The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I’ve historically created these weekly vulnerable plugin reports for the WordPress admins at the University of Missouri campus as a way to help them identify plugins and themes that need to be updated quickly. I began sharing the list publicly last fall. As more and more institutions began asking me to add them to my list, we felt it would be a good idea to share this resource here on WPCampus.
There are nine unfixed vulnerabilities across five plugins this week. The vast majority of this week’s unfixed vulnerabilities come from a single author. Unfortunately, he reused the same chunk of vulnerable code across all of his plugins. Specifically, when processing POST data, he did not include a nonce, or any other check, to ensure that the user intended to initiate the save action, leaving his code open to a Cross-Site Request Forgery vulnerability. In addition, no validation, filtering or sanitization is performed on the data before he saves it to the database. He then later echoes that data back out to the browser without any escaping, leaving the code, and more importantly the user, open to Cross-Site Scripting vulnerabilities. An attacker could therefore combine these two vulnerabilities to steal an Admin’s session IDs on a target WordPress site.
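The save-then-echo pattern described above, as an added example that is not taken from any of the plugins in the report: a hypothetical `wpc_banner_text` option, first written the way the report describes (no nonce, no sanitization, no escaping) and then with the missing controls in place. The option, action and function names are invented for illustration; every WordPress API call used is a real core function.

```php
<?php
// Added example, not code from the reported plugins. "wpc_banner_text" is a hypothetical option.

// UNSAFE: any POST reaching this code is trusted (CSRF), the raw value is stored
// (no sanitization) and later echoed unescaped (stored XSS).
function wpc_banner_save_unsafe() {
    if ( isset( $_POST['wpc_banner_text'] ) ) {
        update_option( 'wpc_banner_text', $_POST['wpc_banner_text'] );
    }
}
function wpc_banner_render_unsafe() {
    echo '<input name="wpc_banner_text" value="' . get_option( 'wpc_banner_text' ) . '">';
}

// HARDENED: the same save/render pair with the three missing controls added.
function wpc_banner_save() {
    // 1. Capability check: only users allowed to manage options may save.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // 2. Nonce check: a forged cross-site POST cannot supply a valid nonce for this
    //    action, so the CSRF path is closed. check_admin_referer() dies on failure.
    check_admin_referer( 'wpc_banner_save', 'wpc_banner_nonce' );

    // 3. Sanitize on the way in: reduce the value to a single line of plain text.
    $text = isset( $_POST['wpc_banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['wpc_banner_text'] ) )
        : '';
    update_option( 'wpc_banner_text', $text );

    wp_safe_redirect( admin_url( 'options-general.php?page=wpc-banner&updated=1' ) );
    exit;
}
// admin_post_{action} fires for authenticated POSTs to admin-post.php with action=wpc_banner_save.
add_action( 'admin_post_wpc_banner_save', 'wpc_banner_save' );

function wpc_banner_render() {
    // 4. Escape on the way out, for the context the value lands in (an HTML attribute here).
    $text = get_option( 'wpc_banner_text', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wpc_banner_save">';
    wp_nonce_field( 'wpc_banner_save', 'wpc_banner_nonce' ); // emits the nonce + referer fields
    echo '<input type="text" name="wpc_banner_text" value="' . esc_attr( $text ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

Sanitizing on input and escaping on output are separate controls: the first limits what is stored, the second guards the specific context (attribute, HTML body, URL) where the stored value is later placed.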
BlackArch released the latest version of their pentesting toolkit yesterday. It now contains over 1800 tools, several of which are WordPress-specific, including one that I’ve been playing with recently, WPSeku. As a general WordPress scanning tool, I still find WPScan to contain more immediately usable information, but WPSeku allows you to define a target file and a collection of parameters that it will then fuzz for SQL Injection, Cross-Site Scripting and Local File Inclusion vulnerabilities. From a development standpoint, I’ve been using it to test my own themes and plugins as a tertiary check to make sure I haven’t overlooked or missed something. Install it locally, or grab the OVA virtual machine image of BlackArch, and start testing against your local development instance of your sites to see what you discover.