
When you install a plugin in WordPress you can choose to activate or deactivate it.

Let's say you have a plugin whose latest version is vulnerable to XSS, for example, and you're waiting for a security fix to be released. Should I disable or uninstall the plugin? What is recommended?

A plugin is just a bunch of PHP (and other) files, and when it's installed it sits in a directory on the web server, so if a function is called from the outside by an attacker it will get executed whether the plugin is "active" or not. A mitigation from a WAF or some .htaccess rules to deny access might be used to block access to the vulnerable files until they are updated to the new (safe) version.

It is better to uninstall the plugin and delete all the files, unless that's not possible because it would alter the website too much and you don't want to give up some functions.

Bob Ortiz
Fabio
  • If a file is on a system, it can probably be executed. It might not have quite as much access as it would when executed within WordPress (e.g. it might not have DB access, if it uses WordPress-specific methods), but a malicious plugin would be able to use generic methods which would probably work. – Matthew Jun 22 '16 at 14:53
  • Define "inactive". If wordpress doesn't actively link to it but the file is still there, it can and will be found by bots specifically looking for its URL. – Shadur Jun 25 '16 at 13:48
  • Yes, and https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline also recommends removing those plugins. – Fabio Jun 25 '16 at 13:51

2 Answers


It depends on the plugin. They can be exploitable if there is, say, a PHP script that can be called directly (one that doesn't depend on WordPress code, or that includes the right statements to load the WordPress libraries it needs).

You can attempt to block direct access to the files via .htaccess or server configuration, but there are ways around that. Removing it entirely is better in general; after all, you can't run a file that doesn't exist.

Ultimately it depends on the vulnerability and the script it's in.

ewanm89
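The question's suggestion of denying access with .htaccess rules, and the answer above's point that such blocking is only a stopgap, both come down to one question: which PHP files in the plugin directory will execute on a direct request without WordPress ever being involved? The script below is an added example (not from the question or either answer) that audits a plugin directory for that, and writes the deny rule as a temporary measure. Everything here is my own assumption rather than something the page states: that the plugin lives under wp-content/plugins/<name>, that a file counts as "guarded" if it exits when the ABSPATH constant is undefined (the conventional check that the file was included by WordPress), and that a file which loads wp-load.php or wp-config.php itself is worth flagging on its own, because it runs with the full WordPress API when requested directly. The sample plugin tree it builds is constructed for the demo and is not a real plugin.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: audit a WordPress
# plugin directory for PHP files that execute on a direct HTTP request while the
# plugin is deactivated, and write an .htaccess that denies such requests until
# the plugin is patched or deleted.
#
# Assumptions (mine, not the page's): the plugin lives under
# wp-content/plugins/<name>; a file is "guarded" if it aborts when ABSPATH is
# undefined, i.e. when WordPress did not include it; a file that pulls in
# wp-load.php or wp-config.php itself (the the-ajax-caller.php pattern from the
# Wordfence report) is flagged separately because it runs with the full
# WordPress API when hit directly.

# List every .php file under $1 that has no ABSPATH guard, one path per line.
unguarded_php_files() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        if ! grep -Eq "defined\([[:space:]]*['\"]ABSPATH['\"][[:space:]]*\)" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# List .php files under $1 that bootstrap WordPress on their own.
self_bootstrapping_php_files() {
    grep -rlE --include='*.php' \
        "(require|include)(_once)?[^;]*wp-(load|config)\.php" "$1" | sort
}

# Write an .htaccess into $1 that refuses direct requests for any .php file.
# Static assets (.css, .js, images) stay reachable. Apache 2.4 syntax; the
# directory must be covered by AllowOverride for the file to be honoured.
write_php_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Deny direct HTTP access to this plugin's PHP files; WordPress still
# includes them server-side, so an active plugin keeps working.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
}

# Build a constructed sample plugin tree (not a real plugin) so the script
# runs offline; prints the directory it created.
make_sample_plugin() {
    dir=$(mktemp -d)/sample-plugin
    mkdir -p "$dir/inc"
    # Guarded entry point: exits unless WordPress loaded it.
    printf '%s\n' '<?php' \
        "if ( ! defined( 'ABSPATH' ) ) { exit; }" \
        'function sp_init() {}' > "$dir/sample-plugin.php"
    # Unguarded helper: executes on a direct request, without WordPress.
    printf '%s\n' '<?php' 'echo "helper";' > "$dir/inc/helper.php"
    # Self-bootstrapping dispatcher in the style the Wordfence report describes.
    printf '%s\n' '<?php' \
        "require_once dirname(__FILE__) . '/../../../../wp-load.php';" \
        '$action = esc_attr(trim($_POST["action"]));' \
        "do_action('wp_ajax_nopriv_' . \$action);" > "$dir/inc/the-ajax-caller.php"
    printf '%s\n' "$dir"
}

# Usage: sh plugin-audit.sh /var/www/html/wp-content/plugins/<name>
if [ $# -eq 1 ]; then
    echo "== PHP files without an ABSPATH guard (directly executable) =="
    unguarded_php_files "$1"
    echo "== PHP files that load WordPress themselves =="
    self_bootstrapping_php_files "$1"
fi
```

Two caveats on the deny rule. It is a stopgap, as the answer above says: a file that is unguarded but loads WordPress itself is exactly the one an attacker wants, and the rule only helps as long as Apache honours the .htaccess (nginx ignores it entirely). And it blocks every .php file in the plugin, so a plugin that deliberately exposes a PHP endpoint for direct calls will break; WordPress's own AJAX goes through wp-admin/admin-ajax.php and is unaffected. Once the plugin is gone, none of this matters, which is why deleting it (for example with WP-CLI's `wp plugin delete <name>`) remains the better answer.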

There are some vulnerabilities that will work even when the plugin is disabled. Delete plugins that have vulnerabilities with no patches: inactive plugins aren't doing anything for your site.

For example, Wordfence reported on a vulnerability in the Total Donations plugin that exploited the following code:

// Vulnerable code as reported by Wordfence (behaviour intentionally unchanged).
// $action comes straight from the request; esc_attr() only HTML-escapes it,
// it does not restrict which function name ends up here.
$action = esc_attr(trim($_POST['action']));

// The attacker-controlled string is registered both as the hook name and as
// the callback, for logged-in and anonymous users alike.
add_action("wp_ajax_".$action , $action);
add_action("wp_ajax_nopriv_".$action , $action);

// The hook is then fired immediately, so any named PHP function is called.
if(is_user_logged_in())
    do_action('wp_ajax_'.$action);
else
    do_action('wp_ajax_nopriv_'.$action);

The explanation they give for this is as follows:

The script, the-ajax-caller.php, loads the site’s WordPress environment and subsequently registers and executes whichever AJAX action is passed, even when Total Donations is deactivated. This can also be used to call any arbitrary function, regardless of whether it’s associated with the Total Donations plugin at all, posing additional security risks on its own.

Laurel