The report relates to the ‘Advanced Tag Code’ feature within the plugin:
This was added some years ago in response to a request from a customer who had internal reasons to deviate from our standard method of loading the Tealium utag.js file.
There’s no easy way to santize the input of that field without also invalidating the intended functionality. I’m also aware of a few customers who are actively using it, so deprecating it is also not ideal.
On a standard WordPress installation there are other areas of the admin console where users with Administrator privileges can edit files and potentially inject code. For example, the file editor within the template section. One option might be to disable the Advanced Tag Code option within the Tealium plugin if we can see that the template file editor has also been disabled.
It looks like the file editor can be disabled by adding define( ‘DISALLOW_FILE_EDIT’, true ); to your wp-config file. We could potentially use this value to determine if we should enable the advanced tag code option in our plugin, on the assumption that if a user is willing to accept the risk of administrators being able to add code directly to template files, they’re probably also ok with the same functionality existing in a plugin.
However, there are probably other ways to disable template edits (e.g. directory permissions at a server level). How are you mitigating the risk of admins using the template editor on your instances of WordPress?
Thanks for sharing those details. We do operate a VDP (https://tealium.com/vdp/) I’ll check with our InfoSec team to see if the author has shared any further details around the steps to reproduce the issue.
The information on PatchStack states that administrator privileges are required to perform an attack. If that’s the case, then I suspect that the author is referring to the plugin feature where you can provide your own tag code that will be added to your WordPress templates. Whilst I can see an argument for this being exploited maliciously, if a bad actor had gained admin access, then it would be one of many areas within the WordPress platform where code could be injected into templates.
The low severity/likelihood rating might explain why this hasn’t been picked up by Wordfence.
Hi @des2019, this is the first time we’ve been made aware of this. If you could share some more detailed information on the warnings you’ve seen we can investigate further. Thanks.
@mikeg_de thank you. The admin page was calling join() with the array to join followed by a string of the separator, this has been deprecated in PHP 8 and it is now expected that the separator will come first followed by the array to join/implode. I’ve just released version 2.1.16 to address this.
We’ve just released a new version of the plugin (2.1.14) which will create an additional data layer variable called user_role. You should be able to use this when creating load rules in TiQ to exclude logged in users based on role.
Hope that’s useful – we felt that removing the tag completely for logged in users might prove confusing.
It should be possible. I’d recommend contacting our support team on [email protected] and explain what you’re seeing. They should be able to provide some suggestions.
That’s a good idea, thank you for suggesting it. I’ll look into working it into the next release.
I think the current user role should also be added to the data layer. Doing so would enable you to build load rules in TiQ around the user and achieve a similar thing with a little more control.
I’ve released a new version of the plugin (2.1.8) which includes a fix that was submitted to us through Github. I believe that it’s the same issue that you’re running into, could you update and let me know if the error is resolved?
I must admit this is the first report of this that I’ve encountered, and my test site doesn’t seem to have any issues regardless of data layer style. Which version of WP are you running? Do your error messages reveal any further detail that might be useful for debugging this?
It looks like ACF is maybe using the standard WordPress meta data concept to just store a reference to the data for each custom field, rather than the actual data.
ACF has an export feature, so you might be able to manipulate the output of that into a list of field names in a comma separated list to add to the data layer exclusions option in the Tealium plugin settings.
If you run something like this, pasting in the code from an ACF PHP export in a script outside of WordPress that should hopefully do the trick:
<?php
$names = array();
function register_field_group($groups) {
global $names;
foreach ($groups['fields'] as &$value) {
if (!empty($value['name'])) {
$names[] = $value['name'];
}
}
}
/* -- PASTE IN OUTPUT FROM ACF PHP EXPORT --
e.g...
if(function_exists("register_field_group"))
{
register_field_group(array (
));
}
*/
echo implode(', ', $names);
