Security alert: WordPress Competition Winning Plugins Vulnerable

Update: My sincere apologies to all the plugin developers. I usually try to keep track of WordPress security, and buayacorp has been very good at finding exploits and providing patches. In my hurry to warn users I forgot to check if patches were available or if the developers had been informed. I think it's pretty irresponsible on buayacorp's part.

The winners of the WordPress Plugin Competition have been announced. Congratulations to all the winners. I am really sorry to spoil the party, but I am posting this to inform readers; I would really hate it if someone hacked your site. Unfortunately, all the winning plugins are vulnerable to security flaws. They are listed here in order of danger.

1. WordPress Automatic Upgrade: it allows any unauthenticated user to:
* generate and download archives of the WordPress installation (including wp-config.php, with your database credentials);
* generate and download backups of your database, with everything that implies;
* activate and deactivate all plugins;
* upgrade the WordPress version without your authorization.
2. OneClick: vulnerable to CSRF (Cross-site request forgery); a forged request can make it download plugins, or malicious code, from any URL.
3. Who Sees Ads: vulnerable to CSRF and XSS (Cross-site scripting).
4. MyDashboard: vulnerable to CSRF and XSS.

Please deactivate these plugins immediately until the authors update them. A mail has been sent to each of these authors, so expect them to patch the plugins quickly.

Thank you carrero for tipping me off.

Original source: buayacorp

12 Responses

Thanks for your fast reply. I wrote to buayacorp because I need more details on these bugs; I want to fix them for use :)

@david I am having second thoughts about publishing this. Since it was all in Spanish, I assumed a mail had been sent to the developers of the plugins … I just saw Ozh's comment on buayacorp and I agree this is kind of very irresponsible. I think he is doing a good job, but this is a kinda scary way to do it.

No emails have been sent, and no details of exploits are available other than generic titles I’m afraid.

I wrote alex from buayacorp. I requested more information about these bugs for the plugin authors.

@David – Why can't you let us know the details? You obviously know what they are, otherwise you wouldn't be running around posting that there are vulnerabilities everywhere.
If you haven't seen them, or don't know about them, then do you really think you are helping?

The 2 plugins flagged as vulnerable to XSS & CSRF are, I think, just lacking nonce fields in their forms. Which does make them vulnerable to some XSS & CSRF attacks. Which is, IMO, nothing near a critical vulnerability. There's no reason not to implement nonces, really, and adding this WP built-in protection in all my plugins has been sitting on my todo-list for quite a while now. I've just been too lazy, but there's no reason why this should go on top of my todo list.

So, unless the smart ass behind this original announcement replies with some details and proves me wrong with more serious issues, I’ll keep this on my todo-list and update some day, for instance when I add features.
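To make the two classes of finding concrete, here is an added example, not code from any of the plugins named in this post and not the vulnerability details buayacorp reported. It uses a made-up plugin action (a "download database export" link, with hypothetical names such as `example_backup`) and shows the pattern behind the advisory's first item, a privileged action reachable by any unauthenticated visitor, beside the pattern behind the nonce remark in the comment above, a privileged action that a logged-in admin can be tricked into triggering from another site. The hardened version adds the two checks WordPress ships for this: a capability check and a nonce.

```php
<?php
/*
 * Added example, not code from the plugins in this post.
 * Hypothetical plugin action: let an admin download a list of database
 * tables (standing in for a full backup). Both handlers below call the
 * same privileged function; only the guards differ.
 */

// --- BEFORE: vulnerable. Hooked on 'init', so it runs for every request,
// including requests from visitors who are not logged in at all.
add_action( 'init', 'example_backup_vulnerable_handler' );
function example_backup_vulnerable_handler() {
    if ( empty( $_GET['example_backup'] ) ) {
        return;
    }
    // No is_user_logged_in()/current_user_can(): any visitor can fetch
    // http://victim/?example_backup=1 (the "unauthenticated user" finding).
    // No nonce: an <img src="http://victim/?example_backup=1"> on an
    // attacker's page also fires it in a logged-in admin's browser (CSRF).
    example_backup_stream_export();
}

// --- AFTER: hardened. admin_post_{action} only fires for logged-in users
// who POST to wp-admin/admin-post.php with action=example_backup.
add_action( 'admin_post_example_backup', 'example_backup_safe_handler' );
function example_backup_safe_handler() {
    // 1. Authorization: being logged in is not enough; a Subscriber must
    //    not be able to pull the export. manage_options limits it to admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this
    //    user's session. A page on another origin cannot read that value,
    //    so a forged request fails here. check_admin_referer() dies with a
    //    403 if the nonce is missing, expired or wrong.
    check_admin_referer( 'example_backup_download', 'example_backup_nonce' );

    example_backup_stream_export();
}

// The admin-page form that drives the safe handler. wp_nonce_field() prints
// the hidden nonce input (plus a referer field) that check_admin_referer()
// looks for; esc_url() escapes the action URL on output.
function example_backup_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_backup" />
        <?php wp_nonce_field( 'example_backup_download', 'example_backup_nonce' ); ?>
        <?php submit_button( 'Download database export' ); ?>
    </form>
    <?php
}

// The privileged action itself: stream the list of tables as a download.
// Sensitive enough to make the point; a real plugin would dump the rows too.
function example_backup_stream_export() {
    global $wpdb;
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="tables.txt"' );
    foreach ( $wpdb->get_col( 'SHOW TABLES' ) as $table ) {
        echo $table, "\n";
    }
    exit;
}
```

Two points worth keeping apart when reading the advisory: the capability check fixes the "any unauthenticated user" problem on its own, and the nonce fixes CSRF on its own; a plugin needs both, because a nonce does nothing for a handler that never required a logged-in user in the first place. Nonces do not address XSS: that needs escaping on output (`esc_html()`, `esc_attr()`, `esc_url()`) wherever request data is echoed back into a page.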

The said bugs have been fixed and I have released the latest version.


Has an email been sent to the author of OneClick with this info? I don’t see an update yet nor an acknowledgment of a comment about this left by David in Spanish of all things. Either way, since I’ve worked with Anirudh on a couple of bugs early on, I’m sending one myself.

There's no real proof that it can be done, and virtually every script is vulnerable to CSRF and XSS. Anyway, this minor problem is fixed. Please read this:


How much damage can be done on a vulnerable plugin? It seems it can be a doorway to attacks?

Personally, I think I would have a few people check my plugin before I went submitting it as a finished product. Then again, I can’t make them so nevermind. :P

Congrats to the winner, but it’s kinda lame that he was the way he was about the hosting prize.

Mistakes happen? :)