A hugely popular GDPR compliance plugin for WordPress contained an authenticated, persistent cross-site scripting (XSS) vulnerability related to the insecure use of PHP’s extract() function, according to security researchers.
As a result, the CookieYes GDPR Cookie Consent & Compliance Notice plugin, which has more than one million active installations, no longer uses the extract() function in the shortcodes module, as per a software update released today (September 29).
In a blog post published on September 24, Plugin Vulnerabilities, a WordPress security service, said it tested the 100 most popular plugins in the WordPress Plugin Directory for similar issues and identified five in total that used the extract() function insecurely.
extract() guidance
The extract() function imports variables into the local symbol table from an array, converting array keys into variable names, and array values into variable values.
The researchers claim the five plugins use “the function on user input in the form of shortcode attributes”, thereby contravening PHP documentation, which warns developers not to “use extract() on untrusted data, like user input (e.g. $_GET, $_FILES)”, as well as WordPress coding standards, which advise against using the function at all.
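As an added illustration of the pattern the researchers describe (constructed example code, not code from CookieYes, Ocean Extra or any other plugin named in this article), the plain-PHP script below models a shortcode handler two ways: one that calls extract() on attributes controlled by whoever writes the post and prints them unescaped, which is the lack of validation and sanitization that turns a stored attribute into persistent XSS, and one that keeps only the attribute keys it declares and escapes each value before output. The attribute array is constructed inline so the script runs offline; in WordPress the hardened steps correspond to shortcode_atts() and esc_attr()/esc_html().

```php
<?php
// Added example (not from any plugin named in the article): a shortcode-style
// handler written two ways. Shortcode attributes are supplied by whoever writes
// the post, so in WordPress they count as user input; here they are constructed
// inline so the script runs stand-alone with plain PHP.

declare(strict_types=1);

// Constructed input: 'class' carries attribute-breaking markup and 'is_admin'
// is a key the handler never declared.
$constructed_atts = [
    'text'     => 'Accept cookies',
    'class'    => '"><b>injected markup</b><i class="',
    'is_admin' => '1',
];

// Vulnerable pattern: extract() turns every attribute key into a local
// variable (undeclared ones included) and nothing is escaped on output,
// so attribute values land in the page markup verbatim and are stored with the post.
function render_banner_vulnerable(array $atts): string
{
    $is_admin = false;                               // the handler's own flag...
    $defaults = ['text' => 'Accept', 'class' => 'cookie-banner'];
    $merged   = array_merge($defaults, $atts);
    extract($merged);                                // ...silently overwritten by the 'is_admin' key
    $extra = $is_admin ? ' data-admin="1"' : '';
    return "<div class=\"$class\"$extra>$text</div>";
}

// Hardened pattern: keep only declared keys (what shortcode_atts() does in
// WordPress), read them by name so no unexpected variable can appear, and
// escape each value for its output context (esc_attr()/esc_html() in WordPress;
// htmlspecialchars() in plain PHP).
function render_banner_safe(array $atts): string
{
    $defaults = ['text' => 'Accept', 'class' => 'cookie-banner'];
    $atts  = array_intersect_key($atts, $defaults) + $defaults;   // drops 'is_admin'
    $class = htmlspecialchars($atts['class'], ENT_QUOTES, 'UTF-8');
    $text  = htmlspecialchars($atts['text'], ENT_QUOTES, 'UTF-8');
    return "<div class=\"$class\">$text</div>";
}

echo "vulnerable: ", render_banner_vulnerable($constructed_atts), PHP_EOL;
echo "hardened:   ", render_banner_safe($constructed_atts), PHP_EOL;
```

Running the script with `php` shows the vulnerable handler emitting the injected markup inside the div and adding a `data-admin` attribute because the undeclared `is_admin` key overwrote its local flag, while the hardened handler outputs the same values as inert escaped text and ignores the extra key entirely. The second behaviour is the one to look for when auditing a plugin's shortcode callbacks.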
They first started investigating extract() after the function surfaced in a July blog post in which a Jetpack security researcher analyzed a local file inclusion vulnerability in WooCommerce Currency Switcher.
Plugin security audit
In a blog post published on August 4, Plugin Vulnerabilities said it suggested to Jetpack developer and WordPress.com operator Automattic that “they could help to address the insecure usage of extract() in plugins on a wider scale, as about half of the WordPress security team are employees of that company”, but didn’t get a response.
In a subsequent blog post, published on September 16, Plugin Vulnerabilities then claimed that Jetpack itself, the most popular WordPress security plugin with more than five million installs, also used extract() insecurely.
The researchers have since disclosed that the issue was also present in the Advanced Custom Fields plugin, which has more than two million installs, and WordPress slider plugin MetaSlider, which is used by 700,000 websites.
The maintainers of Advanced Custom Fields told The Daily Swig: “We’ve confirmed our use of extract is limited to places where user input cannot cause any security issues. That said, we are still planning to remove the few instances of extract left in ACF’s codebase in an upcoming release.”
Automattic and the maintainers of MetaSlider have yet to reply to our queries, but we will update this article if and when they respond.
OceanWP refutes claims
The XSS flaw in CookieYes GDPR relates to a lack of validation or sanitization on user input, said Plugin Vulnerabilities.
In yet another blog post, published on Monday (September 28), Plugin Vulnerabilities claimed to have found effectively the same bug in Ocean Extra, a companion to the OceanWP theme with more than 700,000 installs.
However, a developer and customer support manager for OceanWP has refuted claims Ocean Extra misuses extract().
“The extract method has been used in accordance with its purpose – to assign each array key a variable role, to put it in layman’s terms,” he told The Daily Swig.
He said the WordPress prohibition of extract() relates to debugging issues on the WordPress platform itself that do not apply to Ocean Extra “since we’ve used it only in combination with shortcodes where all values are predefined”.
He also pointed out that Ocean Extra has not been red-flagged by iThemes’ weekly rundown of WordPress vulnerabilities because “they involve a human factor before making any reports”, and that OceanWP’s use of get_trail() can reveal whether Plugin Vulnerabilities’ claims have any merit.
He said OceanWP has not been contacted directly by Plugin Vulnerabilities over the issue.
Plugin Vulnerabilities’ latest blog post includes a screenshot of a post they submitted to the WordPress Support Forum notifying Ocean Extra maintainers of the supposed vulnerability post-disclosure.
Source: https://portswigger.net/daily-swig/wordpress-security-cookieyes-gdpr-plugin-patches-xss-bug-following-large-scale-php-audit