Saturday, 9 September 2017

Security Issue with Display Widgets Plugin


This is the latest version of the plugin code (version 2.6.3.1): https://plugins.trac.wordpress.org/browser/display-widgets/trunk/geolocation.php Look at the function beginning on line 186 (pasted in full in the original article linked below).
Note the name of the function, dynamic_page. What do you think a function named Dynamic Page does?
It creates a DYNAMIC PAGE (a dynamic WordPress post) on Display Widgets users' sites, and it is loaded by line 299:
299 add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
The line above hooks the the_posts filter: it intercepts your posts after they have been queried and before they are output to the browser, so the dynamic post can be added to the list of posts.
Why would a plugin whose purpose is to control where widgets are displayed create dynamic posts?
Line 187 checks whether a user is logged in. A logged-in user is probably the site owner, and when a user is logged in the dynamic_page function does nothing (the posts are output normally). So if you are logged into your site and look at it in a browser, everything looks normal.
Why would a legitimate plugin feature be hidden from the site owner and other logged-in users?
If a user is logged out: that would be your site's visitors and
Source: https://managewp.org/articles/16081/security-issue-with-display-widgets-plugin
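As an added check (example code written for this page, not code from the Display Widgets plugin or from the original article): a heuristic scanner that walks a WordPress plugins directory and flags PHP files containing both an add_filter( 'the_posts', ... ) registration and a call to is_user_logged_in(), the two ingredients described above. The two PHP samples embedded in it are constructed for the example; they reproduce the described pattern and are not the plugin's code.

```python
"""Heuristic triage scanner for hidden-post injection in WordPress plugins.

Added example, not code from Display Widgets or from the original article.
It looks for the two ingredients described above: a callback hooked on the
'the_posts' filter, and a branch on is_user_logged_in() in the same file,
i.e. content that only logged-out visitors ever see.
"""
import os
import re
import tempfile

# add_filter( 'the_posts', ... ) registration, with any quoting/spacing.
HOOK_RE = re.compile(r"""add_filter\s*\(\s*['"]the_posts['"]""")
# A logged-in check anywhere in the file (negated or not).
GUARD_RE = re.compile(r"""is_user_logged_in\s*\(""")

# Constructed sample that reproduces the pattern the article describes.
# It is an illustration written for this example, not the plugin's code.
SUSPICIOUS_PHP = r"""<?php
class hidden_post_connector {
    public static function dynamic_page( $posts ) {
        if ( is_user_logged_in() ) {
            return $posts;               // site owner sees nothing unusual
        }
        $fake = new stdClass;
        $fake->ID           = 0;
        $fake->post_title   = 'Injected page';
        $fake->post_content = 'content only logged-out visitors see';
        $posts[] = new WP_Post( $fake ); // appended to the visitor's post list
        return $posts;
    }
}
add_filter( 'the_posts', array( 'hidden_post_connector', 'dynamic_page' ) );
"""

# Constructed benign sample: hooks the_posts but treats every visitor alike.
BENIGN_PHP = r"""<?php
function sort_posts_by_title( $posts ) {
    usort( $posts, function ( $a, $b ) {
        return strcmp( $a->post_title, $b->post_title );
    } );
    return $posts;
}
add_filter( 'the_posts', 'sort_posts_by_title' );
"""


def scan_source(src):
    """Return hook/guard line numbers and whether both ingredients are present."""
    hook_lines, guard_lines = [], []
    for n, line in enumerate(src.splitlines(), 1):
        if HOOK_RE.search(line):
            hook_lines.append(n)
        if GUARD_RE.search(line):
            guard_lines.append(n)
    return {
        "hook_lines": hook_lines,
        "guard_lines": guard_lines,
        "suspicious": bool(hook_lines) and bool(guard_lines),
    }


def scan_plugins(root):
    """Scan every .php file under root (e.g. wp-content/plugins); return flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_source(fh.read())
            if result["suspicious"]:
                result["path"] = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(result)
    return findings


def demo():
    """Write the constructed samples to a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for plugin, src in (("hidden-post-sample", SUSPICIOUS_PHP),
                            ("benign-sort-sample", BENIGN_PHP)):
            os.makedirs(os.path.join(root, plugin))
            with open(os.path.join(root, plugin, "plugin.php"), "w", encoding="utf-8") as fh:
                fh.write(src)
        return scan_plugins(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: the_posts hook at line(s) {f['hook_lines']}, "
              f"is_user_logged_in() at line(s) {f['guard_lines']}")
```

Point scan_plugins() at a real wp-content/plugins directory to triage an installation. A hit is only a lead, not proof: membership and paywall plugins legitimately vary the post list by login state, so read the flagged callback and see what it appends. The definitive check for this class of hidden content is to fetch your own site without any cookies (a logged-out visitor) and compare it with what you see while logged in, because the injected post is hidden precisely from logged-in users.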

Source: https://williechiu40.wordpress.com/2017/09/10/security-issue-with-display-widgets-plugin/
