21 Feb 2024

Privilege Escalation Vulnerability in Brave Conversion Engine

One of the changelog entries for the latest version of the Brave Conversion Engine is “Fixed: SSFR vulnerability.” That is presumably a reference to a server-side request forgery (SSRF) vulnerability. Looking into it, the SSRF element appears to be limited, but there is still a related vulnerability that hasn’t been resolved. We have reached out to the developer about that and offered to help them address it.


[Read more]

30 Nov 2022

Server-Side Request Forgery (SSRF) Vulnerability in UpdraftCentral Dashboard

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious vulnerability, a server-side request forgery (SSRF) vulnerability, being introduced into the plugin UpdraftCentral Dashboard.

We are now also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

21 Mar 2019

Full Disclosure of Settings Change/Persistent Cross-Site Scripting (XSS) Vulnerability in Social Warfare

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities, we review a lot of code that ends up not being vulnerable. So even when flagged code looks rather concerning, it doesn’t initially raise a lot of concern for us, even when, as with the code flagged in the plugin Social Warfare, which we will get to in a moment, it indicates there might be a very serious vulnerability. When we checked over the rest of the code related to the flagged code in that plugin, we found that the plugin allows anyone to change the plugin’s settings, and that could be used to cause persistent cross-site scripting (XSS), which is just the sort of vulnerability hackers have shown a lot of interest in recently. The plugin has 70,000+ active installations according to wordpress.org, which makes it all the more likely that this would be exploited.

Our Plugin Security Checker flags the same code as possibly being vulnerable, though it gets flagged by that for a less serious issue, server-side request forgery (SSRF). [Read more]

25 Feb 2019

Closed Popular WordPress Plugin Essential Addons for Elementor Contains an Authenticated SSRF Vulnerability

Last week two of the 1,000 most popular WordPress plugins were closed, and we found that both of them contained security vulnerabilities that seemed unrelated to the closure. That doesn’t paint a great picture of the security of WordPress plugins, or of the concern for security among the people running the WordPress Plugin Directory. It’s now a new week and the story continues. Earlier today another one of the 1,000 most popular plugins, Essential Addons for Elementor, which has 100,000+ installs, was closed. Since then a couple of updates have been made to the plugin, which may or may not be related to the closure. We didn’t see any obvious security changes in those updates, so we checked whether any obvious security issues remain in the latest version, since we are interested in warning our customers if they are using vulnerable plugins. A few checks in, we found multiple security issues with the plugin; for now we will detail an authenticated server-side request forgery (SSRF) vulnerability, which can also be exploited through cross-site request forgery (CSRF).

If the developer or someone else wants the plugin more fully reviewed for security, we offer security reviews for a fee (and also allow customers of our main service to suggest/vote for plugins to get a review from us for no additional fee). [Read more]
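The two vulnerability patterns described in this entry (an authenticated SSRF that is also reachable through CSRF) and in the Social Warfare entry above (a settings change open to anyone) usually come down to the same missing checks in a plugin’s request handler. The following is an added illustration written for this page, not code from Essential Addons for Elementor, Social Warfare or any other plugin; it assumes it is loaded inside a WordPress install, and every function and action name other than the WordPress core APIs (`check_ajax_referer`, `current_user_can`, `wp_http_validate_url`, `wp_safe_remote_get`, etc.) is hypothetical. The allow list host is likewise a placeholder.

```php
<?php
// Hypothetical plugin code (added example, not any real plugin's code).
// Assumes WordPress is loaded; "example_*" names are invented for illustration.

// --- Vulnerable pattern -------------------------------------------------------
// Hooked only on wp_ajax_ (not wp_ajax_nopriv_), so the caller must be logged
// in, which is what makes this "authenticated". But there is no capability
// check, so any subscriber can call it directly, and no nonce check, so any
// logged-in user can be made to call it from an attacker's page (CSRF). The
// URL is fetched exactly as supplied, so the server can be pointed at internal
// hosts such as 127.0.0.1 or cloud metadata endpoints (SSRF).
function example_vulnerable_fetch() {
    $url  = isset( $_POST['url'] ) ? $_POST['url'] : '';
    $resp = wp_remote_get( $url );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message() );
    }
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}
add_action( 'wp_ajax_example_vulnerable_fetch', 'example_vulnerable_fetch' );

// --- Hardened pattern ---------------------------------------------------------
function example_hardened_fetch() {
    // 1. CSRF: the request must carry a nonce tied to this specific action.
    //    check_ajax_referer() dies with a 403 when the nonce is missing/invalid.
    check_ajax_referer( 'example_fetch', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability
    //    appropriate to the action (the same check a settings update needs).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. SSRF: only http/https, no credentials in the URL, and no loopback or
    //    private-range hosts. wp_http_validate_url() resolves the host and
    //    rejects those ranges.
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( ! wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 4. Tighter still: restrict to the hosts the feature actually needs.
    //    Hypothetical allow list; a real plugin would name its own upstream.
    $allowed_hosts = array( 'api.example.com' );
    $host          = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'host not allowed', 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, which re-runs
    // wp_http_validate_url(); redirects are disabled so a permitted host
    // cannot bounce the request to an internal one.
    $resp = wp_safe_remote_get(
        $url,
        array( 'timeout' => 5, 'redirection' => 0 )
    );
    if ( is_wp_error( $resp ) ) {
        wp_send_json_error( $resp->get_error_message() );
    }
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}
add_action( 'wp_ajax_example_hardened_fetch', 'example_hardened_fetch' );
```

Two caveats for anyone using this as a checklist. The nonce only protects against CSRF; without the capability check, a low-privileged account can still call the handler with a valid nonce of its own. And `wp_http_validate_url()` resolves the hostname at validation time, so a host whose DNS answer changes between the check and the actual connection (DNS rebinding) can still slip through, which is why the allow list of known hosts is the stronger control.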

31 Oct 2018

Full Disclosure of CSRF/SSRF Vulnerability in WordPress Plugin With 800,000+ Installs

One of the impediments we see to improving the security of WordPress plugins (as well as security in general) is that security journalists don’t provide a good picture of what is and isn’t going on, so others don’t understand what actually needs to be done to improve the situation. One recent example comes from Catalin Cimpanu at ZDNet’s Zero Day blog, who put forward this one-sided (at best) portrayal of the handling of the security of WordPress plugins by the people on the WordPress side of things:

Campbell says the WordPress team has been collaborating with the authors of the most popular plugins on its Plugins repository. It’s been helping these plugins follow best coding practices. [Read more]