12 Apr 2022

5+ Million Install WordPress Plugin Elementor Contains Authenticated Remote Code Execution (RCE) Vulnerability

Late last week, third-party data we monitor showed what was possibly a hacker probing for usage of the WordPress plugin Elementor, which has 5+ million active installs according to WordPress, by requesting this file:

/wp-content/plugins/elementor/readme.txt [Read more]

14 Oct 2021

Vulnerability Details: Authenticated Remote Code Execution (RCE) in Loco Translate

We don’t know why developers publicly publish details of security changes in their WordPress plugins before making them available to users, but it keeps happening. That has occurred with the plugin Loco Translate. The Subversion commit message for the latest changes to the plugin is:


[Read more]

1 Nov 2019

Authenticated Remote Code Execution (RCE) Vulnerability Exists in WordPress Plugin Being Targeted By Hacker

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. Recently that has started up again, with the plugin MobiLoud News being one of the new plugins. There was probing on our website for that plugin two days ago, by requesting these files:

  • /wp-content/plugins/mobiloud-mobile-app-plugin/description.txt
  • /wp-content/plugins/mobiloud-mobile-app-plugin/readme.txt

In beginning to check over the plugin to figure out what a hacker would be interested in exploiting, we found multiple vulnerabilities. What might be the most serious is an authenticated remote code execution (RCE) vulnerability that would allow an attacker to run arbitrary PHP code on the website. It could also be exploited through cross-site request forgery (CSRF). [Read more]
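The probing described above shows up in a web server access log as requests for a plugin’s readme.txt (or description.txt). As an added example, not the vendor’s monitoring code, here is a small PHP script that pulls those requests out of combined-format log lines and groups them per client; a 200 on readme.txt tells the scanner the plugin is installed, and the readme’s "Stable tag:" line gives it the version. The log lines, IP addresses and function names are constructed for illustration.

```php
<?php
// Added example, not the vendor's monitoring code. Sample log lines, IPs and
// function names are constructed for illustration.

// Constructed access-log lines (Apache/nginx "combined" format).
$sample_log = <<<'LOG'
203.0.113.7 - - [01/Nov/2019:10:02:11 +0000] "GET /wp-content/plugins/mobiloud-mobile-app-plugin/description.txt HTTP/1.1" 404 169 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:10:02:12 +0000] "GET /wp-content/plugins/mobiloud-mobile-app-plugin/readme.txt HTTP/1.1" 404 169 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Nov/2019:10:05:40 +0000] "GET /2019/11/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:10:06:02 +0000] "GET /wp-content/plugins/elementor/readme.txt HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2019:10:06:03 +0000] "GET /wp-content/plugins/loco-translate/readme.txt?ver=1 HTTP/1.1" 404 169 "-" "Mozilla/5.0"
LOG;

/**
 * Extract requests for plugin readme.txt / description.txt files.
 * Returns one array per matching line: ip, time, plugin slug, file, status.
 */
function find_plugin_probes(string $log): array
{
    // client, date, plugin slug, which file, HTTP status; an optional query string is tolerated
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "GET /wp-content/plugins/([A-Za-z0-9_.-]+)/(readme|description)\.txt(?:\?[^ "]*)? HTTP/[0-9.]+" (\d{3})#';
    $probes = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match($re, $line, $m)) {
            $probes[] = [
                'ip'     => $m[1],
                'time'   => $m[2],
                'plugin' => $m[3],
                'file'   => $m[4] . '.txt',
                'status' => (int) $m[5],
            ];
        }
    }
    return $probes;
}

/**
 * Group probes by client IP. One client walking readme.txt across several
 * plugins in a short window is scanner behaviour; a 200 means the plugin is
 * present, and the readme's "Stable tag:" line then reveals the version.
 */
function summarize_probes(array $probes): array
{
    $by_ip = [];
    foreach ($probes as $p) {
        $by_ip[$p['ip']]['plugins'][$p['plugin']] = true;
        if ($p['status'] === 200) {
            $by_ip[$p['ip']]['present'][$p['plugin']] = true;
        }
    }
    foreach ($by_ip as $ip => &$info) {
        $info['plugins'] = array_keys($info['plugins']);
        $info['present'] = array_keys($info['present'] ?? []);
    }
    unset($info);
    return $by_ip;
}

foreach (summarize_probes(find_plugin_probes($sample_log)) as $ip => $info) {
    printf("%s probed %d plugin(s): %s\n", $ip, count($info['plugins']), implode(', ', $info['plugins']));
    if ($info['present']) {
        printf("  installed (readme.txt returned 200): %s\n", implode(', ', $info['present']));
    }
}
```

On a real log the 404s are as informative as the 200s: the plugins a scanner asks for that you do not run tell you which plugins it currently has an exploit for, which is exactly the signal the monitoring above is built on.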

2 Jul 2019

There is Also an Authenticated Remote Code Execution (RCE) Vulnerability in Newsletters

Yesterday we noted a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Newsletters, which was closed on Friday, that we happened across. Subsequently, in our monitoring to keep track of indications that new versions of plugins have security fixes, we noticed that a new version of the plugin had been submitted with “Security fixes”. That version doesn’t fix the vulnerability we mentioned yesterday. When we started looking over it to see if something else had been fixed that we should add to the data set of plugin vulnerabilities for our service, we came across more unfixed vulnerabilities.

What we first ran across is a fairly serious vulnerability, an authenticated remote code execution (RCE) vulnerability, in code that seems like it shouldn’t exist even if it were better secured. [Read more]

6 May 2019

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability in the New Plugin Master Popups Lite

In yet another of far too many instances of this happening, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a brand new plugin being introduced with a vulnerability that seems like it should have been caught through the security review that is supposed to happen before new plugins are allowed in the Plugin Directory. This time it is an authenticated remote code execution (RCE) vulnerability in the plugin Master Popups Lite.

We have long offered to help the team running the Plugin Directory put in place a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about this as well, and we have long offered that team free access to the advanced mode of that tool. We haven’t heard any interest from them in either offer. [Read more]

5 Apr 2019

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability Being Introduced into Groundhogg

Occasionally our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities catches an easy-to-confirm vulnerability, and that was the case with an authenticated remote code execution (RCE) vulnerability being introduced into the plugin Groundhogg, which is also exploitable through cross-site request forgery (CSRF).

Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type of vulnerable code (and other types of vulnerable code). From there, if you are a paying customer of our service you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

20 Feb 2019

Just Closed File Manager WordPress Plugin with 300,000+ Installs Contains Authenticated Remote Code Execution (RCE) Vulnerability

Due to our monitoring for closures of the 1,000 most popular WordPress plugins, we were notified that the plugin File Manager (WP File Manager), which has 300,000+ installs, was closed today. That a security vulnerability could have led to it being closed wouldn’t be surprising. That is in part because one of the other plugins from the same developer, Duplicate Page, which has 700,000+ installs, has been publicly known to contain multiple unfixed vulnerabilities for over a year (which no one on the WordPress side of things seems to care about), two of which we disclosed in October of 2017 after the developer didn’t respond to our notification of the issues. It is also in part because of the continued poor security of this plugin itself: it used to be fundamentally insecure, and even when that was fixed it wasn’t fixed properly.

Once we were notified of the closure we started checking over the plugin to see if it had any obvious security issues. One of the things we do is run the plugin through our Plugin Security Checker tool, which allows anyone to check for the possibility of some instances of security issues in WordPress plugins. That flagged that a function, mk_check_filemanager_php_syntax_callback(), was accessible through WordPress’ AJAX functionality to those logged in as well as those logged out. The function name hinted that there might be something there that shouldn’t be accessible to those not logged in, at the very least. [Read more]
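The pattern the checker flags is a callback hooked on both wp_ajax_{action} and wp_ajax_nopriv_{action}: the second hook fires for visitors who are not logged in, so whatever the callback does is reachable by anyone who can POST to admin-ajax.php. The following is an added example, not code from WP File Manager or any plugin on this page; the prefix ex_, the action ex_save_template and the file-writing behaviour are hypothetical illustrations, chosen so that the same snippet also shows why the "authenticated" variants above remain exploitable through CSRF when the nonce is missing.

```php
<?php
/**
 * Added example, not code from WP File Manager or any plugin on this page.
 * Prefix "ex_", action "ex_save_template" and the file-writing logic are
 * hypothetical; they illustrate the hook pattern, not the real callback.
 */

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_{action} runs for logged-in users, wp_ajax_nopriv_{action} for
// everyone else, so this callback answers
//   POST /wp-admin/admin-ajax.php?action=ex_save_template
// from any visitor. No capability check, no nonce (so even a logged-in-only
// registration would be CSRF-able), and the caller picks the file name, so
// "backdoor.php" lands in a web-served directory: arbitrary PHP execution.
add_action('wp_ajax_ex_save_template',        'ex_save_template_vulnerable');
add_action('wp_ajax_nopriv_ex_save_template', 'ex_save_template_vulnerable');

function ex_save_template_vulnerable()
{
    $name    = wp_unslash($_POST['name'] ?? 'template.txt');
    $content = wp_unslash($_POST['content'] ?? '');
    file_put_contents(plugin_dir_path(__FILE__) . 'templates/' . $name, $content);
    wp_send_json_success('saved');
}

// --- Hardened version ---------------------------------------------------
// Only the logged-in hook, a capability check, a nonce, and a file name the
// caller cannot steer (sanitize_file_name plus a forced .txt extension),
// written under uploads/. That the server refuses to execute PHP under
// uploads/ is an assumption about the deployment, not something WordPress
// enforces, which is why the extension is forced as well.
add_action('wp_ajax_ex_save_template', 'ex_save_template_hardened');
// Deliberately no wp_ajax_nopriv_ registration.

function ex_save_template_hardened()
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);           // ends the request
    }
    check_ajax_referer('ex_save_template', 'nonce');      // dies on a missing/bad nonce
    $name = sanitize_file_name(wp_unslash($_POST['name'] ?? ''));
    $name = preg_replace('/\.[^.]*$/', '', $name) . '.txt'; // drop any extension, force .txt
    if ($name === '.txt') {
        wp_send_json_error('bad name', 400);
    }
    $content = wp_unslash($_POST['content'] ?? '');
    $dir = trailingslashit(wp_upload_dir()['basedir']) . 'ex-templates/';
    wp_mkdir_p($dir);
    file_put_contents($dir . $name, $content);
    wp_send_json_success('saved');
}

// The legitimate caller (the plugin's own admin script) receives the nonce
// like this. A cross-site form cannot read it, which is what closes the CSRF
// route that the capability check alone does not.
add_action('admin_enqueue_scripts', function () {
    wp_enqueue_script('ex-admin', plugins_url('admin.js', __FILE__), ['jquery'], '1.0', true);
    wp_localize_script('ex-admin', 'exAjax', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('ex_save_template'),
    ]);
});
```

When reviewing a plugin, grep for wp_ajax_nopriv_ first: every callback registered there must be safe for an anonymous caller, and every wp_ajax_ callback that changes state needs both current_user_can() and a nonce check, since the first without the second is exactly the "authenticated RCE, also exploitable through CSRF" combination that recurs in the posts above.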

16 Jan 2019

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability in WP-Stateless

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through a recently added improvement to that we continue to find more remote code execution (RCE) related vulnerabilities, which isn’t a great sign for the security of WordPress plugins. This time it led to us finding an authenticated variant, which can also be exploited through cross-site request forgery (CSRF), that has been in the plugin WP-Stateless for six months.

Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly more serious vulnerable code). From there, if you are a paying customer of our service you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

30 Oct 2018

Vulnerability Details: Authenticated Remote Code Execution Vulnerability in Unyson

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability, and we will put out a post detailing the possible vulnerability that led to that, so that we can provide our customers with more complete information on the security of plugins they use.


[Read more]