Formidable Forms is a visual form builder WordPress plugin from Strategy 11. The free version has 200,000+ active installs, which makes it one of the most popular contact form plugins for WordPress.
I noticed some potential security vulnerabilities in some of the more obscure AJAX actions the plugin makes available. Most of the actions are protected by a helpful function, FrmAppHelper::permission_check(), which checks both that the user has the WordPress permission for the action and that a valid nonce for the action was supplied. Kudos on implementing a system that makes it easy to be secure without duplicating code all over the place!
All of the actions uncovered require at least a valid WordPress account, but any account will work. If you are using this plugin, please update immediately.
Backup Guard is one of many WordPress plugins designed to back up your site. The free version on wordpress.org claims to have 20,000+ active installs; there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.
As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.
I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup, though by default the plugin uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to back up the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.
The other AJAX commands required a valid WordPress account (not just admin), but none of them did any further authorization, so a normal user could perform any of the actions. There are lots of actions to choose from; the most interesting to me was ‘backup_guard_importBackup’.
Last week a vulnerability was published for the WooCommerce Store Toolkit WordPress plugin from Visser Labs. I’ll often take a look at vulnerabilities and how they are resolved. In this case I noticed that the fix only covered one part, and furthermore that other plugins were vulnerable to similar issues. Kudos to Michael Visser for taking all these issues in stride and getting them resolved quickly.
The following plugins all had similar vulnerabilities that have been resolved.
The most serious vulnerability is in this plugin. The woo_ce_admin_init() function is hooked to the ‘admin_init’ WordPress action (which fires whenever anything under the admin interface is loaded, not only when an admin is logged in). The function checks the ‘action’ HTTP variable (GET or POST) and will perform many actions without further authorization.
The ‘export’ action does attempt to check a nonce, but a small bug renders the check useless.
Because of the &&, if $_POST['woo_ce_export'] is never passed in at all, the nonce is never checked, which allows all kinds of fun stuff to be exported.
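As an added illustration of the short-circuit pattern described above (reconstructed from the description, not the plugin’s actual code), the vulnerable check is shown beside a hardened one; the field name, action name and the stand-in nonce verifier are assumptions. In a real plugin, check_admin_referer() and current_user_can() would do the work of the hardened version.

```php
<?php
// Added example, not code from the plugin. Run with: php example.php

// Stand-in for WordPress's wp_verify_nonce(): accepts one constructed token.
function fake_verify_nonce(string $nonce, string $action): bool {
    $expected = hash_hmac('sha256', $action, 'constructed-secret');
    return hash_equals($expected, $nonce);
}

// VULNERABLE: with &&, a request that omits the field makes isset() false,
// so the nonce is never verified and the export is allowed anyway.
function vulnerable_export_allowed(array $post): bool {
    if (isset($post['woo_ce_export'])
        && !fake_verify_nonce($post['woo_ce_export'], 'woo_ce_export')) {
        return false; // only rejects a request that supplies a WRONG nonce
    }
    return true;
}

// HARDENED: a missing nonce is treated exactly like a bad one, and the
// caller's capability is checked as well (passed in here as a flag;
// WordPress would use current_user_can() and check_admin_referer()).
function hardened_export_allowed(array $post, bool $user_can_manage): bool {
    if (!$user_can_manage) {
        return false;
    }
    $nonce = $post['woo_ce_export'] ?? '';
    return $nonce !== '' && fake_verify_nonce($nonce, 'woo_ce_export');
}

// Constructed requests: no nonce field, a wrong nonce, and a valid one.
$valid = hash_hmac('sha256', 'woo_ce_export', 'constructed-secret');
$cases = [
    'no nonce field' => ['action' => 'export'],
    'wrong nonce'    => ['action' => 'export', 'woo_ce_export' => 'bogus'],
    'valid nonce'    => ['action' => 'export', 'woo_ce_export' => $valid],
];
foreach ($cases as $label => $post) {
    printf("%-15s vulnerable=%-5s hardened=%s\n", $label,
        var_export(vulnerable_export_allowed($post), true),
        var_export(hardened_export_allowed($post, true), true));
}
```

The first case is the bug described above: the vulnerable check returns true when no nonce is sent at all, while the hardened check refuses it.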
- 2/8/2016 Original advisory posted
- 2/9/2016 Sent additional information
- 2/10/2016 Updated versions released