16 Nov 2023

1+ Million Install WordPress Plugin Duplicator Hardening Update Actually Fixes CSRF Vulnerability

One step WordPress could take to make it easier to see whether an update to a WordPress plugin is supposed to have fixed a security issue would be to require developers to include their changelog in the plugin's listing on the WordPress Plugin Directory. Right now that isn't the case, so there are plugins, including the 1+ million install plugin Duplicator, that require you to go elsewhere to check it. That also makes it harder to flag possible security updates in an automated fashion. As at least one of our customers uses that plugin, a monitoring system we have checks to see if the changelog has been updated. Today that alerted us to an update, which has this changelog: "[FIX] Implemented hardening for the plugin recommended by Dmitrii Ignatyev from Cleantalk". Checking on the changes, we found that isn't exactly an accurate description, as the hardening, as they put it, fixed a cross-site request forgery (CSRF) vulnerability.

That lack of clarity brings up another improvement that WordPress could make: a clear requirement as to how developers should disclose in the changelog that security issues are being fixed in their plugins. It isn't uncommon to find developers not disclosing security fixes at all, or doing so in a way that you wouldn't realize it was a security fix, as was twice the case with the same vulnerability in WooCommerce. [Read more]

15 Nov 2023

WooCommerce Extending Plugins Might Not Actually Be Written With All WordPress Security Standards in Mind

Recently the developer of a WordPress plugin that extends WooCommerce responded to a claim that their plugin contained a vulnerability by stating that the plugin has "no known vulnerabilities and is written with all wordpress security standards in mind taking precaution to avoid such an issue." Can you trust that sort of claim? In our years of experience, no. Plugin developers often make strong claims about their handling of security that turn out not to be true. That turned out to be the case with this plugin, WooCommerce Product Table Lite, as well. Those looking to make sure the plugins they use are actually secure should look for plugins that have had an independent security review done, or get one done for the plugins they rely on.

Like another plugin we discussed this week, where the developer had missed a vulnerability despite claiming to have done multiple audits, this situation involved a vague claim from a security provider named Patchstack that the plugin contained a cross-site request forgery (CSRF) vulnerability. This plugin did contain such an issue; it wasn't hard to find and involved a failure to implement basic security. After finding it, we contacted the developer. We let them know what appeared to be at issue, linked to the relevant WordPress documentation for addressing it, and offered to help them with the issue. They have now addressed the vulnerability. [Read more]

10 Nov 2022

Authenticated Settings Reset Vulnerability in WooCommerce Fraud Prevention Plugin

As detailed in a separate post, we took a look at the WordPress plugin WooCommerce Fraud Prevention Plugin after seeing it mentioned in a news story. We found it is insecure and that the insecurity leads to at least one vulnerability, as anyone logged in to WordPress can reset the plugin's settings.

The plugin registers the function wcblu_reset_settings() to be accessible through WordPress' AJAX functionality to anyone logged in to WordPress: [Read more]
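The plugin's own code is in the full post; the following is an added illustration (not the plugin's code, and not from the authors of this site) of the two checks a state-changing admin-ajax handler of this kind needs, a nonce against CSRF and a capability check against low-privileged users. All function, action and option names in it are hypothetical.

```php
<?php
// Added illustration (hypothetical names): a WordPress admin-ajax handler that
// resets plugin settings, first without protection and then hardened.

// Weak form: the wp_ajax_ prefix only requires a logged-in session, so any
// account, a subscriber included, can reach this action, and a request forged
// from another site can trigger it (CSRF) because nothing ties it to a page
// this site rendered for the user.
function example_reset_settings_unprotected() {
    delete_option( 'example_plugin_settings' );
    wp_send_json_success( 'settings reset' );
}
add_action( 'wp_ajax_example_reset_unprotected', 'example_reset_settings_unprotected' );

// Hardened form: the nonce proves the request originated from a page this site
// served to this user, and the capability check limits the action to users
// allowed to manage options.
function example_reset_settings_hardened() {
    // Dies with an error response if the 'nonce' parameter is missing or does
    // not match a nonce created for the 'example_reset_settings' action.
    check_ajax_referer( 'example_reset_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_option( 'example_plugin_settings' );
    wp_send_json_success( 'settings reset' );
}
add_action( 'wp_ajax_example_reset_hardened', 'example_reset_settings_hardened' );

// The admin page offering the reset button passes a matching nonce to the
// browser so the hardened handler can verify it.
function example_enqueue_reset_script() {
    wp_enqueue_script( 'example-reset', plugins_url( 'reset.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-reset', 'exampleReset', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_reset_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_reset_script' );
```

The nonce alone does not restrict who may act, and the capability check alone does not stop a forged request riding on an administrator's session, which is why a handler that changes settings needs both.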