[wp-hackers] Possible vulnerability with the plugin system

John Blackbourn johnbillion+wp at gmail.com
Fri Nov 30 18:34:03 GMT 2007


This could probably be described as more of an advisory to plugin
authors to check the security of their plugins, rather than an actual
vulnerability, but let's see what people think. Feedback appreciated.

It seems that any file contained anywhere within the
`wp-content/plugins/` directory can be included (that's include()-ed)
into the wp-admin screen — with full access to all the WordPress
functions — just by passing it as the `page` parameter in the wp-admin
URL.

A little background:

A plugin can create its own admin page with the add_submenu_page()
function [1] (or one of the wrapper functions). The `file` parameter
can accept the path to a PHP file within the `wp-content/plugins/`
directory, which will allow the plugin's admin page to be accessed from
a URL such as www.example.com/wp-admin/options.php?page=myplugin/myplugin.php.
If the `function` parameter of add_submenu_page() isn't specified,
the file is simply included [2] after the admin menu.

The problem here is that any file within the `wp-content/plugins/`
directory can be included with this method, irrespective of any
plugin's activation status. So let's say a plugin is made up of
several files for organisational purposes, and the plugin includes one
of these files inside a function:

function delete_something() {
include( 'delete_something.php' );
}

...and inside delete_something.php we have something like:

<?php
delete_option( 'myplugin-option' );
?>

Obviously this is an overly simplified example but you get the idea.
The point is that the contents of delete_something.php can be anything
and it'll successfully be executed right inside WordPress by visiting
www.example.com/wp-admin/options.php?page=myplugin/delete_something.php
whereas the author's intended behaviour is that this file is only
included inside the delete_something() function in the main plugin
file.

Note that if the file is called directly with
www.example.com/wp-content/plugins/myplugin/delete_something.php ,
nothing too bad can happen because any built-in WordPress functions
aren't available. Plus you can put something like:

if ( basename(__FILE__) == basename( $_SERVER['SCRIPT_FILENAME'] ) )
die( 'Please do not load this page directly. Thanks!' );

at the top of the file to protect against direct file access.

So what to do? When writing a plugin, if you use additional files for
organisational purposes, make sure that none of those files does
anything unexpected when it is included via this method, i.e. when it
is loaded on its own rather than from the place in your code you
intended.
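As an added example (not code from the original post), here is how the helper file from above could be restructured so that an include via the `page` parameter, or a direct web request, does nothing: the helper only defines behaviour, and the main plugin file is the one explicit call site. The file, function and option names are assumed for illustration; the ABSPATH check stands in for the basename() comparison shown earlier, and the nonce and capability checks at the call site are an addition to the pattern being discussed.

```php
<?php
// ---- myplugin/delete_something.php (hardened helper; assumed file name) ----

// Direct web access: WordPress is not loaded, so ABSPATH is undefined.
// This replaces the basename() comparison from the post above.
if ( ! defined( 'ABSPATH' ) ) {
    die( 'Please do not load this page directly. Thanks!' );
}

// Everything below only *defines* behaviour. If wp-admin include()s this
// file because of ?page=myplugin/delete_something.php, nothing happens:
// no option is touched until the main plugin file calls the function.
// The function_exists() guard avoids a "cannot redeclare" fatal error when
// the file is included a second time in the same request.
if ( ! function_exists( 'myplugin_delete_something' ) ) {
    function myplugin_delete_something() {
        delete_option( 'myplugin-option' ); // assumed option name
    }
}
?>
```

```php
<?php
// ---- myplugin/myplugin.php (main plugin file; assumed file name) ----

// Loading the helper has no side effects, so it is safe to do at plugin load.
include_once( dirname( __FILE__ ) . '/delete_something.php' );

// Handler for the plugin's own admin page: the only intended call site.
// Pass this as the `function` parameter of add_submenu_page() so wp-admin
// calls it instead of include()-ing a file.
function myplugin_admin_page() {
    // Destructive action: require the right capability and a valid nonce
    // before doing anything, then call the helper explicitly.
    if ( isset( $_POST['myplugin_delete'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.' );
        }
        check_admin_referer( 'myplugin-delete' );
        myplugin_delete_something();
        echo '<div class="updated"><p>Option deleted.</p></div>';
    }

    // Minimal form that posts back to this same admin page.
    echo '<form method="post">';
    wp_nonce_field( 'myplugin-delete' );
    echo '<input type="submit" name="myplugin_delete" value="Delete option" />';
    echo '</form>';
}
?>
```

With this layout, visiting options.php?page=myplugin/delete_something.php still include()s the helper, but the only effect is that a function gets defined; the delete happens solely through myplugin_admin_page(), where the request has been checked first.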

Does this class as a vulnerability? Someone with a bit more
imagination than myself might be able to think of an XSS scenario if a
popular plugin is found to be adversely affected by this.

Excuse the longwindedness of this post but I do tend to ramble on :-)

[1] http://codex.wordpress.org/Adding_Administration_Menus#Sub-Menus
[2] see line #63 of wp-admin/admin.php