The last few months have seen a significant uptick in WordPress plugin vulnerabilities, and judging by advisories issued this week regarding another pair of insecure plugins, the trend will likely continue for the time being.
The first vulnerability, discovered by security firm High Tech Bridge, exists in eShop, a shopping cart plugin for the content management system. According to WordPress’ plugin directory, despite boasting more than 10,000 active installs and more than 600,000 downloads, eShop hasn’t been updated in nearly two years.
An insufficient validation issue in eShop’s HTTP cookie is the problem here. The cookie’s user-supplied input could be exploited by an attacker to overwrite arbitrary PHP variables, which could lead to full path disclosure and cross-site scripting.
Researchers at High Tech Bridge discovered the bug on April 15 and made three attempts to contact the plugin’s author, Rich Pedley, but have failed to receive a reply back. Questions posed by the plugin’s users have gone unanswered in its forum, and eShop’s last update, version 6.3.11, came 20 months ago, suggesting there won’t be a fix for the issue anytime soon.
The issue is the second eCommerce bug High Tech Bridge has dug up in the last week. Last week the firm publicized that it had found a PHP file inclusion bug and several XSS bugs in CartPress. Like the eShop vulnerabilities, the firm disclosed the CartPress issues after making three unsuccessful attempts to contact its developers.
The second vulnerability doesn’t involve a plugin as much as it involves a package used by a plugin.
Genericons, an icon package that figures into the Jetpack plugin and the TwentyFifteen WordPress theme, suffers from a DOM-based Cross-Site Scripting (XSS) vulnerability. With more than one million installs, Jetpack, which helps users with customization, visitor engagement, and site security, is one of the platform’s more popular plugins. Like Jetpack, the TwentyFifteen theme is popular and deployed by default in most WordPress installs.
“What’s more concerning here is the reach the plugin and theme have combined; they are installed in many cases, by default in all WordPress installations,” David Dede, a malware researcher at Sucuri, who discovered the issue and disclosed it yesterday, wrote.
An unnecessary .html file bundled in the package is to blame for the vulnerability, and researchers are encouraging anyone who runs a plugin that uses Genericons to simply remove the .html file.
As Sucuri notes, to carry out a DOM-based XSS, an attacker would have to trick a user into clicking on an exploit link in order to execute their payload directly in the victim’s browser.
As prevalent as Jetpack and TwentyFifteen are, fortunately, nearly a dozen WordPress hosts – GoDaddy, WPEngine, and Pagely to name a few – preemptively patched the issue in the weeks leading up to Sucuri’s disclosure.