Researchers claim five plugins use extract() function insecurely – but some maintainers disagree


UPDATED A hugely popular GDPR compliance plugin for WordPress contained an authenticated, persistent cross-site scripting (XSS) vulnerability related to the insecure use of PHP’s extract() function, according to security researchers.

As a result, the CookieYes GDPR Cookie Consent & Compliance Notice plugin, which has more than one million active installations, no longer uses the extract() function in the shortcodes module, as per a software update released today (September 29).

In a blog post published on September 24, Plugin Vulnerabilities, a WordPress security service, said it tested the 100 most popular plugins in the WordPress Plugin Directory for similar issues and identified five in total that used the extract() function insecurely.

extract() guidance

The extract() function imports variables into the local symbol table from an array, converting array keys into variable names, and array values into variable values.

The researchers claim the five plugins’ use “the function on user input in the form of shortcode attributes”, thereby contravening PHP documentation, which warns developers not to “use extract() on untrusted data, like user input (e.g. $_GET, $_FILES)”, as well as WordPress coding standards, which advise against using the function at all.

They first started investigating extract() after the function surfaced in a July blog post in which a Jetpack security researcher analyzed a local file inclusion vulnerability in WooCommerce Currency Switcher.

Plugin security audit

In a subsequent blog post, published on September 16, Plugin Vulnerabilities then claimed that Jetpack itself, the most popular WordPress security plugin with more than five million installs, also used extract() insecurely.

Steve Seear, Jetpack product engineering lead, told The Daily Swig: “We haven’t been able to identify any exploitable issues relating to the use of the extract() function in the Jetpack plugin. However, we have reevaluated the use of extract() and have decided to remove all calls to that function in the next release of Jetpack.”

INTERVIEW Patchstack’s Oliver Sild on securing WordPress, one plugin vulnerability at a time

The researchers have since disclosed that the issue was also present in the Advanced Custom Fields plugin, which has more than two million installs, and WordPress slider plugin MetaSlider, which is used by 700,000 websites.

The maintainers of Advanced Custom Fields told The Daily Swig: “We’ve confirmed our use of extract is limited to places where user input cannot cause any security issues. That said, we are still planning to remove the few instances of extract left in ACF’s codebase in an upcoming release.”

The maintainers of MetaSlider have yet to reply to our queries, but we will update this article if and when they respond.

OceanWP refutes claims

The XSS flaw in CookieYes GDPR relates to a lack of validation or sanitization on user input, said Plugin Vulnerabilities.

In yet another blog post, published on Monday (September 28), Plugin Vulnerabilities claimed to have found effectively the same bug in Ocean Extra, a companion to the OceanWP theme with more than 700,000 installs.

However, a developer and customer support manager for OceanWP has refuted claims Ocean Extra misuses extract().

Catch up on the latest WordPress security news

“The extract method has been used in accordance with its purpose – to assign each array key a variable role, to put it in layman’s terms,” he told The Daily Swig.

He also points out that Ocean Extra has not been red-flagged by iThemes’ weekly rundown of WordPress vulnerabilities because “they involve a human factor before making any reports”, and that OceanWP’s use of get_trail() can reveal whether Plugin Vulnerabilities’ claims have any merit.

Proof of concept

Plugin Vulnerabilities responded that they also manually check their automated findings and pointed to a proof-of-concept in the blog post. “We just double checked the proof of concept and confirmed again that it works,” they added.

However, the OceanWP developer claims the proof of concept only shows that “any website owner or admin can edit any theme/plugin file, or even the WordPress files, and insert any codes they want”.

Nevertheless, he said the extract() function had now been removed from all shortcodes in the latest release to eliminate “the opportunity for anyone to further misuse and misrepresent the info and the codes by spreading false info”.

The OceanWP developer said they had not been contacted directed by Plugin Vulnerabilities over the issue.

Plugin Vulnerabilities’ latest blog post includes a screenshot of a post they submitted to the WordPress Support Forum notifying Ocean Extra maintainers of the supposed vulnerability post-disclosure.

However, the Ocean Extra developer responded, saying: “The post from the screenshot does not exist, which means it was not approved by the moderators and everyone should ask themselves why. We don't have the option to ban/remove/approve anyone's post.”

Researchers from Plugin Vulnerabilities have long maintained a stance of disclosing vulnerabilities in plugins listed in the WordPress Plugin Directory before alerting developers (via the WordPress Support Forum) in “protest” at forum moderators’ “inappropriate behavior”.

This article was updated on September 29 with a response from the Jetpack security team, and additional comments from OceanWP, then on September 30 with comments from Plugin Vulnerabilities, and October 12 with further comments from OceanWP.

RELATED WordPress security: Information leak flaw addressed in Ninja Forms