Since we have been reviewing publicly disclosed security vulnerabilities in WordPress plugins to add them to our Plugin Vulnerabilities plugin, one of the things that has stood out to us is how long it can take for vulnerabilities to get fixed. Part of what makes this stand out is that in many of the cases fixing the vulnerability is quite easy, so it seems that many developers are just not too concerned about keeping their plugins are secure.
Let’s take a look at recent example of this. Back in March g0blin Research discovered an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin AddThis Sharing Buttons (formerly Smart Website Tools by AddThis). This plugin currently has over 200,000 active installs according to WordPress.org, has 12 listed authors, and is developed a private corporation of the same name. The vulnerability was caused by an Ajax function that should only be accessible to Administrator level users being accessible to any registered user. That severely limits the potential danger of the vulnerability since most WordPress based websites do not allow the public to create accounts, so someone relatively trusted with malicious intent would be required for the vulnerability to be exploited. It also should make it quite easy to fix, but as the timeline included with advisory (show below) shows it took the developers over two months to fix the issue:
2015-03-19: Discovered
2015-03-19: Vendor notified
2015-03-19: Vendor responded – link to report provided
2015-03-20: Version 4.0.7 released – issue still present
2015-03-26: Vendor responded with intent to fix
2015-03-31: Update requested from Vendor
2015-04-07: Vendor responded stating that a fix is in progress
2015-04-13: Update requested from Vendor
2015-04-16: Vendor states that fix is undergoing QA
2015-05-04: Update requested from Vendor
2015-05-11: Update requested from Vendor
2015-05-12: Vendor states that fix was rejected by QA, has been redeveloped and has been passed back to QA for re testing.
2015-06-01: Notified vendor of intention to contact WordPress Plugins team
2015-06-03: Version 5.0.4 released – issue resolved
2015-06-10: Advisory released
So what does it take to get this type of issue fixed?
There are two functions that are often used to check if someone is Administrator level user. The more widely used is to check if the user has the capability to manage_options:
current_user_can( ‘manage_options’ )
That capability is normally only provided to Administrator level and above users, and allows access to WordPress settings pages. That would be particular relevant for fixing this vulnerability as the vulnerable Ajax function is something that would have normally be accessed from a settings page.
The second function checks if a user is a Super Admin or Administrator:
is_super_admin()
With that function if network mode is enabled (WordPress MutliSite) it will return true if the user is a Super Admin and when network is not enabled it will return true if the user is an Administrator. Beyond the implications that this has with MultiSite websites, there is a potential that someone will accidentally use is_admin when they meant to user is_super_admin. That would be a security problem of its own, as is_admin only checks if an administrative page is being requested and “does not check if the user is logged in, nor if the user even has access to the page being requested”.
So what did the AddThis Developers come up after months and having a fix rejected by quality assurance?
First up is the relevant function before being fixed:
public function addthisAsyncLoading()
{
if ($this->_checkAsyncLoading()) {
$updateResult = $this->updateSettings($this->_postVariables);
}
die; //exit from the ajax request
}
Here is the fixed version (fix bolded):
public function addthisAsyncLoading()
{
if (current_user_can( ‘manage_options’ ) && $this->_checkAsyncLoading()) {
$updateResult = $this->updateSettings($this->_postVariables);
}
die; //exit from the ajax request
}
Why it two months to add less than a line of code is something we don’t understand. It could have been worse, in another case with the same failure to check on a user level, it to the plugin being pulled the plugin from the Plugin Directory for the vulnerability to be fixed (following us reporting it to Plugin Directory).