Tag: wordpress

WP All Import Vulnerability

February 26, 2015

If you use WP All Import or WP All Import Pro you should upgrade immediately to fix several severe vulnerabilities! Check out the WP All Import Vendor Announcement.

Monday February 23rd 2015 started off as a normal day. I was looking into an issue someone was having using WP All Import to import some data into a custom post type (CPT).

I’d never used WP All Import before, so I downloaded a copy from wordpress.org and set it up (very easy BTW). Unfortunately, I was blocked because you need a free version to import CPT. I decided to open up the source to look and see how it was actually inserting the CPT data, as long as I could see how it was working I could solve the original issue and go on with my day. After a few minutes looking at the code some familiar patterns jumped out at me and I knew I had to investigate further.

As soon as I realized there was something worth reporting I sent an email to support@wpallimport.com requesting a direct contact email for someone. I didn’t want to release information to an address that auto posts to a public tracker, or worse, not read at all.

Later that evening I was contacted directly by Louis Reingold requesting some more information. I provided detailed information about the potential vulnerability and right away he replied saying they would get it fixed asap and alert their customers.

I suspect Max their developer had a late night working on the issues. While I went to bed, I received 2 emails through the night and a bounty via paypal (Thanks! Other vendors take note!)

After a couple of followup emails I received an updated version of the code (the Pro version too! I’ll have to remember to check back into that original issue) and noticed almost everything was fixed but pointed out a bit more that needed fixed.

Versions Affected

WP All Import < 3.2.4
WP All Import Pro < 4.1.1

Full Disclosure

After sufficient time has been given for WP All Import users to upgrade I will release more information about these vulnerabilities.

Update: It has been sufficient time, I’ve posted the
WP All Import Vulnerability Breakdown

Easy Digital Downloads 2.1 Vulnerabilities

by James Golovich

December 12, 2014

On 12/5/2014 I contacted Pippin Williamson at Easy Digital Downloads to notify of some discovered security issues. He was very thankful and quick to resolve these issues and on 12/9/2014 version 2.2 was released.

Unfortunately there was not any explicit notification in the release notes of any security vulnerability, but they were visible in the github commit messages. It is recommended you upgrade right away, especially if you are selling products and like to get paid!

There were two classes of vulnerabilities discovered. The first was the typical not verifying the user has proper permission/nonce of an AJAX request. The second, which is apparently not a bug but an intentional feature, allows any action/filter that starts with ‘edd_’ to be called.

Some of the capabilities these vulnerabilities allow:

Logged in users (not just admin) can update prices on arbitrary items
Anyone can display a list of all banned emails
Anyone can change tax rates
Anyone can mark arbitrary orders as paid without actually paying

If you are a plugin developer that extends the Easy Digital Downloads plugin, make sure that any actions/filters you add that begin with ‘edd_’ are properly checking permissions.

ThemeBlvd theme framework vulnerability

by James Golovich

December 8, 2014

The ThemeBlvd theme framework doesn’t properly authenticate if a user is able to commit specific actions. We uncovered two specific vulnerabilities in their product and notified the vendor. This release was made after the vendor notified us a fix was released.

The first could be used to damage a WordPress site and possibly could be used for much more.

/** * Clear set of options. Hooked to "admin_init". * * @since 2.3.0 */ function themeblvd_clear_options() { if ( isset( $_POST['themeblvd_clear___options'] ) ) { $option_id = $_POST['themeblvd_clear___options']; delete_option( $option_id ); add_settings_error( $option_id , 'clear_defaults', __( 'Options cleared from database.', 'themeblvd' ), 'themeblvd-error error fade' ); } }

This code doesn’t authenticate the user in any way, so it allows any user to delete an arbitrary option from the wp_options table.

The second vulnerability allows a user to set any of their user_meta data to ‘true’. Which could be leveraged for additional access.
function themeblvd_disable_nag() {

global $current_user;

if ( isset( $_GET[‘tb_nag_ignore’] ) ) {
add_user_meta( $current_user->ID, $_GET[‘tb_nag_ignore’], ‘true’, true );
}
}

I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.

Themes Affected

WP Jump Start (version 1.2.4)
Alyeska (version 3.1.4)
Akita (version 2.1.4)
Arcadian Responsive (version 2.0.5)
Swagger (version 2.1.4)
Commodore (version 3.0.2)
Barely Corporate (version 4.1.4)

Plugins Affected

Theme Blvd Shortcodes (version 1.5.2)
Theme Blvd Widget Areas (version 1.2.2)
Theme Blvd Layout Builder (version 2.0.1)
Theme Blvd Sliders (version 1.2.3)