WordFence Alerts Critical for Vulenrability

Thanks Tobias. I’ve asked WordPress why this has been flagged only now, when it’s 3 years old. I’ve been using Tablepress for some years, and it’s the first I’ve heard of it. Either it’s an erroneous warning, or they’ve missed it for 3 years.

Thank you, @tobiasbg !

@tobiasbg I’ve got a paid subscription with them so when I saw your post this morning asking for help getting them to review it, I sent in a support request.

This is the response I got from Wordfence at about the same time you posted they had contacted you:

Thanks for reaching out to us.  The Tablepress plugin does have an active risk of a CSV Injection.  All versions are vulnerable including 1.14. Our team has already reached out to the developer and provided them with the details.   The vulnerability is not critical as it has a lower chance of being exploited but it is still a valid security issue.  It's Wordfence's job to alert our users to these vulnerabilities.  We don't try to guess if they might be compromise as a result of the vulnerabilities or not.  

As I mentioned, we have already contacted the plugin author and have informed them of the details.  As this has a smaller risk of being exploited you can use your own judgment about continuing it's use.  However, we generally recommend any plugin with an unpatched active vulnerability be replaced or removed.

I read your explanation and it makes sense. I hope they realize that also. It’s a FANTASTIC plug in. Seems to me the only way to satisfy them is to not allow the plugin to export a csv file? Which would be dumb.

Just as back then, in 2019, I deem this report to be invalid.

@tobiasbg Could you post a sticky about this here in your plugin’s support forum? When Many, many, many, MANY people pile onto a topic it gives the moderators a rash.

If anyone needs support then per the forum guidelines please start your own topic.

https://www.ads-software.com/support/forum-user-guide/faq/#i-have-the-same-problem-can-i-just-reply-to-someone-elses-post-with-me-too

You can do so here.
https://www.ads-software.com/support/plugin/tablepress/

Hi,

will gladly do that with an aftermath once I have collected some final information!

Best wishes,
Tobias

Thanks so much for your quick responses Tobias!

I also received this critical error warning from Wordfence scan.
thanks for the response.

Hi,

another update: I have contacted the organization that manages the global database of reported software security vulnerabilities (on which Wordfence bases their notification). I have explained to them why I strongly feel that this report is invalid and not a security issue in TablePress.

Best wishes,
Tobias

That’s great Tobias. I was about to recommend you did that as talking with Wordfence it became obvious that they will flag anything that appears in that database so it’s them you need to deal with.

BTW, apart from the principle of it, is there anything you could change to “fix” the issue, which sounds like it would be the easiest solution? Or are you saying that any plugin doing the same job would have the same issue because of the way WordPress works?

Hi,

I could “fix” this by removing all math formulas from the table when someone exports a table to the CSV format (which essentially is just a normal text file with a special structure). While this would not cause issues for users that don’t use math formulas in TablePress, it could cause nightmares for users that do (and there are many users that do use formulas!) — given that the CSV format is a very good human-readable backup and interchange file format for table data.

Instead, users should just not simply purposefully ignore the security warning that Excel shows when someone wants to open a CSV file that contains potentially dangerous formulas. (This is exactly what’s being done in the proof of concept video of the CVE report!). Excel will not show such a warning (as it’s not needed) if a CSV file without formulas or with clearly safe formulas (i.e. simple math formulas) is being opened.

Regards,
Tobias

Thanks Tobias. I’m puzzled as to why Excel is involved. I thought all the plugin does is display tables on web pages. How, for example, are they saying there is a vulnerability in my table on this page?
https://www.whitegoodshelp.co.uk/washing-machine-spin-speed-efficiency/

@xyzed there isn’t a vulnerability in your table.

If you put a malicious formula in your table.
AND you exported it as a CSV.
AND you opened it in Excel.
AND you ignored the PROTECTED VIEW warning at the top of Excel.
AND you clicked ‘Enable Editing’.

THEN and ONLY THEN could Excel could run the malicious formula and you’d have a vulnerability.

Any text editor or plug-in that writes or exports a CSV file can do this, but because TablePress was used in the example to create the file so they’ve singled it out.

Thanks Mike. I know there isn’t, I should have phrased it better. I meant, what are “they” claiming is the theoretical vulnerability? Thanks for a clear explanation, which has helped me understand it properly. It’s as Tobias said, there’s no vulnerability that isn’t present on wordpress. In other words, anyone gaining unauthorised admin access to a website could add malicious code anywhere. And if they did insert malicious code into a table, it couldn’t cause any trouble unless a user carried out the steps you listed.

On all of my pages, there is no way for anyone to export my table as an option. Does this option exist in the plugin? In other words, if I found a setting in Tablepress could I enable an option for visitors to export my table? If so, I wonder how many users need to do that, and couldn’t it be disabled to solve the problem?

Hi,

@mikeverduin: I couldn’t really have explained it better, thank you!

(Just one remark, as @xyzed notes: The thing is not that, in step 1, “you” put a malicious formula into the table, but some bad guy after e.g. stealing the password of some other user on the site or after hacking the site in some other way.)

So, if one wants to see a security vulnerability here (and not just “user error” or “user fault” for ignoring/clicking away at least one explicit security warning from Excel (which will only be shown for potentially malicious formulas, but not for legitimate simple math formulas)), that vulnerability would be with Excel (for not properly sanitizing data that it reads in). The vulnerability would not be in the software/tool/plugin that was used to create the CSV file — as otherwise one would have to say that every programming IDE or even simple text editor like Notepad would have that vulnerability.

@xyzed: The export feature that is talked about is in the TablePress admin area, under the “Export” tab (looking like this). It’s useful and used a lot for e.g. backing up tables to CSV files that are then stored on a local computer, or having a file to be able to transfer a table to a different site, or to just continue working on a table in an external app.

Regards,
Tobias