12 Jun 2024

Privilege Escalation Vulnerability in Pretty Links

One of the changelog entries for the latest version of the WordPress plugin Pretty Links is “Security hardening.” Looking at the changes made, we found that a nonce check to prevent cross-site request forgery (CSRF) was added in the new version. Looking closer, we found that another security check was still missing and that the vulnerability that had existed didn’t just involve CSRF. We have notified the developer of the missing security check, which is also still missing in other similar code, and offered to help them address it.


[Read more]

11 Jun 2024

Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express

Over the weekend, a hacker attempted to exploit a SQL injection vulnerability on our website that turned out to be one recently fixed in the 90,000+ install WordPress plugin Icegram Express. We don’t use the plugin, so the exploitation attempt appears to be part of an untargeted attempt to exploit this.

Upon reviewing the relevant code, we found that it still isn’t properly secured, and neither is other, similarly accessed code. We have reached out to the developer about that. Based on the continued insecurity, we would recommend not using the plugin unless it has a more thorough security review and all the issues are addressed. [Read more]

10 Jun 2024

AI Helps Catch CSRF Vulnerability Being Introduced into 100,000+ Install WordPress Plugin Modula

Three years ago, a prominent WordPress security provider claimed that the increasing number of vulnerabilities claimed to be discovered in WordPress plugins was caused not by more vulnerabilities being introduced into them, but by better detection of old vulnerabilities, and that plugins were therefore getting more secure. It was a problematic claim to make at the time, as, among other reasons, their data source simply claims that vulnerabilities have existed in all versions of a plugin. (Their data source also counted a lot of fake claims of vulnerabilities.) It continues to be problematic, as the claimed number of vulnerabilities being discovered keeps increasing.

The reality here is that many developers of WordPress plugins are continuing to introduce new vulnerable code into their plugins. WordPress could take actions to significantly reduce that, but they are not. One method to limit the damage that those two problems cause is detecting vulnerabilities as they are being introduced into plugins. One method we have for doing that for our customers is a form of AI, machine learning. We now run all changes being made to plugins used by our customers through a machine learning based system trained to try to identify when vulnerabilities are introduced in those updates. That flagged a recent update to the 100,000+ install plugin Modula. In reviewing the changes made, we found that the developer had failed to include a basic security check in new code, leading to a cross-site request forgery (CSRF) vulnerability. Existing code looks to be similarly vulnerable. [Read more]

6 Jun 2024

400,000+ Install WordPress Plugin Formidable Forms Is Missing More Basic Security Checks

In January, because at least one of our customers was using the 400,000+ install WordPress plugin Formidable Forms, we looked into a changelog entry for the then latest version of the plugin that suggested a cross-site request forgery (CSRF) vulnerability had been fixed. We confirmed that the developer had indeed addressed an instance of CSRF, but we also found that code similar to what was being fixed was still vulnerable to that. It turns out that version had also added yet another instance of the issue. That is striking since protection against CSRF is a really basic element of securing a WordPress plugin, so not something that should be an issue with such a popular plugin. The additional instance has yet another missing basic security check as well.

Last week, a new version of the plugin was released. The update was flagged by our system that uses machine learning, a form of artificial intelligence (AI), to try to detect when vulnerabilities have been fixed, but haven’t been disclosed, in plugins used by our customers. We found a security change being made, which changed the following line that was previously bringing in user input without sanitizing it (which is yet another security issue): [Read more]

3 Jun 2024

Developer of Million+ Install WordPress Plugin Discloses Security Vulnerability Without Making Update Available

A lot of things can go wrong in trying to fix vulnerabilities in WordPress plugins, and sometimes things go wrong in an intentional way. That is the case with a vulnerability in the 1+ million install WordPress plugin Loco Translate. A week ago, the developer submitted a change for the plugin that fixes a vulnerability in the plugin. What they didn’t do was release a new version of the plugin so that those using the plugin can update to a fixed version. Sometimes developers forget to bump the version number of the plugin, causing that situation, but here the developer is making changes to the plugin publicly before releasing a new version. That isn’t a good idea for security vulnerabilities, since it is possible to monitor for security changes, as we do, and notice such a situation.

In the submission to fix the vulnerability, the developer wrote “Fixed a missing security check – thanks Nosa Shandy.” The referenced security check is a nonce check, which prevents cross-site request forgery (CSRF). CSRF would allow an attacker to cause someone else to take an action they didn’t intend to. The vulnerability being fixed allowed that to occur when changing or resetting the advanced configuration options of a plugin or theme translation bundle from the plugin. [Read more]

29 Feb 2024

AI Helps to Detect Incomplete Security Fix Being Made to 1+ Million Install WordPress Plugin WP File Manager

We often find that attempts to fix vulnerabilities in WordPress plugins have been incomplete or have failed entirely, including with vulnerabilities that hackers could certainly be targeting. For us to be able to find that, we have to know that a vulnerability was supposed to have been fixed. Developers don’t always disclose that vulnerabilities have been fixed. While that could be defensible in limited circumstances for serious vulnerabilities likely to be exploited, it usually isn’t that situation when it happens. One method we have to determine that an attempt has been made to fix a vulnerability is using machine learning, a form of artificial intelligence (AI), to try to detect relevant changes being made to the code of plugins in the WordPress Plugin Directory. That monitoring flagged just such a change made yesterday to the 1+ million install plugin WP File Manager. The changelog for the change wouldn’t suggest a security fix, as it reads, “Fixed Language issue.”

Looking at the changes made, it isn’t hard to see why it was flagged, as a nonce check, which prevents a type of vulnerability, cross-site request forgery (CSRF), was being added: [Read more]
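The WP File Manager and Loco Translate items above describe a nonce check being added to stop CSRF, the Pretty Links item describes a second check that was still missing (so the bug was more than CSRF), and the Formidable Forms item mentions user input being brought in without sanitization. The following is an added example, not code from any of those plugins, showing the shape of a WordPress admin action handler that has all three defects, beside a hardened version. The option name `example_api_key`, the action `example_save_settings`, the nonce field name `example_nonce` and the function names are made up for illustration.

```php
<?php
// Added illustration of a WordPress admin-post.php handler.
// All names below are hypothetical, not from any real plugin.

// ---- Vulnerable form: the pattern repeatedly found in the items above ----
function example_save_settings_vulnerable() {
    // No nonce check: a form on an attacker's page that posts to
    // admin-post.php?action=example_save_settings runs this in the
    // victim's logged-in session (CSRF).
    // No capability check: admin_post_* only requires *some* login, so a
    // subscriber-level account can call it directly (privilege escalation,
    // which a nonce check alone would not stop).
    // No sanitization: whatever was posted is stored as-is.
    update_option( 'example_api_key', $_POST['api_key'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );

// ---- Hardened form: authorization, intent, then sanitization ----
function example_save_settings_hardened() {
    // 1. Capability check: is this user allowed to change settings at all?
    //    This is the check that was still missing in the Pretty Links case.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), 403 );
    }

    // 2. Nonce check: did the request come from a form this site rendered for
    //    this user? check_admin_referer() calls wp_die() on failure, so no
    //    further code runs; if you use wp_verify_nonce() instead, you must
    //    act on its false return value yourself.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 3. Sanitize before storing. wp_unslash() undoes WordPress' magic-quotes
    //    style slashing; sanitize_text_field() strips tags and control chars.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';

    update_option( 'example_api_key', $api_key );

    wp_safe_redirect(
        add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) )
    );
    exit;
}
// In a real plugin only one of the two handlers would be hooked; the
// hardened one replaces the vulnerable one above.
remove_action( 'admin_post_example_save_settings', 'example_save_settings_vulnerable' );
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );

// The form must carry the matching nonce, or the hardened handler rejects
// even legitimate submissions. Output is escaped on the way out as well.
function example_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label for="example_api_key">API key</label>
        <input type="text" id="example_api_key" name="api_key"
               value="<?php echo esc_attr( get_option( 'example_api_key', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The order matters for the point made in the Pretty Links item: a nonce proves the request was intended by the user who submitted it, not that the user was entitled to the action, so adding only `check_admin_referer()` to a handler that lacks `current_user_can()` converts a privilege escalation bug into a still-exploitable one for any logged-in account that can obtain the form. For AJAX handlers hooked on `wp_ajax_*`, `check_ajax_referer()` plays the role of `check_admin_referer()` and the same capability check still applies.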

28 Feb 2024

WooCommerce Vulnerability Listed as Being Fixed in Upcoming Release Was Already Fixed

In January, multiple WordPress security providers falsely claimed that a vulnerability had been fixed in the WooCommerce plugin. The situation was made more problematic because one of them said it was fixed in a version of WooCommerce that was newer than the version currently available. This situation was partially caused by the developers of WooCommerce having included a changelog entry for a security improvement in the changelog for the wrong version of the plugin. That has happened again, only this time there really is a vulnerability, though a minor one, being fixed.

Yesterday, a beta version of WooCommerce 8.7.0 was submitted to the WordPress Plugin Directory. The changelog added for it suggests that it will be released on March 13. One of the entries was flagged by our systems as possibly referring to a fix for a vulnerability: [Read more]

20 Feb 2024

Cross-Site Request Forgery (CSRF) Vulnerability in IP2Location Country Blocker

The changelog for the latest version of the WordPress plugin IP2Location Country Blocker is “Fixed CSRF replace on API key value.” In looking into that, we found that there is still the same cross-site request forgery (CSRF) issue with a related function in the plugin.


[Read more]

7 Feb 2024

Nearly 10 Year Old Vulnerability Fixed in WordPress Security Plugin All-In-One Security (AIOS)

The changelog for the latest version of the 1+ million install WordPress security plugin All-In-One Security (AIOS) is:

SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records. [Read more]

2 Feb 2024

Cross-Site Request Forgery (CSRF) Vulnerability in Easy Digital Downloads

The changelog for the latest version of Easy Digital Downloads has a couple of entries that suggest that security changes have been made to the plugin. In looking over the changes that were made, we found an undisclosed minor vulnerability fix happening. As the relevant code was being moved and reformatted, it seems possible that this wasn’t addressed as a vulnerability fix, so it wasn’t mentioned in the changelog. Or it was being hidden (that happens, unfortunately). The vulnerability involved cross-site request forgery (CSRF) and we found an additional instance of it in similar code that still exists in the plugin. We have notified the developer of that and offered to help them fix it.


[Read more]