22 Jan 2024

WordPress Plugin Developers Are Still Creating Vulnerabilities by Improperly Using the permission_callback for WordPress Rest API Endpoints

Back in November, the Automattic-owned WPScan claimed there had been a vulnerability in a plugin that extends the very popular ecommerce plugin WooCommerce, which is also owned by Automattic. WPScan only got around to releasing any information about the claimed vulnerability this month. When we went to check on that, we found that the relevant code is still vulnerable, though less vulnerable than it was before. If the developer of the plugin were properly implementing the built-in security when using WordPress’ REST API, they wouldn’t still have the vulnerability.

We are now four years in with the REST API being available in WordPress, but plugin developers are still not implementing a basic security element it introduced correctly. So it seems worth going through what is going wrong and how it can fairly easily be fixed.

13 Dec 2022

How to Properly Restrict Access to WordPress REST API Routes

The latest version of the WordPress plugin Download Monitor, which has 100,000+ installs, fixed a vulnerability, but the developer didn’t disclose that in the changelog. What makes the lack of disclosure stand out is that the developer had disclosed in the changelog for a recent version that they were fixing a security issue. The developer had attempted to address the vulnerability in that previous version, but the fix was incomplete. As at least one of our customers was using the plugin, we checked on the fix and noticed it was incomplete. After we notified the developer of that, they fixed it up. The failed fix involved a failure to properly use the built-in security functionality of WordPress’ REST API, so it seems worth looking at what went wrong and how other developers can avoid that.

Until the latest version of the plugin, three REST API routes providing access to reports from the plugin were registered with the permission_callback set to “__return_true”.

1 Nov 2022

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of Automattic, the company closely associated with WordPress, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that closely at the issue, as the plugin still has a closely related vulnerability.

According to the documentation for the plugin, it is maintained by WordPress VIP.

1 Nov 2022

Authenticated Information Disclosure Vulnerability in Co-Authors Plus

As detailed in a separate post, earlier this year it was disclosed that the WordPress plugin Co-Authors Plus had contained a vulnerability that disclosed email addresses through a REST API route. That is still possible through another REST API route.

In the file /php/class-coauthors-endpoint.php, a REST API route to search for coauthors is registered.

4 Jan 2022

Misuse of WordPress REST API Permission Callback Leads to Privilege Escalation Vulnerability in OMGF

Last week someone posted on the wordpress.org support forum for the WordPress plugin OMGF about a claimed security vulnerability in the plugin. A moderator deleted that posting. The plugin hasn’t been updated, so either there wasn’t a vulnerability or the moderator hasn’t made sure it was addressed. So deleting the topic seems problematic.

After being notified about the deletion of that topic, we checked over the plugin for obvious security issues and found that the plugin does contain a vulnerability. The vulnerability would allow anyone logged in to WordPress to utilize the plugin’s capability to download fonts. It looks like that could be abused to fill up all the disk space available to the website, by downloading many copies of a font and having them saved in directories with different names.

4 Feb 2019

The WordPress REST API Opening Up New Front for Security Vulnerabilities in WordPress Plugins

When it comes to the causes of security vulnerabilities in WordPress plugins, we haven’t seen something truly new for some time, so it is notable that we have recently started seeing a pickup of one: vulnerabilities that are exploitable through WordPress’ REST API. The vulnerabilities are not caused by the REST API, but increasing usage of it in plugins is making more code accessible through it that isn’t properly secured. The API was introduced in WordPress 4.4, which was released back in December 2015, so this comes with a bit of delay (maybe because developers were waiting until there was wide adoption of WordPress versions that supported it).

Right now we are continuing to evaluate how to respond to this in terms of things like our Plugin Security Checker and the security reviews we do of plugins. For the latter, we are going to start checking over this type of code during upcoming reviews to get a better idea of what is going on, before considering officially adding any checks related to it to our reviews.

16 Jan 2019

Vulnerability Details: Privilege Escalation in SG Optimizer

It probably shouldn’t come as a surprise that a web host that has partnered with the security company Sucuri, which doesn’t seem to understand security, doesn’t really have much concern for the security of its customers. Unfortunately, with the poor state of WordPress leadership, it probably isn’t surprising either that said web host is one of three recommended by WordPress, despite the web host’s lack of concern for its customers’ security. That web host is SiteGround and the plugin is SG Optimizer.
