WP Spamshield Security Threat

WP Spamshield is a malicious plugin that targets other plugins on the WordPress plugin repository to disable them and cause harm to users' sites. WP Spamshield has been removed from the WordPress plugin repository because of the malicious code it contained. One of the plugins being targeted is Plugin Organizer. Scott Allen, the author of WP Spamshield, has moved WP Spamshield to Code Canyon and is now charging people to put his malicious code on their sites. If you are running this plugin you should remove it immediately to prevent it from modifying your database and causing harm to your site. It targets other plugins and even tries to remove files that the user has installed. Here are some discussions on the topic of why it was eventually removed from the WordPress repository.

https://wordpress.org/support/topic/conflict-with-wp-spamshield-plugin/

https://wordpress.org/support/topic/post-type-plugins-wont-save-settings/

In those two support threads I pointed out to Scott Allen, the developer of WP Spamshield, that he was re-indexing the $_POST array incorrectly. Changing the $_POST array at all is a hack, and it shouldn't be done because it can cause instability, which is exactly what happened. So I released a fix for Plugin Organizer that stopped his code from re-indexing the $_POST array. He responded by releasing a version of WP Spamshield that disabled Plugin Organizer and deleted all files related to it. I then released a version of Plugin Organizer that deactivated WP Spamshield before it could do any of that. He in turn released a new version of WP Spamshield that deleted Plugin Organizer from within an MU plugin file that loaded before PluginOrganizerMU.class.php.

Rather than continue to release countermeasures to Scott Allen's malicious code, I reported him to the WordPress admins, and they told both of us to remove our code that disables the other, which I was more than happy to do since that's all I wanted in the first place. After two weeks he had still not released a clean version of WP Spamshield. That's when the WordPress admins got tired of waiting and removed WP Spamshield from the repository.

Since Red Sand Media Group has released their malicious code on Code Canyon, I can't look at their code to see what new hacks they have added. I have no doubt the new version is even more harmful to users since they don't have to follow the guidelines laid out by wordpress.org. In the last version available on the WordPress repository, the code targets several other plugins from within the MU plugin file, which deletes files before the site has started to load standard plugins. It also targets database tables and options for other plugins in the various "compatibility" classes contained within the standard plugin files, in an attempt to break those other plugins.

Here are the two functions that target Plugin Organizer. The first is located in includes/class.compatibility.php at line 306 of version 1.9.21. As you can see, it completely disables Plugin Organizer by turning off selective plugin loading. Then it modifies the saved plugin load order, which has the potential to crash a site if the user had changed the load order to fix a conflict.

static public function deconflict_po_01() {
	/**
	 *	Make sure WP-SpamShield does not get disabled or hindered, for security reasons.
	 *	There is an activation notice warning users not to use the two together, but this is here for fallback mitigation.
	 */
	if( !is_admin() ) { return; }
	$pref = 'PO_'; $cb = '__return_zero';
	$all_options = wp_load_alloptions();
	$fix_options = array( 'admin_disable_plugins', 'disable_by_role', 'disable_mobile_plugins', 'disable_plugins', 'plugin_order', );
	foreach( $all_options  as $option => $value ) {
		if( 0 === strpos( $option, $pref ) ) {
			$slug = str_replace( $pref, '', $option );
			if( 0 === strpos( serialize( $value ), WPSS_PLUGIN_NAME ) || isset( $fix_options[$slug] ) ) { update_option( $option, 0 ); continue; }
		}
	}
	foreach( $fix_options as $i => $v ) {
		add_filter( 'pre_update_option_'.$pref.$v, $cb, 100, 1 );
	}
}
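The function above zeroes a prefixed set of options and then hooks pre_update_option_* filters so that any later save is forced back to 0. A site owner who suspects this kind of tampering wants to know which callbacks are registered on those hooks and who registered them. The following is an added example written for this post; it is not code from WP Spamshield or Plugin Organizer. On a live site the hook table is the global $wp_filter (WordPress 4.7 and later: hook name => WP_Hook, whose public $callbacks property maps priority => id => array with 'function' and 'accepted_args'). Here a constructed table of the same shape is used so the snippet runs offline; the option names and the PO_Admin::sanitize callback are made-up sample values.

```php
<?php
// Added example (not WP Spamshield's or Plugin Organizer's code): list every
// callback attached to pre_update_option_<prefix>* hooks and flag the ones that
// force the saved value to zero.

function describe_callable($fn): string {
    if (is_string($fn)) {
        return $fn;
    }
    if (is_array($fn)) {
        $cls = is_object($fn[0]) ? get_class($fn[0]) : $fn[0];
        return $cls . '::' . $fn[1];
    }
    return 'Closure';
}

// $hook_table: hook name => WP_Hook object or array shaped like WP_Hook::$callbacks.
function audit_option_filters(array $hook_table, string $prefix): array {
    $findings    = [];
    $hook_prefix = 'pre_update_option_' . $prefix;
    foreach ($hook_table as $hook => $entry) {
        if (strpos($hook, $hook_prefix) !== 0) {
            continue;
        }
        // WP_Hook exposes its registrations through the public $callbacks property.
        $callbacks = is_object($entry) ? $entry->callbacks : $entry;
        foreach ($callbacks as $priority => $registered) {
            foreach ($registered as $cb) {
                $findings[] = [
                    'hook'        => $hook,
                    'priority'    => $priority,
                    'callback'    => describe_callable($cb['function']),
                    // __return_zero on a pre_update_option_* hook discards every save.
                    'forces_zero' => $cb['function'] === '__return_zero',
                ];
            }
        }
    }
    return $findings;
}

// Constructed hook table: one ordinary sanitizer (hypothetical PO_Admin::sanitize),
// one filter that forces the option to zero, and one hook outside the prefix.
$sample_hooks = [
    'pre_update_option_PO_plugin_order' => [
        100 => ['__return_zero' => ['function' => '__return_zero', 'accepted_args' => 1]],
    ],
    'pre_update_option_PO_disable_plugins' => [
        10 => ['PO_Admin::sanitize' => ['function' => ['PO_Admin', 'sanitize'], 'accepted_args' => 2]],
    ],
    'pre_update_option_blogname' => [
        10 => ['__return_zero' => ['function' => '__return_zero', 'accepted_args' => 1]],
    ],
];

foreach (audit_option_filters($sample_hooks, 'PO_') as $f) {
    printf("%s @%d -> %s%s\n",
        $f['hook'], $f['priority'], $f['callback'], $f['forces_zero'] ? '  [forces 0]' : '');
}
```

Inside WordPress you would call audit_option_filters($GLOBALS['wp_filter'], 'PO_') from a small mu-plugin after plugins have loaded (for example on the init action); a callback that forces 0 at priority 100 and is not defined by the plugin owning the option is the thing to investigate, and a reflection on the callable (ReflectionFunction::getFileName for a string callable) tells you which plugin file registered it.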

The second function is located in includes/class.security.php at line 828 of version 1.9.21. It re-indexes variables in the post array without taking into account that the variables could be multidimensional associative arrays, which is the case with Plugin Organizer. It turns those associative arrays into indexed arrays and creates instability in the platform.

static public function early_admin_intercept() {
	global $HTTP_RAW_POST_DATA, $pagenow;
	/* Do non-POST requests first (GET, HEAD, etc.) */
	if( 'POST' !== WPSS_REQUEST_METHOD ) {
		return NULL;
	}
	/* Then do POST requests... */
	if( empty( $_POST ) && empty( $HTTP_RAW_POST_DATA ) ) { return NULL; }
	if( 'widgets.php' === $pagenow || 'customize.php' === $pagenow ) { return NULL; }
	if( rs_wpss_is_admin_sproc() || rs_wpss_is_doing_cron() || rs_wpss_is_installing() || rs_wpss_is_cli() || parent::is_customize_preview() ) { return; }
	if( empty( $_POST ) && !empty( $HTTP_RAW_POST_DATA ) ) { $_POST = array( 'HTTP_RAW_POST_DATA' => $HTTP_RAW_POST_DATA ); }
	if( !empty( $_POST ) && is_array( $_POST ) ) {
		$pref = 'PO_';
		foreach( $_POST as $k => $v ) {
			if( 0 === strpos( $k, $pref ) || !empty( $_POST[$pref.'nonce'] ) || ( !empty( $_GET['action'] ) && 0 === strpos( $_GET['action'], $pref ) ) ) {
				if( is_array( $v ) ) {
					foreach( $v as $ak => $av ) {
						if( 0 === strpos( $av, WPSS_PLUGIN_NAME ) ) { unset( $v[$ak] ); }
					}; $_POST[$k] = ( WPSS_Utils::is_array_num( $v ) ) ? WPSS_Utils::sort_unique( $v ) : $v;
				}
			}
		}
	}
	return FALSE;
}
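To show concretely why rewriting $_POST this way breaks a plugin that posts nested associative arrays, here is an added example written for this post; it is not code from either plugin, and the field names and plugin paths in the sample submission are constructed. The naive path stands in for a sort-and-unique pass that discards string keys; the second function shows how to remove unwanted values while keeping every key and nesting level exactly as submitted, which is what a plugin reading its own form data depends on.

```php
<?php
// Added example (not WP Spamshield's or Plugin Organizer's code): losing string
// keys when re-indexing a posted array, versus a key-preserving recursive filter.

// Constructed sample of a nested settings submission (hypothetical field names):
// a plugin load order keyed by plugin file, and per-group disable lists.
$posted = [
    'PO_plugin_order' => [
        'alpha/alpha.php' => 2,
        'beta/beta.php'   => 1,
    ],
    'PO_disabled_plugins' => [
        'mobile' => ['alpha/alpha.php', 'gamma/gamma.php'],
        'admin'  => ['beta/beta.php'],
    ],
];

// Naive approach: array_unique() keeps keys, but sort() renumbers the array
// from 0, so the association between plugin file and position is destroyed.
function naive_reindex(array $values): array {
    $values = array_unique($values);
    sort($values);
    return $values;
}

// Key-preserving alternative: walk the structure recursively, drop only scalar
// values the predicate rejects, and never renumber or reorder anything.
function filter_preserving_keys(array $values, callable $reject): array {
    $out = [];
    foreach ($values as $key => $value) {
        if (is_array($value)) {
            $out[$key] = filter_preserving_keys($value, $reject);
        } elseif (!$reject($value)) {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Predicate for the demo: reject entries referring to the constructed plugin
// "gamma". is_string() guards against nested arrays reaching strpos().
$reject_gamma = function ($v): bool {
    return is_string($v) && strpos($v, 'gamma/') === 0;
};

$naive = naive_reindex($posted['PO_plugin_order']);
// $naive is [1, 2]: the plugin files are gone, only the positions remain.

$safe = filter_preserving_keys($posted, $reject_gamma);
// $safe['PO_plugin_order'] is still ['alpha/alpha.php' => 2, 'beta/beta.php' => 1]
// $safe['PO_disabled_plugins']['mobile'] is [0 => 'alpha/alpha.php']

var_dump($naive === [1, 2]);
var_dump($safe['PO_plugin_order'] === ['alpha/alpha.php' => 2, 'beta/beta.php' => 1]);
var_dump($safe['PO_disabled_plugins']['mobile'] === [0 => 'alpha/alpha.php']);
```

Two details of the original loop are worth noting against this example: the inner strpos( $av, ... ) assumes every element of $v is a string, so a two-level submission like the disable lists above hands strpos() an array (a warning on PHP 7, a TypeError on PHP 8); and once the outer array is handed to a sort-style helper, keys such as the plugin file names cannot be recovered by the plugin that reads $_POST afterwards.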

The class.compatibility.php file is filled with functions that hobble other plugins. All of these things are done without the user's knowledge. WP Spamshield is malicious code masquerading as a security plugin. I'm surprised it wasn't removed from wordpress.org sooner. A vulnerability scan done by a third party turned up some less-than-reputable activity that WP Spamshield does in the background without the user's knowledge. You can see the results of this scan by clicking the link below. You can also see an example of Scott Allen's inability to see any problems with anything he does in the comments on this scan.
Scan results

To prevent WP Spamshield from disabling Plugin Organizer, I have released a version with new option names that aren't being targeted. This was only a temporary fix, and I'm not sure if it is even working anymore, since Red Sand Media Group has released their code somewhere else and I'm sure they have changed their plugin to completely delete mine.

The developers of WP Spamshield have made a blog post full of false accusations that you can see here. In the blog post they say people should Google "Jeff Sterup" and "Plugin Organizer" to see the "pattern of security issues and vulnerabilities" that Plugin Organizer has. The Google search they recommend is here. All this search turns up is vulnerabilities related to other plugins that were falsely attributed to Plugin Organizer because it has a similar name, for instance CVE-2012-6511 and CVE-2012-6512. If you look at the CVE for either of these by clicking the link, you will see that they relate to a different plugin called Organizer that was abandoned several years ago, a plugin that is in no way related to me. You can view the page for that plugin at https://wordpress.org/plugins/organizer/.

As far as I know, Plugin Organizer has never suffered from any "security issues and vulnerabilities". I've worked as a software developer for 20 years and have had a lot of experience securing very high-profile and visible sites and applications. In my professional career I have worked with PCI compliance and have been brought in to secure numerous applications that were not built with security in mind. I welcome anyone to scan Plugin Organizer and point out security vulnerabilities so they can be fixed. None have been brought to my attention yet.

The blog post at the Red Sand Media Group's site is full of things that are easily proven wrong by looking at the commits to our plugins in the WordPress SVN repository and reading the support threads. Scott Allen is a very dishonest person with a questionable grasp of security principles who tries to lecture everyone who questions him about how knowledgeable he is. I would suggest everyone remove Scott Allen's code from their sites and stay far away from anything he's involved in.