DEFENDER: Ad Widget - Vulnerability

Hi WPMUDEV Security Team
Defender shows WP Ad widget Vulnerability

Ad widget
Version: 2.2
WordPress Ad Widget <= 2.11.0 - Authenticated Local File Inclusion (LFI)
Vulnerability type: LFI
This bug has been fixed in version: 2.12.0

We downloaded all plugins of that site today from wpmudev! Why is that vulnerability showing up? Are the plugins on wpmudev outdated or vulnerable?

Please explain

Thanks
Andi

  • Nastia

    Hello Andi

    Hope you're doing well!

    Looks like Defender is "confusing" the Ad Widget plugin with the WordPress Ad Widget plugin from wordpress.org:
    https://wordpress.org/plugins/ad-widget/

    The higher version of the Ad Widget plugin is 2.2 and the WordPress Ad Widget plugin is 2.15.

    I will flag our developers in here so they could provide some feedback.

    Thank you for letting us know about this issue.

    Kind regards,
    Nastia

  • Andi

    Dimitris

    Sorry, but I won't allow that as an excuse in this case!
    I reported that problem 1 month ago and absolutely nothing happened.

    A professional would simply have a look at the plugins - both - the
    https://wordpress.org/plugins/ad-widget/
    and the
    https://premium.wpmudev.org/project/ad-widget/

    With one single view, he will see how to solve the problem!

    While the WordPress-ad-widget contains several folders and files

    the one of WPMUDEV contains only one file (more or less)

    Next, a professional would have a look at the code of the wpmudev plugin and compare the head with the one of the conflicting plugin.

    It is pretty much the same but when changing the name it won't solve the problem so look further.

    In a next step he would have a look where actually an absolute or relative path to the path gets mentioned inside that plugin with the folder name. -> nowhere.

    So the solution is pretty simple: make that plugin WPMUDEV-conform by renaming the folder from ad-widget to wpmudev-ad-widget.

    Now run Defender again and the problem is solved!

    It took 5 minutes and not one month but it perhaps will take another year until that change will be applied to the plugin itself right? Come on! Please let us help!

    In general, I would suggest RENAMING all wpmudev plugins to a consistent naming scheme, which you actually have already but are not using consistently. With that general and very easy to accomplish folder naming change you could also solve many other problems and avoid conflicts with WordPress and other plugins.

    Let's hope that is changed in an update tomorrow - I hope you agree! :wink:

    By the way, WPMUDEV can demonstrate by doing that update that it maintains the plugin at least every 6 years - have a look at the changelog:

    Plugin Name: Ad widget lite
    Author: Barry Getty

    Change Log:
    ----------------------------------------------------------------------
    2.1 - 11/01/2011
    ----------------------------------------------------------------------
    - Update for WP 3.1

    1.0 - 03/06/2010
    ----------------------------------------------------------------------
    - Converted to new Widget API layout
    - Added extra options for selection

    ----------------------------------------------------------------------
    0.2
    ----------------------------------------------------------------------
    - Initial Release

    Wouldn't that be much better than confusing Defender with a plugin which is vulnerable and which doesn't even come from WPMUDEV? If you can't find the developer to rename the plugin folder, I will do it for you!

    Kind regards
    Andi

  • Oguz

    Hey Andi ,

    Hope you're well.

    Sorry for the lateness on this issue, but we are trying to solve it from the Defender side with a solid solution. Also, because this bug does not affect any of the website's functionality, our developers sometimes need to handle more urgent bugs, so the solution can take longer than expected.

    Even if we change the plugin directory name, Defender could still show the same problem for two different 3rd-party plugins. So solving this from the Defender side (if it's possible) looks more accurate.

    When we have more information about the solution we will update this thread.

    Cheers,
    Oguz
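An added example (not Defender's code and not either plugin's) showing why matching a plugin to a vulnerability record by its directory slug alone produces exactly this false positive, and how also comparing the header's Plugin Name avoids it. The two plugin headers and the vulnerability record below are constructed from the names and versions quoted in this thread.

```python
import re

# Constructed plugin headers, shaped like the WordPress header comment.
# Values are taken from the thread; the wordpress.org plugin's author is omitted.
WPMUDEV_AD_WIDGET = """<?php
/*
Plugin Name: Ad widget lite
Version: 2.2
Author: Barry Getty
*/
"""
WPORG_AD_WIDGET = """<?php
/*
Plugin Name: WordPress Ad Widget
Version: 2.11.0
*/
"""

# Constructed vulnerability record matching the advisory Defender reported.
VULN_DB = [{"slug": "ad-widget", "name": "WordPress Ad Widget",
            "fixed_in": "2.12.0", "title": "Authenticated LFI"}]


def parse_header(php_source):
    """Extract the header fields relevant for identifying a plugin."""
    fields = {}
    for key in ("Plugin Name", "Version", "Author"):
        m = re.search(rf"^\s*{key}:\s*(.+?)\s*$", php_source, re.M)
        if m:
            fields[key] = m.group(1)
    return fields


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def match_by_slug(slug, header):
    """Naive matcher: directory slug + version only. Flags 'Ad widget lite' 2.2."""
    return [r["title"] for r in VULN_DB
            if r["slug"] == slug
            and version_tuple(header["Version"]) < version_tuple(r["fixed_in"])]


def match_by_identity(slug, header):
    """Hardened matcher: the header's Plugin Name must agree with the record too."""
    return [r["title"] for r in VULN_DB
            if r["slug"] == slug
            and r["name"].lower() == header.get("Plugin Name", "").lower()
            and version_tuple(header["Version"]) < version_tuple(r["fixed_in"])]
```

Both plugins live in a folder named ad-widget, so only the hardened matcher tells the WPMUDEV "Ad widget lite" 2.2 apart from the affected wordpress.org plugin.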

  • Andi

    You had better also change the plugin name, as it would look better in the backend.

    This gets done by changing the plugin name in the adwidget-lite.php file

    I would also change the author name to WPMU DEV to keep the CI and list Barry as a contributor.

    Sites that are using that plugin only need to reactivate the plugin with its new name, as only the path has changed.

    Besides that, I would suggest adding a minimum PHP requirement of PHP 7 to the plugin to simply softly force people to update their WordPress sites.

    Kind regards
    Andi

  • Andi

    No problem we will run a separate version and will enhance it with the goal of having 7.Tim compatibility only

    As I can't upload the files here I have at least the new readme file available here
    wpmudev-ad-widget-readme.txt

    It conforms with the WordPress Guidelines in place since 2009, and the ad-widget is working without any problems after renaming the folder to a conformant naming scheme already used by WPMUDEV, which won't cause problems in future with other plugins.

    Kind regards
    Andi

    SOLUTION: Rename the folder and adjust the php file as well; optionally add a readme.txt file or download the new zip (unfortunately I can't upload it here as uploading zips is not possible).

    If some more members would help to create WP Conform readme.txt files, that job could be finished in more or less no time. WPMUDEV has 600.000 members and only 31x4 = 124 Plugins so it could be done in more or less even less than one day if only 0.1% members would help with each one plugin. (and then even 6 people could work together :wink:

    I create the readme.txt files with https://generatewp.com as here you can save the readme.txt file so it can be shared here on the forum. It would be nice if some more could help with the stuff they are using already.

    I use the following scheme:

    Plugin name: start with "wpmudev-plugin-name" - hyphen, no underscore, and wpmudev written together.

    As Contributor I fill in "WPMU DEV" in first place and add the author of the plugin as it is written in the changelog.

    As minimum version I take "4.9", as WP can now update automatically from within WordPress easily, so there is no need anymore to hire a developer to do that. Everyone can click a button :wink: At least I hope so.

    As tested version the same version as we simply don't run anymore lower versions of WP :wink:
    As Stable Tag we fill in 7.2.0.0 to reflect all future versions start running with minimum requirement on PHP 7.2.

    An example of wpmudev-e-newsletter:

    = 7.2.0.0 =
    *Release Date - 23 December 2017*

    * Fixed the security issue shown when checking the plugin by changing the folder name to wpmudev-e-newsletter
    * Fixed the Contributors tag to keep a WPMUDEV CI
    * Fixed the Title Tag to keep the WPMUDEV CI and that all WPMUDEV plugins get listed together in a visible block
    * Created a readme.txt file and integrated it - moved the changelog.txt to readme.txt
    * Changed the Version number to reflect that, starting with this version, we focus only on PHP 7.2+ improvements. Members who use older PHP versions are asked to download the last version before that one, which is Version 2.7.4.3. Thanks for understanding!

    People who like to run lower PHP versions can still download the old named version which we won't update for our customers as we also like to have a wpmudev- block in our Plugin manager which holds actually afterwards all wpmudev plugins to show more strength to our customers and to promote wpmudev (and actually the fact that we have to raise money for a membership there, much better).

    All other plugins like DIVI will be treated similar (they have only 4 plugins ;-() - right now we only use Divi-Builder and as themes DIVI and Extra anyway

    The rest of wordpress plugins in the main repository where we won't change the names.

    This gives the plugin and theme section a clear structure. All upfront stuff we will add the "uf-" if they don't have it already, the same all DIVI theme stuff will later be "divi-something" (as a divi Childtheme)

    The changelog from the changelog file we copy-paste over into the readme file, and for installation we add:

    Upload the plugin to your blog,
    Activate it
    1, 2, 3: You're done!

    as that is the usual way anyway.

    In the description field we enter:
    Copyright 2009-2013 Incsub (http://incsub.com), so that it appears at the correct place. We don't change the dates as we only copy the info over from changelog.txt so don't wonder about something like 2013 it only means that since then nobody did change anything here anymore.

    To make the 7.2 compatibility clearer to our customers we created 2 blocks.

    --------------------------------------------------------------------
    Minimum Requirement PHP 7.2 or greater
    WordPress 4.9.1
    --------------------------------------------------------------------
    VVVVVVVVVVVVVVVVVVVVVVVVVVVVV

    followed by what I already posted above as example and

    --------------------------------------------------------------
    Last Version maintained for PHP < 7.2
    --------------------------------------------------------------
    VVVVVVVVVVVVVVVVVVVVVVVVVVV

    Below it we copy-paste the old changelog.

    Concerning licenses we enter the following info:
    License: GPLv2 or later
    License URI: http://premium.wpmudev.org/project/e-newsletter

    This directs people directly to the plugin site where the info about the plugin gets listed,
    and as donate link we until now enter http://premium.wpmudev.org, perhaps later changed to our own if we work more intensively on a plugin ourselves, but first of all we like to create a good valuable base to make further improvements first :wink:

    Kind regards
    Andi
