Some WordPress Plugin vulnerabilities we’ve published recently

Most of my time recently has been spent on WordPress plugin security, and I'd like to look at some of the security issues and themes I've come across.

One of my day-to-day responsibilities is quality assurance and publication of the security vulnerability reports we produce as a result of the plugin reviews we do for our clients. This post talks about some of them.

Another is monitoring lots of feeds for plugin security vulnerabilities and adding them to our database – I’ll talk about that in a future post.

Advisories published by dxw

A security advisory is a technical report of a security issue, designed to help other people reproduce the issue and to explain to the author what they need to fix.

We follow a process called responsible disclosure, which involves reporting issues privately before publishing an advisory. Because of this, all of the following vulnerabilities have been fixed by the plugin authors in the latest version:

Reflected XSS in GD bbPress Attachments (details)

GD bbPress Attachments is an extension to the popular bbPress forum plugin which adds the ability to upload files.

This plugin contains a security weakness that allows an attacker to get full control over the admin pages of a website by injecting JavaScript code into them.

An attacker would be able to automate anything an admin could do, for example creating and deleting user accounts and creating and deleting content. There would be almost no way to tell that this was happening.

Caveats

For this to happen, the administrator would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing – for example by imitating a spam notification.

It should be noted that some browsers (including Google Chrome) have built-in protection against this sort of attack.

Reflected XSS in The Events Calendar: Eventbrite Tickets (details)

The Events Calendar: Eventbrite Tickets is a paid extension to the Events Calendar plugin which adds functionality to sell tickets through Eventbrite.

It’s vulnerable to almost exactly the same issues as GD bbPress Attachments was.

CSRF and arbitrary file deletion in BuddyPress Activity Plus (details)

BuddyPress Embed Activity extends the BuddyPress social networking plugin to add features for embedding video and other media.

This plugin contains a security weakness that allows an attacker to delete files from the server. For this to happen, a logged-in user would have to be tricked into clicking on a link controlled by the attacker. It is easy to make these links very convincing.

Depending on how the server is configured, the attacker might be able to delete critical system files, but even on a tightly secured server they would be able to delete files from the Uploads directory.
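To show what the fix for this class of bug looks like in a WordPress plugin, here is an added example (not code from BuddyPress Activity Plus or from dxw): an admin-ajax file-deletion handler in the unsafe shape the advisory describes, followed by a hardened version that adds a nonce, a capability check and confinement to the uploads directory. The function and action names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Function and action names are assumed.

// VULNERABLE: no nonce (so a CSRF link works), no capability check, and the
// path comes straight from the request, so any file the web server user can
// write is at risk, not just uploads.
function example_delete_file_unsafe() {
    $path = $_REQUEST['file'];
    unlink( $path );
    wp_die();
}
add_action( 'wp_ajax_example_delete_unsafe', 'example_delete_file_unsafe' );

// HARDENED: the request must carry a valid nonce, the user must be allowed to
// manage uploads, and the resolved path must stay inside wp_upload_dir().
function example_delete_file_safe() {
    // 1. CSRF: reject requests without a nonce issued for this action.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorisation: not every logged-in user should delete uploads.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Path confinement: resolve '..' and symlinks before comparing.
    $rel = (string) ( $_POST['file'] ?? '' );
    if ( '' === $rel || false !== strpos( $rel, "\0" ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $target  = realpath( $base . '/' . $rel );

    if ( false === $base || false === $target
         || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    if ( ! is_file( $target ) || ! unlink( $target ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_safe', 'example_delete_file_safe' );

// The matching nonce is emitted where the delete form or link is rendered:
//   wp_nonce_field( 'example_delete_file', 'nonce' );
```

The nonce defeats the "trick a logged-in user into clicking a link" step, and the realpath prefix check is what turns "delete files from the server" into, at worst, "delete a file in the Uploads directory".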

The importance of inspecting plugin code

These vulnerabilities were all discovered as a result of code inspections of plugins our clients wanted to use. Checking the popularity and reviews of a plugin can be a very rough guide to security, as can assessing how responsive the maintainers are.

However, vulnerabilities are frequently discovered even in very popular plugins, so if a compromise of your site would have any significant impact, it's important to have someone who understands security inspect the code of plugins before you use them.

You should also consider arranging for regular penetration testing of your site and its infrastructure.

We offer a ‘security healthcheck’ service which addresses these points and more. If you’re a public sector organisation, you can procure it through our G-Cloud listing on the digital marketplace.