Instantly share code, notes, and snippets.

Embed
What would you like to do?
The email I sent to the WordPress plugin review team.
Hi there!
The plugin URI: https://wordpress.org/plugins/accelerated-mobile-pages/
As I was trying to incorporate compatibility for the plugin, I found several actionable hooks that allow users to do any of the following:
a) Users can download/read any file.
b) Users can upload files.
c) Users can exploit wp_remote_*() with self-set URLs.
d) Users can update the plugin’s settings.
e) Users can update post meta.
f) Users can download the complete Media library by supplying a random array of IDs.
g) Users can inject Posts.
All this can be done with merely a WordPress subscriber/visitor/commenter account.
Unfortunately, I don’t have the time to forge examples. Please look at these hooks to evaluate my assessments:
1. wp_ajax_ampforwp_get_licence_activate_update
2. wp_ajax_ampforwp_deactivate_license
3. wp_ajax_ampforwp_save_installer
4. wp_ajax_amppb_export_layout_data
5. wp_ajax_amppb_save_layout_data
6. wp_ajax_ampforwp_get_image
These hooks lack nonce and current_user_can() verifications, and wp_ajax_* actions only require the user to be logged in.
Other issues I’ve found are:
1. In the past I found that editors could potentially XSS the site. I fixed that for them, but they’ve since reverted it to add more features. There’s a consistent lack of escaping output, although WordPress prevents most of this being exploited via the unfiltered_html capability, I still believe this should be investigated.
2. The ../templates/instant-articles/instant-article-sanitizer.php file contains various simple, nonprefixed functions.
3. The ../pagebuilder/amp-page-builder.php file contains a useless non-limiting definition check on line 2. This is nitpicking, as it’ll only generate PHP errors starting at line 7. But it creates a false sense of direct-calling security.
4. You’ll also find a carbon-copy of the https://wordpress.org/plugins/amp/ plugin at version 0.4.2 in ../includes/vendor/amp.
5. In ../includes/modules-upgrade.php you’ll find non-standard functionality that downloads and installs plugins. Albeit only downloading from the WordPress.org repository, this will break a non-standard WP site easily, i.e. when WP_CONTENT_DIR is altered.
I couldn’t find the time to do more scrutinizing, but I think fixing these issues are a great step in the right direction.
I admire the authors for adding so many features in such a short time, but I think they should evaluate the security and integrity while doing so.
Kind regards,
Sybre Waaijer
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment