Support » Plugin: Events Shortcodes & Templates Addon For The Events Calendar » Security Problem: Plugin is calling PHP file(s) directly

  • Resolved KZeni

    (@kzeni)


    – The Problem –
    It appears iframe-font-preview.php is being called directly & that’s problematic when WordPress hosting/sites are properly hardened to prevent that potentially harmful attack vector.

    It’s a WordPress theme & plugin guideline to not call PHP files directly as this can be a serious security issue. Instead, the files should be included and then have their functions/hooks/etc. called via the WordPress system (which then has better control & view into what’s being done for security purposes & code interoperability as well as certifying that the code being run wasn’t just some random file that was uploaded & is really part of the plugin/system.)

    As such, there are actually WordPress hosting providers, plugins (Sucuri being one of many), and configurations that specifically disable the ability of a PHP file located in a theme or plugin to be called directly. This importantly makes it so a malicious PHP file that might somehow be uploaded to the site can’t then just be executed by visiting that file (per it then being blocked). This then, unfortunately, blocks parts of plugins/themes that don’t follow the guideline & just have PHP file(s) being called directly (when that’s totally avoidable as mentioned above.)

    – Potential Fix –
    In the case of iframe-font-preview.php, I see no reason it can’t just load the parent page URL with a GET variable appended to it (with all of the others it needs for displaying the specific preview) to be noticed by a hook/function that then has it output what that direct PHP file call would show.

    There might be cases outside of iframe-font-preview.php, but that one is for sure actively problematic, at the moment.

    Again, this is an important security precaution where this direct PHP file being called should be redone. Also, this plugin is actively breaking on assorted hosting/setups that have things hardened against this potential attack vector as a whole.

    https://wordpress.org/support/article/hardening-wordpress/#code-execution-plugins specifically calls out this guideline and details the officially recommended way (have it display a page like any other and adapt it as needed for what’s being shown [assuming it isn’t otherwise an admin-ajax.php related function instead of a page-style output]) to avoid this problem.
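
The routing the post proposes, written out as an added example. This is not code from the Events Shortcodes & Templates Addon or from Titan Framework; it only shows the pattern: the iframe points at the parent admin page with a GET parameter appended, a hook inside WordPress notices that parameter and emits the preview, and the standalone PHP file is no longer requested at all. The "esat_" prefix, the query parameter "esat_font_preview", the settings page slug "esat-settings" and the allowed-font list are all assumptions made for the example; the code assumes it is loaded by WordPress as part of a plugin.

```php
<?php
/**
 * Added example (not from the plugin or from Titan Framework).
 * Assumptions: "esat_" prefix, query parameter "esat_font_preview",
 * settings page slug "esat-settings", and the font allow-list below.
 * Only runs inside WordPress.
 */

if ( ! defined( 'ABSPATH' ) ) {
    // Requested directly (e.g. /wp-content/plugins/x/this-file.php):
    // WordPress did not load us, so stop before any code runs.
    exit;
}

/*
 * BEFORE (the pattern the post objects to), reproduced only as a comment.
 * The options page embeds
 *   <iframe src=".../wp-content/plugins/<plugin>/iframe-font-preview.php?font=Roboto">
 * and that file reads $_GET on its own, outside the WordPress bootstrap:
 * no capability check, no nonce, no escaping helpers, and a host that
 * denies PHP execution under wp-content/plugins/ simply returns 403 for it.
 */

/** Constructed allow-list; a real plugin would derive this from its font source. */
function esat_allowed_fonts() {
    return array( 'Roboto', 'Open Sans', 'Lato' );
}

/**
 * Build the URL the <iframe> loads: the parent settings page plus our GET
 * parameters, signed with a nonce so only the current session can request it.
 */
function esat_font_preview_url( $font ) {
    $url = add_query_arg(
        array(
            'esat_font_preview' => '1',
            'font'              => $font, // add_query_arg URL-encodes the value
        ),
        admin_url( 'admin.php?page=esat-settings' )
    );
    return wp_nonce_url( $url, 'esat_font_preview' );
}

/**
 * Serve the preview from inside WordPress. Runs on every admin request, does
 * nothing unless our parameter is present, and exits after output so the
 * normal settings page is not rendered around the preview.
 */
function esat_serve_font_preview() {
    if ( empty( $_GET['esat_font_preview'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'esat_font_preview' ); // dies on a missing or stale nonce

    $font = isset( $_GET['font'] ) ? sanitize_text_field( wp_unslash( $_GET['font'] ) ) : '';
    if ( ! in_array( $font, esat_allowed_fonts(), true ) ) {
        $font = esat_allowed_fonts()[0]; // never echo an attacker-chosen string into CSS
    }

    nocache_headers();
    header( 'Content-Type: text/html; charset=utf-8' );
    echo '<!DOCTYPE html><html><head><meta charset="utf-8">';
    echo '<style>body{font-family:"' . esc_attr( $font ) . '",sans-serif;font-size:24px}</style>';
    echo '</head><body>' . esc_html( 'The quick brown fox jumps over the lazy dog' ) . '</body></html>';
    exit;
}
add_action( 'admin_init', 'esat_serve_font_preview' );

/**
 * Where the settings page renders the preview: emit the iframe with the
 * WordPress-routed URL instead of a direct path into the plugin folder.
 */
function esat_render_font_preview_iframe( $font ) {
    printf(
        '<iframe src="%s" width="400" height="80" title="Font preview"></iframe>',
        esc_url( esat_font_preview_url( $font ) )
    );
}
```

A quick check on a hardened host: requesting the old file path under wp-content/plugins/ directly should return 403 (that is the deny rule the post describes hosts and plugins such as Sucuri applying), while the iframe that now points at the admin page URL keeps rendering, because the request is dispatched through wp-admin like any other page. The ABSPATH guard at the top is the minimum a plugin file should carry even when it is not the one being embedded.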

Viewing 1 replies (of 1 total)
  • Plugin Support Jyoti Bhandari

    (@jyoti197)

    Hi @kzeni,

    Thank you for your findings. We are glad you helped us figure out such a major security bug.
    The file is actually called inside a frame and all the GET requests are happening inside the iframe with direct URL access.
    Due to this direct file request, the font preview was actually not working through the parent page URL. We have managed to prevent direct access to the file.
    We understand there are many other weak points in the Titan Framework (the issue belongs to it) and we are already looking to switch to a more stable and secure framework in the future.
    We have fixed this bug; please update your installed plugin to the latest version, 1.6.1.

    Thanks & Regards
