Same bug hits dozens of WordPress plugins, potentially affecting millions of websites

Potentially millions of WordPress websites may be exposed to hackers through a flaw that has seeped into multiple plugins through unclear recommendations in official WordPress documentation.

Security firm Securi today released a long but as yet incomplete list of WordPress plugins that share the same bug that may leave millions of websites — and their users — exposed to cross-site scripting attacks.

The flaw could allow an attacker to inject malicious code into the vulnerable site and have an otherwise benign site serve up malware to a browser.

With over one million installations, the Jetpack plugin from WordPress is one of the most popular of around 17 plugins that were patched during a coordinated effort over the past week involving plugin developers, WordPress’ security team and Securi. Other affected plugins include WordPress SEO, Google Analytics by Yoast, All in one SEO, Gravity Forms and at least a dozen other tools.

While the 17 plugins listed by Securi have been patched, Daniel Cid, Securi’s founder and CTO, said it had only analysed about 400 plugins for the bug, meaning it’s almost certain some of the more than 37,000 third-party WordPress plugins available are still vulnerable.

As for the 17 that have been patched, Cid advised users of them to update now. WordPress sites with automatic updates enabled should have received them today.

Why are so many sites affected by the same flaw?

The answer lies in WordPress’ official documentation. The bug and its link to the documentation were discovered by Joost de Valk, the developer of the Yoast Google Analytics and its WordPress SEO plugin, which were among the plugins patched this week that have over one million installations.

De Valk received a report that his SEO plugin contained an XSS flaw. After searching for how it came to be there, he discovered he’d introduced it by following recommendations in WordPress’ official documentation, known as the Codex.

“I, Joost, created the particular problem myself and was wondering how that had gotten by me, when I figured out that both the Codex and the developer documentation on WordPress.org for these functions were missing the fact that you had to escape their output. In fact, the examples in them when copied would create exploitable code straight away,” the developer said.

De Valk intended to release a patch independently last Wednesday but thought better of it after guessing that others may have made the same mistake. That realisation prompted the coordinated security release over the past week.

Securi’s Cid explained that an ambiguity in the official documentation “misled many plugin developers to use them in an insecure way”, in such a way that it encouraged the misuse of the add_query_arg() and remove_query_arg(), two popular functions used by WordPress plugin developers.

“The developers assumed that these functions would escape the user input for them, when it does not. This simple detail caused many of the most popular plugins to be vulnerable to XSS,” he said.

WordPress has also released updated guidelines explaining how to correctly use the functions and fix vulnerable plugins.

“Both add_query_arg() and remove_query_arg() have an optional argument to define the base query string to use. If this argument is undefined, it will use $_SERVER['REQUEST_URI'], which is unescaped. When printed out to a page, this could be used as an XSS attack vector,” WordPress.org explained.

“The easiest way to fix this in your plugin is to escape the output of add_query_arg() and remove_query_arg(). When it’s being printed to a page (for example as a link), you should use esc_url(). When it’s being used in HTTP headers or as part of a HTTP request (for example, as part of a location redirect header or in a wp_remote_get() call), you should use esc_url_raw().”

WordPress hasn’t released security patches for the platform itself since November last year, however vulnerable WordPress plugins have become a popular target for hackers. Earlier this month theFBI warned that ISIS sympathisers were exploiting un-patched WordPress plugins to spread propaganda by defacing vulnerable websites.

#ACSC

This article is brought to you by Enex TestLab, content directors for CSO Australia.