Elegant Themes Divi/Divi Builder/Extra/Bloom/Monarch Security Vulnerability

by James Golovich

This won’t be a typical full disclosure post. I will release that after sufficient time has passed to allow users to upgrade. The most I will say now is that logged in users had access to more than they should have. If your site does not have additional untrusted users this is not a major issue for you. Though everyone should upgrade immediately.

On 2/10/2016 I discovered a potential security issue with Elegant Themes Divi theme. Since I am not a customer of theirs I had some issues getting in touch with someone to disclose the information to, but after a few emails and a Twitter exchange I was able to convey the information.

In the interim, Elegant Themes had Securi do a complete code analysis to check for further issues and apparently they did not discover anything further than I already had.

On 2/17/2016 Elegant Themes released updated versions and contacted their customer list to tell them to upgrade. I haven’t seen the exact email sent.

I believe a customer of theirs tweeted out about the issue. I was going to wait to post this until Elegant Themes had a chance to do their own release.

I have not seen the updated code, but based on the description received it sounds like the issue should be resolved.

Affected Versions

  • Divi < 2.6.4
  • Diviv (legacy) < 2.3.4
  • Divi Builder < 1.2.4
  • Extra < 1.2.4
  • Bloom < 1.1.1
  • Monarch < 1.2.7

 

Formidable Forms < 2.0.22 Security Vulnerability

by James Golovich

Formidable Forms is a visual form builder WordPress plugin from Strategy 11. The free version has 200,000+ active installs which makes it one of the most popular contact form plugins for WordPress.

I noticed some potential security vulnerabilities in some of the more obscure AJAX actions they make available. Most of the actions are protected by a helpful function FrmAppHelper::permission_check() which checks if a user has the WordPress permission for the action as well as a valid nonce for the action. Kudos on implementing a system that makes it easy to be secure without duplicating code all over the place!

All of the actions uncovered require at least a valid WordPress account, but any account will work. If you are using this plugin, please update immediately.

Read more

Backup Guard < 1.0.3 Logged in users can upload arbitrary files

by James Golovich

Backup Guard is one of many WordPress plugins to designed to backup your site. The free version on wordpress.org claims to have 20,000+ active installs, there is no indication of how many installs the non-free version has. After disclosing this information the developer sent me a copy of the paid version, but I have not had time to investigate that code.

As of today, the included ChangeLog still does not have any release notes related to this version and I have not seen any announcements of any security issues.

I noticed several issues related to their handling of AJAX requests. One of them allowed a non-authenticated user to trigger a manual backup. Though by default it uses .htaccess to keep anyone from accessing the backup files directly. With the paid version it might have been possible to pass in a remote location to backup the file to, but I did not have the code available when I did my initial analysis to determine if that was possible.

The other AJAX commands required a valid WordPress account (not just admin), none of the commands did any further authorization so a normal user could do any of the actions. There are lots of actions to choose from, the most interesting to me was ‘backup_guard_importBackup’.

Read more