WordPress plugin security audit finds dozens of vulnerabilities impacting 60,000 websites

Unauthenticated SQL injection bugs put thousands of WordPress websites under threat

A researcher at security firm Cyllective has unearthed vulnerabilities in dozens of WordPress plugins, affecting tens of thousands of installations.

Dave Miller, who leads Cyllective’s penetration testing team, says they started out testing randomly chosen plugins, quickly discovering an unauthenticated SQL injection vulnerability.

They also found a series of local file inclusion and remote code execution (RCE) vulnerabilities. However, as these issues were found in severely outdated plugins, the team decided to concentrate its efforts on those that have received updates within the last two years – around 5,000 plugins in total.

Exposed endpoints

Looking particularly for unauthenticated SQL injection vulnerabilities, the researcher used a system of tags to identify plugins showing interaction with the WordPress database; string interpolation in SQL-like strings; security measures relating to sanitization attempts; and exposure of unauthenticated endpoints.

After three months’ research, says Miller, the result was a total of 35 vulnerabilities, all of which could have been exploited by unauthenticated attackers, affecting around 60,500 instances running the affected WordPress plugins.


“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these weren’t the most devastating ones,” Miller tells The Daily Swig.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

This, he says, would essentially allow an unauthenticated attacker to create a new administrator account and take over the WordPress instance. From there, the attacker would be able to upload malicious PHP files, which would grant the attacker remote code execution capabilities on the underlying server as a low-privileged user.
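To make the tag-based triage described under “Exposed endpoints” concrete, and to show the two flaw classes Miller singles out (unauthenticated SQL injection, and an unauthenticated arbitrary options update), here is a small Python scanner. It is example code written for this article, not Cyllective’s tooling and not code from any plugin named here; the tag names, regular expressions and the four constructed sample plugins are assumptions, and the vulnerable samples are written in the style of the flaws described rather than taken from the sitemap-by-click5 plugin or any other real plugin.

```python
# Added example (not Cyllective's tooling): a minimal tag-based triage scanner
# of the kind the article describes. It labels PHP plugin source with a few
# file-level tags and reports the combinations that point at unauthenticated
# SQL injection or an unauthenticated arbitrary option update. The tag names,
# regexes and sample plugins below are assumptions made for this example.
import re

TAG_PATTERNS = {
    # interaction with the WordPress database
    "db": re.compile(r"\$wpdb\s*->\s*(get_results|get_var|get_row|get_col|query)\s*\("),
    # a PHP variable interpolated into a double-quoted, SQL-looking string
    "interp": re.compile(
        r'"[^"]*\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b[^"]*\$\w+[^"]*"',
        re.IGNORECASE,
    ),
    # sanitisation / escaping attempts
    "sanitize": re.compile(
        r"(\$wpdb\s*->\s*prepare|\besc_sql|\babsint|\bintval|\bsanitize_\w+)\s*\("
    ),
    # entry points reachable without authentication: nopriv AJAX hooks, or a
    # REST route that explicitly disables its permission check
    "nopriv": re.compile(
        r"add_action\s*\(\s*['\"]wp_ajax_nopriv_\w+['\"]"
        r"|['\"]permission_callback['\"]\s*=>\s*['\"]__return_true['\"]"
    ),
    # update_option() called with a non-literal (attacker-influenced) name
    "optupdate": re.compile(r"\bupdate_option\s*\(\s*\$"),
    # capability or nonce checks
    "authz": re.compile(
        r"\b(current_user_can|check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\("
    ),
}


def tag_source(src: str) -> set:
    """Return the set of tags whose pattern matches anywhere in src."""
    return {tag for tag, pat in TAG_PATTERNS.items() if pat.search(src)}


def triage(tags: set) -> list:
    """Map a tag set to the finding classes worth a manual look.

    Tags are file-level signals, not proof: one prepare() anywhere in the file
    clears the SQLi candidate even if another query is still raw. That is why
    this is triage for a human reviewer, not detection.
    """
    findings = []
    if {"nopriv", "db", "interp"} <= tags and "sanitize" not in tags:
        findings.append("unauth-sqli-candidate")
    if {"nopriv", "optupdate"} <= tags and "authz" not in tags:
        findings.append("unauth-options-update")
    return findings


def scan(plugins: dict) -> dict:
    """Scan {name: php_source} and return {name: findings} for flagged files."""
    results = {}
    for name, src in plugins.items():
        findings = triage(tag_source(src))
        if findings:
            results[name] = findings
    return results


# Constructed sample plugins (not real plugin code): a nopriv AJAX handler
# that interpolates user input into a query, its hardened twin, a handler
# that lets anyone update any option, and its hardened twin.
SAMPLES = {
    "items-vuln.php": '''<?php
add_action('wp_ajax_nopriv_get_item', 'items_get');
function items_get() {
    global $wpdb;
    $id = $_GET['id'];
    wp_send_json($wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id"));
}''',
    "items-fixed.php": '''<?php
add_action('wp_ajax_nopriv_get_item', 'items_get');
function items_get() {
    global $wpdb;
    $sql = $wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", absint($_GET['id']));
    wp_send_json($wpdb->get_results($sql));
}''',
    "sitemap-vuln.php": '''<?php
add_action('wp_ajax_nopriv_sm_save', 'sm_save');
function sm_save() {
    // anyone can set users_can_register=1 and default_role=administrator
    foreach ($_POST['options'] as $name => $value) { update_option($name, $value); }
    wp_send_json_success();
}''',
    "sitemap-fixed.php": '''<?php
add_action('wp_ajax_sm_save', 'sm_save');   // authenticated hook only
function sm_save() {
    check_ajax_referer('sm_save');
    if (!current_user_can('manage_options')) { wp_die('forbidden', 403); }
    $allowed = array('sm_enabled', 'sm_frequency');
    foreach ($_POST['options'] as $name => $value) {
        if (in_array($name, $allowed, true)) { update_option($name, sanitize_text_field($value)); }
    }
    wp_send_json_success();
}''',
}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {', '.join(findings)}")
```

Run stand-alone, the scanner flags only `items-vuln.php` and `sitemap-vuln.php`. Two details are worth noticing. First, the `interp` tag fires on the hardened query as well, because `{$wpdb->prefix}` is itself interpolation; it is the `sanitize` tag (`$wpdb->prepare` with a `%d` placeholder) that keeps the fixed file out of the SQLi candidates, which is a reminder that each tag is a weak signal and only their combination is useful. Second, the fixed options handler changes three things at once: it drops the `wp_ajax_nopriv_` hook, it checks a nonce and the `manage_options` capability, and it allow-lists the option names it will write, so that `users_can_register` and `default_role` are never reachable through it.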

Looking for patterns

With a little more engineering, says Miller, the team’s tag technique could be used to find flaws other than SQL injection vulnerabilities.

“New patterns would need to be developed which capture the specifics of the vulnerability class to be able to detect them,” he says. “Some vulnerability classes are, however, hard or even impossible to detect with this approach.”


Miller says that, despite the large number of vulnerabilities discovered, the disclosure process went smoothly, with the team reporting each vulnerability as it was discovered – at times, as many as four or five per day.

“WPScan [a WordPress security vendor] coordinated the process of communication between all the parties involved – researcher, plugin author and the WordPress plugin team – in a timely manner,” he says.

And, he adds, the team is still working through more plugins, with more vulnerabilities being discovered and responsibly disclosed.

“Security is ultimately the responsibility of the plugin developer, and the Plugin team encourages this to the best of its ability,” a WordPress spokesperson tells The Daily Swig.

“To this end, guidelines exist for plugin authors to consult before submitting plugins to the directory. All developers are expected to abide by these guidelines. In addition, they have at their disposal a Plugin Handbook that covers security best practices.”
