_ic_bg_process_done');
			delete_option('wps_ic_bg_process_running');
			delete_option('wps_ic_bg_process_stats');
			delete_option('wps_ic_bg_last_run_compress');
			delete_option('wps_ic_bg_last_run_restore');
		}
	} elseif ($what == 'css' || $what == 'js') {
		// Purge CSS/JS Cache
		$this->purge_cdn_assets();
	}
 
	self::$cacheIntegrations->purgeAll();
 
	update_option(WPS_IC_SETTINGS, $settings);
 
	wp_send_json_success();
}

So anyone logged in to WordPress can change the plugin’s settings. An attacker could cause anyone logged in to change settings through CSRF as well.

More Issues Probably Exists

Our Plugin Security Scorecard and Plugin Security Checker tools flag the plugin as possibly having yet more security issues.

Developer Notified

We reached out to the developer earlier today to let them known about the incomplete fix and offered to help them address it.

Free Warning

As some part of the vulnerability might be targeted by hackers, we are adding accurate data on it to the free data that comes with our Plugin Vulnerabilities plugin.

11 Feb 2025

WordPress Plugin Developers’ Assurances Their Plugins Are Secure Continue to Not Bear Out

We recently ran across a WordPress plugin developer claiming that a security partner was ensuring their plugin was secure. We had run across the plugin because the developer had continued to use a known vulnerable third-party library for 21 months. It turned out to not be the only known vulnerable library in the plugin. There also is an additional unfixed security issue caused by the security partner, Patchstack, failing to make sure a vulnerability was properly fixed or to provide the information needed for others to vet their false claim it was fixed. They are hardly the only plugin developer claiming that their plugins are secure. Can you trust their claims?

One way to try to determine the answer to that would be to look at the evidence they providing to back the claims up. But they don’t provide any. For example, the developer of the 80,000+ install WP ULike provides this information in a FAQ in response to the question “Is WP ULike secure?”:

Yes, developed by TechnoWich, WP ULike follows the latest security and coding standards, with over 80,000 active users and a high WordPress rating.

The install count and rating don’t have any stated connection with whether it is secure or not. They do claim to follow “the latest security and coding standards,” but provide nothing to support that.

You can get an incomplete automated independent assessment of the handling of the security of WordPress plugins with our Plugin Security Scorecard. Somebody did that today with this plugin (which led to us noticing the security claim by the developer), the tool identified multiple issues with the plugin:

One of them involves the developer misusing a security function, which disputes the claim they follow security standards. Specifically, they are using the PHP filter_input() security function without specifying a filter, so it doesn’t provide any security. Looking at the code in question, there isn’t a vulnerability, as the misused function isn’t actually needed:

149

$isUsingCloudflare = !empty(filter_input(INPUT_SERVER, 'CF-Connecting-IP'));

Another identified issue involves usage of a WordPress function, maybe_unserialize(), known to be insecure, where the response from WordPress to securing it has been to suggest that plugins don’t use the function instead of fixing it. That doesn’t seem a like a good response, but using it in spite of that in the plugin doesn’t seem to be in line with following security or coding standards.

As an automated tool, the Plugin Security Scorecard is limited in what it can check for, but considering the issues it identified with the plugin’s code and that the developer isn’t providing the results of a security review of the plugin, it wouldn’t be surprising that there are more issues. And there are. One example highlights that the plugin is missing some basic security, which gets close to a serious security vulnerability.

In the file /admin/settings/functions/actions.php, the function ulf_import_ajax() is made accessible to anyone logged in to WordPress through its AJAX functionality:

123

add_action( 'wp_ajax_ulf-import', 'ulf_import_ajax' );

The code in the function is missing a basic security check:

99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

  function ulf_import_ajax() {
 
    $nonce  = ( ! empty( $_POST[ 'nonce' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'nonce' ] ) ) : '';
    $unique = ( ! empty( $_POST[ 'unique' ] ) ) ? sanitize_text_field( wp_unslash( $_POST[ 'unique' ] ) ) : '';
    $data   = ( ! empty( $_POST[ 'data' ] ) ) ? wp_kses_post_deep( json_decode( wp_unslash( trim( $_POST[ 'data' ] ) ), true ) ) : array();
 
    if ( ! wp_verify_nonce( $nonce, 'ulf_backup_nonce' ) ) {
      wp_send_json_error( array( 'error' => esc_html__( 'Error: Invalid nonce verification.', 'ulf' ) ) );
    }
 
    if ( empty( $unique ) ) {
      wp_send_json_error( array( 'error' => esc_html__( 'Error: Invalid key.', 'ulf' ) ) );
    }
 
    if ( empty( $data ) || ! is_array( $data ) ) {
      wp_send_json_error( array( 'error' => esc_html__( 'Error: The response is not a valid JSON response.', 'ulf' ) ) );
    }
 
    // Success
    update_option( $unique, $data );
 
    wp_send_json_success();
 
  }

That missing security check being a capability check to limit what WordPress users can access the function. The code allows anyone who has access to a nonce, which is intended to prevent an attacker causing someone else to take an action, to update arbitrary WordPress options (settings). There is almost no situation where a plugin should have code allowing to update arbitrary settings, as that could allow an attacker to take control of a website. Instead, the developer should only allow certain options to be updated.

So who has access to the nonce? As far as we can tell, no one. As the code that generates that doesn’t appear to be used in the plugin. It looks to be connected to the paid “Pro” version of the plugin. So the insecure code really shouldn’t be in the plugin.

If an attacker logged in to WordPress could find another security issue that allows them to generate the needed nonce, they could, among other things, takeover the website.

Properly Assessing WordPress Plugins’ Security

The best way to assess the security of a WordPress plugin is a security review. Well, assuming the entity doing the review is really doing a security review, which isn’t always the case. If a developer is telling you their plugin is secure, they should be able to provide the results from a recent review to support that.

If a security review hasn’t been done, then our Plugin Security Scorecard can provide a much more limited assessment of the plugin’s security.

10 Feb 2025

WordPress Plugin Includes Version of Third-Party Library That Was Publicly Known to Be Vulnerable Years Before Plugin Was Even Released

As part of providing a more comprehensive view of the handling of the security of WordPress plugins through our Plugin Security Scorecard tool, we have been expanding the number of third-party libraries it can detect in plugins. If developers of those libraries disclose security advisories on GitHub for those libraries, we incorporate them into the results of the tool as well. Last week we added detection for the jQuery UI JavaScript library. It has already had someone run a plugin through the updated tool that caught the plugin containing a version of a library that contains multiple vulnerability according to the developer:

[Read more]

10 Feb 2025

WordPress Plugin Security Review: AspireUpdate

As part of the ongoing situation between Matt Mullenweg and the WordPress community, there has increased concern about various aspects of WordPress. One area of concern is the continued ability to get updates for WordPress software from the WordPress update infrastructure. That led to the release of a new plugin, AspireUpdate, as part of a larger project to provide alternative infrastructure, AspirePress. As part of our focus on supporting efforts to reform WordPress, we decided to do a security review of the plugin.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service. [Read more]

4 Feb 2025

Patchstack Isn’t Actually Patching Vulnerabilities

You would reasonably think that a security company named Patchstack would be focused on patching security vulnerabilities, but it turns out they are not. In fact, they are actually making it harder for vulnerabilities to get patched.

If you head over to Patchstack’s homepage, they currently claim at the top of the page to offer the “fastest protection for WordPress security vulnerabilities” and claim to have
9,100+ virtual patches to protect you:” [Read more]

3 Feb 2025

CVE Actually Does Trust Open Source Implicitly and That Is a Problem

Last week the Security Developer-in-Residence at the Python Software Foundation Seth Michael Larson said he loved an article from Open Source Security. The article touched on an important issue with the CVE system, though, coming from an author, Anchore’s Josh Bressers, who seemingly has no idea what he is talking about. CVE is a system that is supposed “to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities”, with “one CVE Record for each vulnerability in the catalog.” What CVE actually is is a prime example of how much of the security industry is a scam. As the catalog is filled with information that is often misleading to outright false and lacks the basic information needed to make the information useful or to vet it.

The post at Open Source Security claimed that something being done by the Node.js project “is against the CVE rules” and that “[t]his is important because it can frame some of the discussion we see.” Those claims are not backed up by anything in the post or what is linked to in the post. The reality here is even if something is against the rules of CVE, the people running it have been very clear in their actions they don’t care if it is done by something they allow to submit information directly in to the catalog. [Read more]