In this episode we discuss data breaches and how weak the security of many open source programs is, especially WordPress plugins maintained by a single person. We also cover cionews.com, Yoast SEO, On The Go Systems' premium plugin WPML and plenty more.
WPML, owned by On The Go Systems, is stellar, beyond stellar. They care deeply about security and will help all customers, including current paying customers and those who are no longer paying, when a severe threat emerges. Did we work with them to improve their security? Yes, we did, but that isn't the point; the point is how they handled the security issues and how well they treat their customers.
On The Go Systems makes many WordPress plugins, and while we haven't reviewed them all, we can say that security is a high priority for them, which says a lot about a company. They care about giving their users a good experience, both in usability and in security.
We asked Amir Helzer, the owner of On The Go Systems, for his view on customer usability and security, and this is a quote directly from him:
"We treat security as an ongoing effort. Ryan helped boost the security of our plugins and helped keep them secure. We started with an initial review, which uncovered a number of issues to handle. Then we kept working with Ryan to maintain the security of our plugins as we released new versions and as WordPress updated the general security advice for the entire project. The cost of the security review was little compared to the damage to ourselves and our clients that we avoided by not leaving security exploits in our products."
SiteOrigin Widgets Bundle is used on over one million sites and is the newest WordPress plugin we have patched and offer for sale, because it has vulnerabilities that cannot be ignored, and certainly would not be ignored by a criminal who wanted to get into your site.
SiteOrigin Widgets Bundle has a lot of vulnerabilities, and today we patched the most severe one. Based on our code review, this vulnerability would allow attackers to inject malicious code into the website, deface the site and cause other damage. This bug, along with a few others, is now patched.
What does this mean to me?
It means that, according to our code review, anyone could damage your website's brand and cause you a serious headache. We patched the most severe vulnerability we found and have made the patched version available to you; it is far more secure than the free version of SiteOrigin Widgets Bundle.
Update: on further review we stand by this post, but with the following annotation: the severity of this issue may be lower than originally thought. We are continuing our evaluation and will post our findings.
Update: we have completed our review of the code shown in the screenshot in this post. While we identified variables that would lead to severe vulnerabilities, we have not been able to find any use of the vulnerable variables. The classes are still vulnerable and need to be updated, but the severity of this particular problem is low.
The WordPress plugin OptinMonster API has left over 500 thousand sites vulnerable to a security flaw. Thankfully we have a fix you can buy for this one vulnerability.
During our code review we found that the admin area is guarded by the WordPress function is_admin(), a widely misunderstood function. is_admin() only reports whether the current request is for an admin-area URL (anything under /wp-admin/, including admin-ajax.php, which WordPress serves to logged-out visitors); it says nothing about whether the user is an administrator, or even logged in. So admins and unauthenticated visitors alike can reach the OptinMonster API code behind it. What does this mean to you, the user? It means you can access the admin features, but so can criminals.
What does OptinMonster protect with is_admin()? At first glance it is just one line of code, so how bad could that be? It turns out that this one line, as you can see in the screenshot, calls almost all of the rest of the code in the plugin.
Yes, that one line, load_admin, loads everything that should be administrator-only, but is instead accessible to all.
As you can see above, the administrator menu, the admin actions, the reviews the admin has access to, the welcome page, the site content and the ability to save content, among other things, are reachable by anyone, logged in or not, including any bot that hits the site. This is a severe vulnerability exposing the admin side of your site, so we have written a patch for this one vulnerability in the WordPress plugin OptinMonster, also known as OptinMonster API. You can buy the more secure version of the plugin on our site. We may patch more vulnerabilities in this plugin, but our version is currently more secure than what is available, and we can continue to update it.
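To make the is_admin() mistake concrete, here is an added illustration in PHP. It is not OptinMonster's code: the acme_* function names, the acme_site_content option and the acme_action/content request fields are hypothetical. The first half gates a privileged save handler on is_admin() alone; the second gates the same handler on what actually matters, the current user's capability, plus a nonce and input sanitization.

```php
<?php
/*
 * Added illustration, not OptinMonster's code. All acme_* names and the
 * 'acme_site_content' option are hypothetical.
 *
 * is_admin() answers "is this request for an admin-area URL?" (anything
 * under /wp-admin/, including admin-ajax.php and admin-post.php, which
 * WordPress serves to logged-out visitors). It never looks at who the
 * user is, so it is a routing hint, not an authorization check.
 */

// VULNERABLE: the privileged handler is wired up whenever is_admin() is true.
function acme_load_admin_insecure() {
    if ( is_admin() ) {
        // admin_init also fires for /wp-admin/admin-ajax.php, before WordPress
        // checks whether an AJAX action exists, so this handler runs for an
        // unauthenticated POST to that endpoint.
        add_action( 'admin_init', 'acme_handle_save_insecure' );
    }
}

function acme_handle_save_insecure() {
    if ( isset( $_POST['acme_action'] ) && 'save' === $_POST['acme_action'] ) {
        // No capability check and no nonce: anyone can overwrite site content.
        update_option( 'acme_site_content', wp_unslash( $_POST['content'] ) );
    }
}

// HARDENED: is_admin() may still be used to skip front-end work, but the
// handler itself decides based on the user's capability, not the URL.
function acme_load_admin_secure() {
    if ( is_admin() ) {
        add_action( 'admin_init', 'acme_handle_save_secure' );
    }
}

function acme_handle_save_secure() {
    if ( ! isset( $_POST['acme_action'] ) || 'save' !== $_POST['acme_action'] ) {
        return;
    }
    // Authorization: only users allowed to manage the site get past this line.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.', '', array( 'response' => 403 ) );
    }
    // Intent: the request must carry a nonce issued to this user for this
    // action (check_admin_referer() calls wp_die() if it is missing or wrong).
    check_admin_referer( 'acme_save_content', 'acme_nonce' );
    // Input: strip the slashes WordPress adds, then keep only post-safe HTML.
    $content = wp_kses_post( wp_unslash( $_POST['content'] ) );
    update_option( 'acme_site_content', $content );
}

add_action( 'plugins_loaded', 'acme_load_admin_secure' );
```

The check to grep for when auditing a plugin is therefore not whether is_admin() appears, but whether every handler behind it calls current_user_can() (or is hooked only to wp_ajax_* rather than wp_ajax_nopriv_*) before doing anything privileged.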
For premium customers we provide updates for any plugin with over 500 thousand users; all they have to do is tell us which popular plugins they use and we will check their security.
Update: a new version of Paid Memberships Pro has been released to the WordPress repository, fixing the CSRF-to-stored-XSS issue written about below; anyone using Paid Memberships Pro 1.9.2 or lower is still vulnerable. The SQL injections still exist in many areas of the code, though some areas, which we had not yet reviewed, are protected. That two issues were fixed so quickly by the developer does show improvement.
Paid Memberships Pro is a WordPress plugin that helps people buy your products and/or services and is used on over 50 thousand sites; sadly, its security is lacking. While reviewing the plugin we discovered it is vulnerable to everything from SQL injection and CSRF to stored XSS. While our information is usually restricted to paying customers, we decided it was in the best interest of the WordPress community to disclose these flaws publicly. As always, Jetpack, which is owned by Automattic, reports this plugin as safe, because of the flawed way Jetpack decides whether something is safe, which sadly gives users a false sense of security.
We reported Paid Memberships Pro to the WordPress security team, who removed the plugin from the WordPress repository. Unfortunately, removing a plugin from the repository does not help the users who already have it installed. Because of this we believe public disclosure is best, especially since rewriting the plugin to fix all of its issues in a timely manner would take a team of several people working solely on that project.
How is the WordPress plugin Paid Memberships Pro vulnerable to SQL injection?
This is a good question for those who are not used to security issues, and the answer is simple. The developer either did not know about SQL injection or did not know what to do about it. The code builds and executes SQL queries with little or no protection against SQL injection: values taken from the request are placed directly into the query string rather than being bound through placeholders (in WordPress, $wpdb->prepare()). Put simply, data going into the database was not protected, so a criminal or a researcher can manipulate data in the WordPress database, read all of it, or do whatever else they like.
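Here is an added illustration, in PHP, of what "little to no protection" looks like in WordPress database code and how $wpdb->prepare() closes it. This is not Paid Memberships Pro's code; the table names (acme_levels, acme_memberships), columns and acme_* functions are hypothetical.

```php
<?php
/*
 * Added illustration, not Paid Memberships Pro's code. Table, column and
 * function names (acme_*) are hypothetical.
 */

// VULNERABLE: request data concatenated straight into SQL.
function acme_get_level_insecure( $level_name ) {
    global $wpdb;
    $sql = "SELECT id, name, price FROM {$wpdb->prefix}acme_levels "
         . "WHERE name = '" . $level_name . "'";
    // A value such as   x' OR 1=1 --   changes the query's meaning, and a
    // UNION SELECT can pull other tables (users, options) into the result set.
    return $wpdb->get_results( $sql );
}

// HARDENED: placeholders. prepare() escapes and quotes each value for %s,
// and casts to an integer for %d, so input can never become SQL syntax.
function acme_get_level_secure( $level_name ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name, price FROM {$wpdb->prefix}acme_levels WHERE name = %s",
        $level_name
    ) );
}

function acme_memberships_for_user_secure( $user_id, $limit ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT level_id, start_date FROM {$wpdb->prefix}acme_memberships
         WHERE user_id = %d ORDER BY start_date DESC LIMIT %d",
        $user_id,
        $limit
    ) );
}

// LIKE patterns need two steps: escape the wildcards, then bind the value.
function acme_search_levels_secure( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}acme_levels WHERE name LIKE %s",
        $like
    ) );
}

// Caveat: prepare() cannot bind identifiers (table or column names) or the
// ORDER BY direction. Those must be whitelisted against fixed values.
function acme_sort_column( $requested ) {
    $allowed = array( 'id', 'name', 'price' );
    return in_array( $requested, $allowed, true ) ? $requested : 'id';
}
```

When reviewing a plugin, search for $wpdb->query, get_results, get_var and get_row calls whose SQL string is built with "." concatenation or "{$var}" interpolation of anything that did not come from prepare(); each one is a candidate for exactly the problem described above.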
How is Paid Memberships Pro vulnerable to CSRF leading to stored XSS?
First, it is important to explain that cross-site request forgery (CSRF) and stored cross-site scripting (XSS) are two separate vulnerabilities which, chained together, do far more damage to a site. CSRF lets a researcher or criminal copy a form (or any other request that should be protected by a CSRF token) onto a website they control and then trick a user into visiting it; the victim's browser submits the request with the victim's own cookies, so they unknowingly and unwittingly make a change on their own website. In this case the victim had to be logged in as an admin and be tricked into visiting the attacker's page or clicking a damaging link. In Paid Memberships Pro the form in question is also vulnerable to stored XSS. Stored XSS lets an attacker inject their own script into a page that the site later serves to other people; whether that script does damage is entirely up to the attacker. In this case it defaced the admin panel for the logged-in admin and the public site for ordinary visitors, and because script running in an admin's browser can do anything the admin can, it would have let the attacker easily take control of the entire WordPress site and damage the users and the company's brand.
Here is an image of the stored XSS in Paid Memberships Pro, where we simply made it display the number 1 to demonstrate that script could be run. For those who are not familiar with this: any script, malicious or otherwise, could have been run instead.
Where is the WordPress plugin Paid Memberships Pro vulnerable to CSRF leading to stored XSS?
Step 1: Log in as an admin and go to the admin panel.
Step 2: Go to Memberships and click "Add New Membership Level".
Step 3: Note that this form has no CSRF protection (no nonce), so a copy of it on an attacker's site will be accepted by WordPress when an admin submits it.
Step 4: In the Name parameter enter '"><Script>alert`1`</script> and save. The value is stored unescaped and rendered back into the page, producing the alert shown above.
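Putting the explanation above and the four steps together, here is an added illustration in PHP of an "add level" admin form that has both defects, beside a fixed version. It is not Paid Memberships Pro's code; the admin page slug, the acme_levels option and the acme_* function names are hypothetical.

```php
<?php
/*
 * Added illustration, not Paid Memberships Pro's code. The page slug
 * (acme_add_level), the 'acme_levels' option and acme_* names are hypothetical.
 */

// VULNERABLE: no nonce in the form, no nonce check on save, raw echo on display.
function acme_render_add_level_insecure() {
    echo '<form method="post">';
    echo '<input name="level_name">';                      // no wp_nonce_field()
    echo '<input type="submit" name="acme_add_level" value="Add">';
    echo '</form><ul>';
    foreach ( (array) get_option( 'acme_levels', array() ) as $name ) {
        echo '<li>' . $name . '</li>';                    // stored XSS: script in $name runs
    }
    echo '</ul>';
}

function acme_save_level_insecure() {
    if ( ! isset( $_POST['acme_add_level'] ) ) {
        return;
    }
    // No check_admin_referer(): a page on any origin can auto-submit this POST
    // and the browser attaches the logged-in admin's cookies (CSRF), e.g.
    //   <form action="https://victim.example/wp-admin/admin.php?page=acme_add_level" method="post">
    //     <input name="level_name" value="PAYLOAD">   <!-- the step 4 string, attribute-encoded -->
    //     <input name="acme_add_level" value="1">
    //   </form><script>document.forms[0].submit()</script>
    $levels   = (array) get_option( 'acme_levels', array() );
    $levels[] = wp_unslash( $_POST['level_name'] );        // stored verbatim
    update_option( 'acme_levels', $levels );
}

// HARDENED: nonce on the form, capability + nonce check on save, escaped output.
function acme_render_add_level_secure() {
    echo '<form method="post">';
    wp_nonce_field( 'acme_add_level', 'acme_nonce' );      // per-user, per-action, expiring token
    echo '<input name="level_name">';
    echo '<input type="submit" name="acme_add_level" value="Add">';
    echo '</form><ul>';
    foreach ( (array) get_option( 'acme_levels', array() ) as $name ) {
        // Escape for the HTML-body context at output time. This also neutralizes
        // anything stored before the fix, which sanitizing on input cannot do.
        echo '<li>' . esc_html( $name ) . '</li>';
    }
    echo '</ul>';
}

function acme_save_level_secure() {
    if ( ! isset( $_POST['acme_add_level'] ) ) {
        return;
    }
    // A nonce proves intent, not permission: keep the capability check as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_add_level', 'acme_nonce' );  // wp_die()s on a missing or forged nonce
    $name = sanitize_text_field( wp_unslash( $_POST['level_name'] ) );
    if ( '' === $name ) {
        return;
    }
    $levels   = (array) get_option( 'acme_levels', array() );
    $levels[] = $name;
    update_option( 'acme_levels', $levels );
}
```

Two points worth keeping in mind when applying this pattern: a WordPress nonce is tied to the logged-in user and the action name and expires within a day, so the attacker's copied form cannot carry a valid one, but it says nothing about whether the user is allowed to act, which is why current_user_can() stays; and the escaping function must match the output context (esc_html() in element content, esc_attr() inside attributes, esc_url() for href/src), since the wrong one leaves the injection open.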
What should you do to protect yourself? At this time the only options are to switch plugins or have your team rewrite the plugin's code, which is quite a task. (As noted in the update above, versions after 1.9.2 fix the CSRF-to-stored-XSS issue, but the SQL injections remain.)
The best way to help protect other users is to share this article and alert them to this problem. If you want access to more WordPress security alerts and informative articles like this one, you will want access to our WordPress Plugin Security alerts. For those who pay for access, we will be doing write-ups on a plugin affecting over 200 thousand sites and another that affects 3 million sites. We have yet to build our automated WordPress security plugin tool that posts to WordPress automatically, so in the meantime we will provide updates for our customers often.