29 September 2021 at 12:24 UTC
Updated: 29 September 2021 at 15:41 UTC
Researchers claim five plugins use the function insecurely – but some maintainers disagree
UPDATED A hugely popular GDPR compliance plugin for WordPress contained an authenticated, persistent cross-site scripting (XSS) vulnerability related to the insecure use of PHP’s extract() function, according to security researchers.
As a result, the CookieYes GDPR Cookie Consent & Compliance Notice plugin, which has a couple of million active installations, no longer uses the function in the shortcodes module, as per a software update released today (September 29).
In a blog post published on September 24, Plugin Vulnerabilities, a WordPress security service, said it examined the 100 most popular plugins in the WordPress Plugin Directory for related issues and identified five in total that used the function insecurely.
The function imports variables into the local symbol table from an array, converting array keys into variable names and array values into variable values.
The researchers claim the five plugins use “extract() on user input in the form of shortcode attributes”, thereby contravening PHP documentation, which warns developers not to “use extract() on untrusted data, like user input (e.g. , )”, as well as WordPress coding standards, which advise against using the function at all.
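The following is an added illustration, not code from any of the plugins named in this article: a hypothetical shortcode handler that calls extract() on its attributes, shown beside a version that only accepts a known attribute and escapes it at output. The attribute names, defaults and sample input are constructed for the example.

```php
<?php
// Hypothetical shortcode handler (constructed example, not from CookieYes, Jetpack,
// ACF, MetaSlider or Ocean Extra). Demonstrates why extract() on shortcode
// attributes is risky and what an explicit-assignment alternative looks like.

// Risky pattern: extract() turns every attribute key into a local variable, so an
// attribute named like one of the handler's own variables silently overwrites it.
function banner_shortcode_unsafe(array $atts): string {
    $escape_output = true;          // internal flag the author expects to control
    $message = 'We use cookies.';   // default banner text
    extract($atts);                 // 'escape_output' or 'message' keys clobber the above
    if ($escape_output) {
        $message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    }
    return '<div class="banner">' . $message . '</div>';
}

// Hardened pattern: keep only the attributes the handler actually supports, assign
// them explicitly, and escape at the point of output. array_intersect_key() mirrors
// the whitelisting that WordPress's shortcode_atts() performs.
function banner_shortcode_safe(array $atts): string {
    $defaults = ['message' => 'We use cookies.'];
    $atts = array_merge($defaults, array_intersect_key($atts, $defaults));
    $message = htmlspecialchars((string) $atts['message'], ENT_QUOTES, 'UTF-8');
    return '<div class="banner">' . $message . '</div>';
}

// Constructed sample attributes, as a user with permission to insert shortcodes
// might supply them: markup in the text plus a key that disables escaping.
$atts = ['message' => '<b>unescaped</b>', 'escape_output' => '0'];
echo banner_shortcode_unsafe($atts), PHP_EOL; // <div class="banner"><b>unescaped</b></div>
echo banner_shortcode_safe($atts), PHP_EOL;   // <div class="banner">&lt;b&gt;unescaped&lt;/b&gt;</div>
```

The unsafe variant fails for two independent reasons: the attribute value reaches the page unescaped, and a second attribute can turn the escaping logic off entirely, which is what makes explicit assignment preferable to any flag-based filtering of extract().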
They first started investigating after the function surfaced in a July blog post in which a Jetpack security researcher analyzed a local file inclusion vulnerability in WooCommerce Currency Switcher.
Plugin security audit
In a subsequent blog post, published on September 16, Plugin Vulnerabilities then claimed that Jetpack itself, the most popular WordPress security plugin with more than 5 million installs, also used extract() insecurely.
Steve Seear, Jetpack product engineering lead, told The Daily Swig: “We haven’t been able to identify any exploitable issues relating to the use of the extract() function in the Jetpack plugin. However, we have reevaluated the use of extract() and have decided to remove all calls to that function in the next release of Jetpack.”
The researchers have since disclosed that the issue was also present in the Advanced Custom Fields plugin, which has more than two million installs, and WordPress slider plugin MetaSlider, which is used by 700,000 websites.
The maintainers of Advanced Custom Fields told The Daily Swig: “We’ve confirmed our use of extract is limited to places where user input cannot cause any security issues. That said, we’re still planning to remove the few instances of extract left in ACF’s codebase in an upcoming release.”
The maintainers of MetaSlider have yet to respond to our queries, but we will update this article if and when they reply.
OceanWP refutes claims
The XSS flaw in CookieYes GDPR relates to a lack of validation or sanitization of user input, said Plugin Vulnerabilities.
In yet another blog post, published on Monday (September 28), Plugin Vulnerabilities claimed to have found effectively the same bug in Ocean Extra, a companion to the OceanWP theme with more than 700,000 installs.
However, a developer and customer support manager for OceanWP has refuted claims that Ocean Extra misuses extract().
“The extract method has been used in accordance with its purpose – to assign each array key a variable position, to put it in layman’s terms,” he told The Daily Swig.
He said the WordPress prohibition of extract() relates to debugging problems on the WordPress platform itself that don’t apply to Ocean Extra “since we’ve used it only in conjunction with shortcodes where all values are predefined”.
He also points out that Ocean Extra has not been red-flagged by iThemes’ weekly rundown of WordPress vulnerabilities because “they involve a human factor before making any reports”, and that OceanWP’s use of extract() can reveal whether Plugin Vulnerabilities’ claims have any merit.
He said OceanWP has not been contacted directly by Plugin Vulnerabilities over the issue.
Plugin Vulnerabilities’ latest blog post includes a screenshot of a post they submitted to the WordPress Support Forum notifying Ocean Extra maintainers of the supposed vulnerability post-disclosure.
This article was updated on September 29 with a response from the Jetpack security team.