Pods Framework Security Release Fixes Severe Vulnerability


Last week a blind SQL injection vulnerability was discovered in Yoast’s popular WordPress SEO plugin. Given the severity of the vulnerability and the fact that the plugin is installed on more than one million WordPress sites, the security team at WordPress.org pushed a forced update to mitigate the possibility of mass exploitation.

Following this incident, the Pods framework team proactively performed a security review of their plugin and found an issue similar to the one discovered and disclosed last week in the WordPress SEO plugin. Contributor Josh Pollock describes the issue in the release announcement:

We believe this is an especially severe issue as this issue occurred in the PodsUI class, which is not only used for the Pods admin, but is also employed by many end-users to create front-end and back-end content management interfaces for non-admin users.

The issue occurred in approximately Line 859 of the PodsUI class. The orderby parameter, which is passed from the browser in a GET variable, was subsequently used in an SQL query without being properly sanitized.

As a result, malicious or other unintended SQL queries could be sent to the database by manipulating the GET request.

Pods 2.5.1.2, released today, is a security update that patches this vulnerability. If you require an earlier version of the plugin, patched builds of older versions are available on the releases page. All users are advised to update immediately.
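The class of bug described above, an ORDER BY column taken from the request and dropped straight into the query string, is worth seeing next to its fix. The PHP below is an added example written for this article; it is not Pods' code and not the actual patch. The table name, the column list and the function names are hypothetical. The key point it shows is that a column name cannot be passed through a value placeholder (such as those in WordPress's `$wpdb->prepare()`), so the only robust defence is an exact-match allow list rather than escaping.

```php
<?php
// Added example, not Pods' own code. Demonstrates validating an "orderby"
// value received from the request before it is used in SQL.
// Table name and column list are hypothetical.

// The only columns a caller may sort by. Anything else is rejected outright.
const ALLOWED_ORDERBY = array( 'id', 'name', 'created' );

/**
 * Return a safe ORDER BY fragment for the requested column, or null when the
 * request is not in the allow list. The fragment is built from the matched
 * constant, so no request-controlled string ever reaches the query.
 */
function safe_orderby( $requested, $direction = 'ASC' ) {
    $requested = strtolower( (string) $requested );
    if ( ! in_array( $requested, ALLOWED_ORDERBY, true ) ) {
        return null;
    }
    // Direction is likewise reduced to one of two fixed tokens.
    $direction = ( strtoupper( (string) $direction ) === 'DESC' ) ? 'DESC' : 'ASC';
    // Identifiers cannot be bound as placeholders, so they are allow-listed
    // instead of escaped; $requested here equals an entry of ALLOWED_ORDERBY.
    return '`' . $requested . '` ' . $direction;
}

// The vulnerable pattern the article describes: the GET value is interpolated
// into the query as-is. Shown only for contrast; never do this.
function vulnerable_query( $orderby ) {
    return "SELECT id, name FROM `wp_example_items` ORDER BY {$orderby}";
}

// The hardened pattern: unexpected values fall back to a fixed default order.
function hardened_query( $orderby, $direction = 'ASC' ) {
    $fragment = safe_orderby( $orderby, $direction );
    if ( $fragment === null ) {
        $fragment = '`id` ASC';
    }
    return "SELECT id, name FROM `wp_example_items` ORDER BY {$fragment}";
}

// Constructed sample inputs, standing in for $_GET['orderby'] values.
$samples = array( 'name', 'CREATED', 'not_a_column', 'name, created' );

foreach ( $samples as $value ) {
    echo "input: {$value}\n";
    echo "  vulnerable: " . vulnerable_query( $value ) . "\n";
    echo "  hardened:   " . hardened_query( $value, 'desc' ) . "\n";
}
```

Running the script shows that `name` and `CREATED` sort as requested, while `not_a_column` and `name, created` are silently replaced by the default ordering in the hardened query, even though the vulnerable query would have forwarded them to the database verbatim. Rejecting with a 400 response instead of defaulting is equally valid; what matters is that the value used in SQL comes from the allow list, never from the request.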

The Pods framework is used for creating, managing, and deploying customized content types and fields. It’s active on more than 30,000 WordPress installations. Contributors on the project credit Yoast’s transparency on the recent security issue as having inspired their team to proactively examine Pods.

“Reading the details of their issue led us to search for similar security issues in Pods,” Pollock said. “We applaud their responsible disclosure to the community. Publishing the details helps other developers work to improve security in their own codebase.”

More Security Updates on the Way for Popular WordPress Plugins

All relatively complex plugins will have security issues pop up from time to time that will require immediate patching. Fortunately, the plugin authors in these scenarios have been quick to respond.

This particular vulnerability is not limited to Pods and the WordPress SEO plugin by Yoast. Pollock advises that WordPress users should be on the lookout for more security updates to follow for other popular plugins.

“Our team has done a search in several other plugins for similar issues and has reported our findings to their authors,” he said. “At this time we cannot share specifics about these issues, but will as soon as it is responsible to do so.”


2 responses to “Pods Framework Security Release Fixes Severe Vulnerability”

  1. “All users are advised to update immediately.”

    No need. Pods has already been automatically updated :( Haven’t had the chance to disable auto-updates for plugins yet, so I’m not happy. At least with the Yoast plugin there were a few hours between the release and the auto-update, so I had the chance to do it myself. It seems like this went straight from release to auto-update, without any time for manual updates. Thank goodness I finally have some time today — auto-updates are scary!! When I signed in to update Pods, my dashboard wouldn’t load at first, but after a refresh it loaded fine. I suspect the auto-update to be the culprit, but really I have no clue… Did anyone else experience something like that?
