
Tag: wordpress

Easy Digital Downloads 2.1 Vulnerabilities


On 12/5/2014 I contacted Pippin Williamson at Easy Digital Downloads to notify him of some security issues I had discovered. He was very thankful and quick to resolve them, and on 12/9/2014 version 2.2 was released.

Unfortunately the release notes do not explicitly mention any security vulnerability, but the fixes are visible in the GitHub commit messages. It is recommended you upgrade right away, especially if you are selling products and like to get paid!

There were two classes of vulnerabilities discovered. The first was the typical failure to verify that the user has the proper permission (capability) and a valid nonce for an AJAX request. The second, which is apparently not a bug but an intentional feature, allows any action/filter whose name starts with ‘edd_’ to be called.

Some of the capabilities these vulnerabilities allow:

  • Logged in users (not just admin) can update prices on arbitrary items
  • Anyone can display a list of all banned emails
  • Anyone can change tax rates
  • Anyone can mark arbitrary orders as paid without actually paying

If you are a plugin developer that extends the Easy Digital Downloads plugin, make sure that any actions/filters you add that begin with ‘edd_’ are properly checking permissions.

ThemeBlvd theme framework vulnerability


The ThemeBlvd theme framework doesn’t properly check whether a user is authorized to perform specific actions. We uncovered two specific vulnerabilities in their product and notified the vendor. This post was published after the vendor notified us that a fix had been released.

The first could be used to damage a WordPress site, and possibly for much more.


/**
 * Clear set of options. Hooked to "admin_init".
 *
 * @since 2.3.0
 */
function themeblvd_clear_options() {
    if ( isset( $_POST['themeblvd_clear___options'] ) ) {
        $option_id = $_POST['themeblvd_clear___options'];
        delete_option( $option_id );
        add_settings_error( $option_id, 'clear_defaults',
            __( 'Options cleared from database.', 'themeblvd' ),
            'themeblvd-error error fade' );
    }
}

This code doesn’t authenticate the user in any way, so it allows any user to delete an arbitrary option from the wp_options table.

The second vulnerability allows a user to set any user_meta key of their choosing on their own account to ‘true’, which could be leveraged for additional access.

function themeblvd_disable_nag() {

    global $current_user;

    if ( isset( $_GET['tb_nag_ignore'] ) ) {
        add_user_meta( $current_user->ID, $_GET['tb_nag_ignore'], 'true', true );
    }
}
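As an added example (not ThemeBlvd’s or Easy Digital Downloads’ own code), here are both ThemeBlvd handlers rewritten with the checks these posts say are missing: a capability check, a nonce check, and a fixed or allow-listed key instead of a user-supplied one. The nonce action names and the allow-listed option IDs are assumptions for illustration; the same pattern applies to any ‘edd_’ action a plugin registers.

```php
<?php
/**
 * Hardened versions of the two handlers above. Added example, not the
 * vendor's patch; nonce action names and option IDs are assumed.
 */

// The settings form must emit
// wp_nonce_field( 'themeblvd_clear_options', 'themeblvd_clear_nonce' ).
function themeblvd_clear_options_hardened() {
    if ( ! isset( $_POST['themeblvd_clear___options'] ) ) {
        return;
    }
    // 1. Capability: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. Nonce: the request must originate from our own settings form.
    check_admin_referer( 'themeblvd_clear_options', 'themeblvd_clear_nonce' );

    // 3. Allow-list: never pass a raw user-supplied key to delete_option().
    $allowed   = array( 'themeblvd_options', 'themeblvd_sidebars' ); // assumed IDs
    $option_id = sanitize_key( wp_unslash( $_POST['themeblvd_clear___options'] ) );
    if ( ! in_array( $option_id, $allowed, true ) ) {
        return;
    }
    delete_option( $option_id );
    add_settings_error( $option_id, 'clear_defaults',
        __( 'Options cleared from database.', 'themeblvd' ),
        'themeblvd-error error fade' );
}
add_action( 'admin_init', 'themeblvd_clear_options_hardened' );

// The dismiss link must be built with
// wp_nonce_url( add_query_arg( 'tb_nag_ignore', '1' ), 'tb_nag_ignore' ).
function themeblvd_disable_nag_hardened() {
    if ( ! isset( $_GET['tb_nag_ignore'] ) || ! is_user_logged_in() ) {
        return;
    }
    check_admin_referer( 'tb_nag_ignore' );
    // Fixed meta key: the user may only dismiss this one nag, never write
    // an arbitrary user_meta key taken from the query string.
    add_user_meta( get_current_user_id(), 'tb_nag_ignore', 'true', true );
}
add_action( 'admin_init', 'themeblvd_disable_nag_hardened' );
```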

I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.
