Industrious French security researcher Robert Baptiste, aka “Elliot Alderson” says he has discovered security flaws in three different WordPress plugins for enterprise collaboration platform Slack.
If abused, attackers could gain access to the Slack API and pull information off a team’s Slack channels, create or archive channels, invite users, and even if they felt inclined, make posts themselves.
WordPress Plugins are widely regarded to be one of the single greatest security threats to WordPress users. For all three plugins, once integrated, the Slack Access Token became easily accessible in a website’s source code, giving an attacker access to that user’s Slack channel and everything on it.
1/ THREAD: I'm stuck in my current task and it's raining outside. I need to kill some time so I'll publish 3 0days in this thread pic.twitter.com/qWw4EEMC97
The plugins affected are WP Intercom – Slack for WordPress; an “old version” of the WP SlackSync WordPress plugin and the SlackChat plugin. (After attempting to do the right thing – responsible disclosure – and contact the plugin creators about the issue, just the WP SlackSync Plugin creator responded and issued a patch, Baptiste said.
As he notes, “beware WordPress plugins”. (With WordPress powering over 30 percent of the world’s websites, it’s a warning to take to heart.)
WordPress itself last month rolled out a host of new security updates as part of its 5.2 update, including improvements to its own security infrastructure. Starting with WordPress 5.2, user’s website will remain secure even if the wordpress.org servers get hacked, WordPress said. (A not insignificant risk…)
“We are now cryptographically signing WordPress updates with a key that is held offline, and your website will verify these signatures before applying updates” WordPress said. Scott Arciszewski, Chief Development Officer at Paragon Initiative Enterprises, a developer heavily involved in securing the WordPress update system, meanwhile recently published a security guide for WordPress plugin developers.