Resolved: amadigan (@amadigan)

    We discovered the following code injection security vulnerability in the Prime Mover plugin. We are running WP 6.0.3 and PHP 8. Can you please respond to let us know whether you agree it is an issue, and if so when it will be addressed? If you do not consider it an issue, we would appreciate an explanation of why. Thank you.

    Locations:
    Lines 194 and 421 of
    …/class-fs-plugin-updater.php

    Description:
    The software allows untrusted input to be fed directly into a function (e.g. “eval”) that dynamically evaluates and executes the input as code, usually in the same interpreted language that the product uses.

    Recommendations:
    Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input.
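    As an added illustration of the weakness class described above (not code from Prime Mover, the Freemius SDK, or the reporter), the PHP below shows the pattern the report refers to, request data reaching eval(), next to a hardened version that performs no dynamic evaluation and instead validates the input and dispatches through a fixed allowlist. The `callback` request parameter, the `$request` array, and the example function names are assumptions chosen for illustration.

```php
<?php
// Added example, not Freemius SDK or Prime Mover code. The request shape
// ($request['callback']) and the example callback names are assumptions.

// Vulnerable pattern: untrusted input is concatenated into eval(), so whoever
// controls the request parameter controls the code that runs.
function run_callback_unsafe(array $request): mixed
{
    $code = $request['callback'] ?? '';
    return eval("return {$code};"); // the defect the report describes
}

// Hardened pattern: no eval() at all. The input is checked against a strict
// format, then mapped through a fixed allowlist to a known callable.
const ALLOWED_CALLBACKS = [
    'clear_cache'  => 'example_clear_cache',
    'check_update' => 'example_check_update',
];

function run_callback_safe(array $request): mixed
{
    $name = $request['callback'] ?? '';
    // Centralized format check: short, lowercase identifier only.
    if (!is_string($name) || !preg_match('/^[a-z_]{1,32}$/', $name)) {
        throw new InvalidArgumentException('callback name has unexpected format');
    }
    // Even well-formed names must be explicitly allowlisted.
    if (!array_key_exists($name, ALLOWED_CALLBACKS)) {
        throw new InvalidArgumentException('callback not in allowlist');
    }
    return call_user_func(ALLOWED_CALLBACKS[$name]);
}

function example_clear_cache(): string
{
    return 'cache cleared';
}

function example_check_update(): string
{
    return 'update checked';
}

// Constructed sample inputs: one accepted, one rejected before any dispatch.
echo run_callback_safe(['callback' => 'clear_cache']), PHP_EOL;
try {
    run_callback_safe(['callback' => 'not a name()']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

    The point of the hardened form is that the validated string is never executed; it is only used as a lookup key, so a format check plus an allowlist removes the code-evaluation sink entirely rather than trying to sanitize code.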

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Codexonics

    (@codexonics)

    Hi,

    Thanks for creating the ticket. The code you mentioned is from the Freemius SDK library, which is used by several WordPress plugins including Prime Mover. I’m now coordinating with the Freemius team regarding this issue so they can provide their official feedback on this code.

    Please always update to the latest Prime Mover version (currently version 1.7.1), since it uses the latest Freemius SDK, 2.5.2. So far, the latest version has no known vulnerabilities reported from their end.

    The Freemius team might also contact you for additional details and will give official feedback on this issue later on.

    Cheers!

    • This reply was modified 1 year, 11 months ago by Codexonics. Reason: simplify reply
    Plugin Author Codexonics

    (@codexonics)

    Hello,
    OK, we have an update. This is the Freemius team’s reply:

    Thanks for reaching out. I checked lines 194 and 421 but I didn’t see anything that dynamically evaluates and executes an input as code. I recommend asking them to send you the /class-fs-plugin-updater.php file that they have on their site so that we can check the exact lines that they’re reporting.

    Can you please zip the /class-fs-plugin-updater.php that returns the injection error (the one on your site) and then send us the link to download it via our official contact page.

    The Freemius team will double-check this file. Thank you!

    Plugin Author Codexonics

    (@codexonics)

    There is a new update today of Prime Mover (version 1.7.2) that also upgrades the Freemius SDK library to the very latest version. It is always recommended to use the latest release. I’m closing this ticket as it’s now outdated. If you have something new to add, please re-create another ticket. Thanks!

  • The topic ‘Code Injection’ is closed to new replies.