YITH Plugin Framework Vulnerability
Following the advisory CVE-2019-16251 published by Jerome Bruandet of NinTechNet in August 2019, we learned of two vulnerabilities affecting our plugins that use plugin framework version 3.3.7 or lower.
What is the YITH Plugin Framework? And why is it used?
Wikipedia describes a framework as "[...] a logical architecture of support (often a logical implementation of a specific design pattern) on which software can be designed and created". In simple terms, a framework provides a basic structure common to all software projects built on it. It would be impractical, and above all useless, to rewrite that common code from scratch every time. It would also violate the DRY (Don't Repeat Yourself) principle, according to which repetition in a software implementation should be avoided.
Therefore, while on one hand the use of a framework simplifies development and maintenance of the code, on the other hand (and this is our case) it has the downside of spreading a bug to every product that uses it. Likewise, once the problem is fixed, every product built on that framework benefits from the fix.
NinTechNet is a computer security company. Besides the security products it sells, it also performs security testing of software products.
In August 2019, Jerome of NinTechNet contacted us to inform us about two vulnerabilities in our framework. You can read the full note here: Authenticated settings change vulnerability in YIT Plugin Framework
The issue they found was that any logged-in user with access to the administration area could change the settings in the options panel, even without the capability to do so. Following this warning, we ran tests, identified the issue and fixed it.
In September 2019, we sent the new version of the YITH Plugin Framework to the NinTechNet team, who confirmed after further testing that the issues were solved.
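As an added illustration in generic WordPress terms (not the framework's own code, which this post does not show), here is the class of bug described above: an options-panel save handler that trusts any logged-in admin-area user, beside a hardened version that checks the user's capability and a nonce. The `example_*` function, option and nonce names are assumptions.

```php
<?php
// Added example, not YITH framework code. Names prefixed example_ are assumptions.

// VULNERABLE pattern: runs on admin_init for every logged-in user and stores
// whatever was posted. Any user who can reach wp-admin can change the option.
function example_save_settings_unsafe() {
    if ( isset( $_POST['example_setting'] ) ) {
        // No authorization check, no nonce check, no sanitization.
        update_option( 'example_setting', $_POST['example_setting'] );
    }
}
// add_action( 'admin_init', 'example_save_settings_unsafe' ); // kept disabled

// HARDENED pattern: authorization, CSRF protection and input sanitization.
function example_save_settings_safe() {
    if ( ! isset( $_POST['example_setting'] ) ) {
        return; // nothing submitted
    }
    // 1. Authorization: only users allowed to manage options may save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce issued to this user for this action.
    check_admin_referer( 'example_save_settings', 'example_nonce' );
    // 3. Sanitize before storing.
    $value = sanitize_text_field( wp_unslash( $_POST['example_setting'] ) );
    update_option( 'example_setting', $value );
}
add_action( 'admin_init', 'example_save_settings_safe' );

// The settings form must emit the matching nonce field for the safe handler.
function example_render_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="text" name="example_setting" value="'
        . esc_attr( get_option( 'example_setting', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```

The capability check is the fix for the authorization issue; the nonce check additionally stops a third-party page from submitting the form on behalf of an administrator.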
The new version of YITH Plugin Framework
On September 9, 2019, we released version 3.3.8 of the YITH Plugin Framework. All our plugins updated after this date include the fixed version of the framework.
How to verify whether the plugin version you use was updated after September 9, 2019
If you have access to the WordPress dashboard, you can simply verify the update status of your plugins in the Plugins section. Here, you can find the list of your plugins with related information about the updates available.
WordPress highlights available updates with a yellow bar. You can also view the changelog by clicking on the View Details link:
Conversely, if you are not using one of our plugins yet and want to verify its update status before installing it, you can proceed as follows:
go to our site, yithemes.com, and visit the plugin's landing page. On the right side of the page, you will find a box with all the information about updates.
For example, if you have purchased the plugin YITH WooCommerce Multi Vendor, when visiting its landing page you will find the box shown below with information about the updates:
At the bottom of this box, you will find a link to view the complete changelog of the plugin. You can, therefore, verify when a specific version has been released:
For free plugins, the procedure is the same as for premium plugins, but the changelog is available on wordpress.org. For example, by visiting the YITH WooCommerce Multi Vendor landing page on wordpress.org, you will find the complete changelog in the Development tab:
Please note: ALL versions released after September 9, 2019, both FREE and PREMIUM, include framework version 3.3.8 or higher, even when the changelog does not show the entry "Update: Plugin framework".
All YITH plugins currently include version 3.3.8 or higher of the plugin framework which provides security fixes.
Open source code has the advantage that anyone can read the source, test it and report bugs or vulnerabilities to the developer, helping to keep the code clean, safe and performant.
As a general rule, it is good practice to keep the whole platform updated. This is the best way to be sure the platform is safe and supported and benefits from the latest features and fixes added by developers over time.
We want to thank the NinTechNet team for notifying us about the issue and Jerome for providing us with the technical details of the issue and testing the new version of our framework after the fixes.