XSS Warning
-
According to Patch Stack, <= 2.1.17 is vulnerable to Cross Site Scripting. I see the warning when logging to ManageWP, but do not see it listed as a security issue by Wordfence. Will there be an upgrade to your plugin, or should I find a replacement plugin?
-
Hi @des2019, this is the first time we’ve been made aware of this. If you could share some more detailed information on the warnings you’ve seen we can investigate further. Thanks.
Hi,
Here’s where the notice is posted: https://patchstack.com/database/wordpress/plugin/tealium/vulnerability/wordpress-tealium-plugin-2-1-17-cross-site-scripting-xss-vulnerability?_a_id=350
What puzzles me most is that Wordfence makes no mention of this vulnerability, and I haven’t been able to find anything about it other than what Patch Stack is showing.
Thanks for sharing those details. We do operate a VDP (https://tealium.com/vdp/). I’ll check with our InfoSec team to see if the author has shared any further details around the steps to reproduce the issue.
The information on PatchStack states that administrator privileges are required to perform an attack. If that’s the case, then I suspect that the author is referring to the plugin feature where you can provide your own tag code that will be added to your WordPress templates. Whilst I can see an argument for this being exploited maliciously, if a bad actor had gained admin access, then it would be one of many areas within the WordPress platform where code could be injected into templates. The low severity/likelihood rating might explain why this hasn’t been picked up by Wordfence.
I appreciate you looking into this; thank you!
As of this morning, this is now being picked up by Wordfence.
Hi,
Are you working on a patch for this, or should I delete this plugin?
Hi @des2019,
The report relates to the ‘Advanced Tag Code’ feature within the plugin:

This was added some years ago in response to a request from a customer who had internal reasons to deviate from our standard method of loading the Tealium utag.js file.
There’s no easy way to sanitize the input of that field without also invalidating the intended functionality. I’m also aware of a few customers who are actively using it, so deprecating it is also not ideal.
On a standard WordPress installation there are other areas of the admin console where users with Administrator privileges can edit files and potentially inject code. For example, the file editor within the template section. One option might be to disable the Advanced Tag Code option within the Tealium plugin if we can see that the template file editor has also been disabled.
It looks like the file editor can be disabled by adding define( 'DISALLOW_FILE_EDIT', true ); to your wp-config file. We could potentially use this value to determine if we should enable the advanced tag code option in our plugin, on the assumption that if a user is willing to accept the risk of administrators being able to add code directly to template files, they’re probably also ok with the same functionality existing in a plugin. However, there are probably other ways to disable template edits (e.g. directory permissions at a server level). How are you mitigating the risk of admins using the template editor on your instances of WordPress?
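One way a plugin could implement the gating described above, as an added PHP example that is not the Tealium plugin’s own code: the raw-code field is only saved and only output while WordPress’ file editor is enabled, and the plain-text fields get strict sanitizing. All example_* names and the option keys are hypothetical.

```php
<?php
// Added example, not the Tealium plugin's own code: gate a raw-code field on
// the same constants that disable WordPress' file editor, and sanitize the
// plain-text fields. All example_* names and the option keys are hypothetical.

// True when the site owner has switched off the theme/plugin file editor.
function example_file_editor_disabled() {
    return ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
        || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS );
}

// Saving raw code additionally requires a user who may post unfiltered HTML.
function example_can_save_advanced_tag_code() {
    return ! example_file_editor_disabled() && current_user_can( 'unfiltered_html' );
}

// Sanitize callback: plain-text fields are normalised strictly; the raw-code
// field is kept verbatim only while the feature is permitted, else cleared.
function example_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array(
        'account'           => sanitize_key( $input['account'] ?? '' ),
        'profile'           => sanitize_key( $input['profile'] ?? '' ),
        'environment'       => 'prod',
        'advanced_tag_code' => '',
    );
    if ( in_array( $input['environment'] ?? '', array( 'dev', 'qa', 'prod' ), true ) ) {
        $clean['environment'] = $input['environment'];
    }
    if ( example_can_save_advanced_tag_code() ) {
        $clean['advanced_tag_code'] = (string) ( $input['advanced_tag_code'] ?? '' );
    }
    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'example_tealium', 'example_tealium_settings',
        array( 'sanitize_callback' => 'example_sanitize_settings' ) );
} );

// Front-end output: the raw field is ignored once the editor is disabled, so
// disabling it in wp-config also neutralises anything stored earlier.
add_action( 'wp_head', function () {
    $s = get_option( 'example_tealium_settings', array() );
    if ( example_file_editor_disabled() || empty( $s['advanced_tag_code'] ) ) {
        return; // fall back to the plugin's standard utag.js loader instead
    }
    echo $s['advanced_tag_code']; // intentionally unescaped: this is the raw-code feature
} );
```

Note that the output hook checks only the wp-config constants, not the current user, because front-end visitors are anonymous; the capability check belongs on the save path.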
Hi,
Thank you for your detailed explanation!
The plugin was installed by the marketing company. I checked the settings and they’re not using the Advanced Tag Code section. I’m going to find out if they can provide me with a conversion tracking code that I can manually place into the header or footer.
Too bad there’s no way for you to patch the security risk so that Wordfence stops putting up that warning.
@des2019 excuse the change in user, the screenshot in my last message was flagged for review and now my ‘Tealium’ user seems to be blocked from responding to this thread!
I’ve released an updated version of the plugin today (v2.1.18). This update adds input sanitizing to all non-HTML fields that the plugin creates. The ‘Advanced Tag Code’ field isn’t sanitized for the reasons I previously mentioned, but it is now disabled if you disable the template file editor in your wp-config file.
Hi,
To be sure I’m understanding this upgrade: It will only solve the security problem if I do the upgrade AND also disable the template file editor in your wp-config file?
I just updated the plugin and it crashed the website: There has been a critical error on this website.
As mentioned, the plugin upgrade crashed the website. I had to deactivate the plugin via FTP, then rollback to the previous version 2.1.17.
@des2019 apologies, there was an issue with 2.1.18 when running PHP8, I’ve released 2.1.19 to address this.
Regarding:
It will only solve the security problem if I do the upgrade AND also disable the template file editor in your wp-config file?
Disabling the template editor will also disable the plugin’s ability to allow admin users to add code to templates. This is on the assumption that if a site owner is happy for admins to have the ability to edit template code in one area of WordPress, then they’re also ok for that to be true within a plugin too.
Thank you for all of your help! In the end, we decided to place the Tealium tag in the functions file and remove the plugin.