WordPress security: CookieYes GDPR plugin patches XSS bug following large-scale PHP audit


Researchers claim five plugins use function insecurely – but some maintainers disagree

UPDATED A hugely popular GDPR compliance plugin for WordPress contained an authenticated, persistent cross-site scripting (XSS) vulnerability related to the insecure use of PHP’s extract() function, according to security researchers.

As a result, the CookieYes GDPR Cookie Consent & Compliance Notice plugin, which has more than one million active installations, no longer uses extract() in its shortcodes module, as per a software update released today (September 29).

In a blog post published on September 24, Plugin Vulnerabilities, a WordPress security service, said it tested the 100 most popular plugins in the WordPress Plugin Directory for similar issues and identified five in total that used the function insecurely.


extract() imports variables into the local symbol table from an array, converting array keys into variable names and array values into variable values.

The researchers claim the five plugins use “extract() on user input in the form of shortcode attributes”, thereby contravening PHP documentation, which warns developers not to “use extract() on untrusted data, like user input (e.g. , )”, as well as WordPress coding standards, which advise against using the function at all.
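As an added illustration, not code from CookieYes or any other plugin named in this article, here is a hypothetical [demo_banner] shortcode handler written first in the pattern the researchers describe and then in the form WordPress coding standards recommend (the shortcode name, function names and attributes are assumptions):

```php
<?php
// Hypothetical [demo_banner title="..."] shortcode, written twice.
// Anyone who can edit posts can place shortcodes, so $atts is user input.

// BEFORE: extract() turns every attribute the post author supplies into a
// local variable. An attribute the developer never intended to accept can
// overwrite $wrapper_class, and both values are echoed without escaping,
// so markup injected here is stored with the post and rendered to every
// visitor (the persistent XSS pattern described above).
function demo_banner_shortcode_insecure( $atts ) {
    $wrapper_class = 'demo-banner';          // meant to be fixed
    $title         = '';
    extract( (array) $atts );                // may overwrite both variables above
    return '<div class="' . $wrapper_class . '">' . $title . '</div>';
}

// AFTER: shortcode_atts() keeps only the keys listed in the defaults
// (unknown attributes are dropped and $atts may also be an empty string
// when no attributes are given), values are read explicitly rather than
// materialised as variables, and each value is escaped for the context it
// lands in: esc_attr() inside an attribute, esc_html() inside element text.
function demo_banner_shortcode( $atts ) {
    $args = shortcode_atts(
        array( 'title' => '', 'align' => 'left' ),   // the only accepted keys
        $atts,
        'demo_banner'
    );
    $align = in_array( $args['align'], array( 'left', 'right' ), true )
        ? $args['align']
        : 'left';                                    // closed set, not free text
    return '<div class="demo-banner demo-banner-' . esc_attr( $align ) . '">'
        . esc_html( $args['title'] )
        . '</div>';
}
add_shortcode( 'demo_banner', 'demo_banner_shortcode' );
```

A quick review check for the pattern on the page is to search a plugin for `extract(` and confirm that none of its call sites receive shortcode attributes, request parameters or other caller-controlled arrays.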

They first started investigating after extract() surfaced in a July blog post in which a Jetpack security researcher analyzed a local file inclusion vulnerability in WooCommerce Currency Switcher.

Plugin security audit

In a subsequent blog post, published on September 16, Plugin Vulnerabilities then claimed that Jetpack itself, the most popular WordPress security plugin with more than five million installs, also used extract() insecurely.

Steve Seear, Jetpack product engineering lead, told The Daily Swig: “We haven’t been able to identify any exploitable issues relating to the use of the function in the Jetpack plugin. However, we have reevaluated the use of extract() and have decided to remove all calls to that function in the next release of Jetpack.”


The researchers have since disclosed that the issue was also present in the Advanced Custom Fields plugin, which has more than two million installs, and WordPress slider plugin MetaSlider, which is used by 700,000 websites.

The maintainers of Advanced Custom Fields told The Daily Swig: “We’ve confirmed our use of extract is limited to places where user input cannot cause any security issues. That said, we are still planning to remove the few instances of extract left in ACF’s codebase in an upcoming release.”

The maintainers of MetaSlider have yet to reply to our queries, but we will update this article if and when they respond.

OceanWP refutes claims

The XSS flaw in CookieYes GDPR relates to a lack of validation or sanitization on user input, said Plugin Vulnerabilities.

In yet another blog post, published on Monday (September 28), Plugin Vulnerabilities claimed to have found effectively the same bug in Ocean Extra, a companion to the OceanWP theme with more than 700,000 installs.

However, a developer and customer support manager for OceanWP has refuted claims that Ocean Extra misuses extract().


“The extract method has been used in accordance with its purpose – to assign each array key a variable role, to put it in layman’s terms,” he told The Daily Swig.

He also pointed out that Ocean Extra has not been red-flagged by iThemes’ weekly rundown of WordPress vulnerabilities because “they involve a human factor before making any reports”, and that OceanWP’s use of extract() can reveal whether Plugin Vulnerabilities’ claims have any merit.

He said OceanWP has not been contacted directly by Plugin Vulnerabilities over the issue.

Plugin Vulnerabilities’ latest blog post includes a screenshot of a post they submitted to the WordPress Support Forum notifying Ocean Extra maintainers of the supposed vulnerability post-disclosure.

However, the Ocean Extra developer responded, saying: “The post from the screenshot does not exist, which means it was not approved by the moderators and everyone should ask themselves why. We don’t have the option to ban/remove/approve anyone’s post.”

Researchers from Plugin Vulnerabilities have long maintained a stance of disclosing vulnerabilities in plugins listed in the WordPress Plugin Directory before alerting developers (via the WordPress Support Forum) in “protest” at forum moderators’ “inappropriate behavior”.

This article was updated on September 29 with a response from the Jetpack security team and additional comments from OceanWP.
