RAMP

Easy Content Deployment for WordPress. RAMP makes it easy to set up your content in your staging environment, then push those changes to your live site.


Use with caution

Confidence: Medium

This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings.


Findings

  • Overrides the PHP memory_limit setting
  • Contains the ability to transmit data from one WordPress installation to another. A detailed security audit of the protocol used is outside the scope of a light-touch inspection such as this
  • Appears to use unserialize() as part of that protocol. Depending on which classes are available, in this plugin or in other active plugins, unserialize() of attacker-controlled data can lead to arbitrary code execution (PHP object injection)
  • Unlinks files without checking that they reside within a particular directory. Unknown whether this can be exploited
  • Checks for new versions over HTTP instead of HTTPS, though it seems there is not much a MITM attacker could achieve in this case
  • The plugin contains a comment which recommends disabling TLS certificate verification “as a last resort” (this is probably a bad idea, even as a last resort; the usual fix for an incomplete chain is to install the missing intermediate certificate on the production server, or to point WordPress at a CA bundle that contains it, rather than to turn verification off): “Define RAMP_DISABLE_SSL_VERIFY as true to disable SSL certificate validation. This significantly reduces the security of SSL, but may be necessary in environments where WordPress cannot validate the production SSL certificate. Use this as a last resort if you are seeing this error: Error (-32300): transport error: http_request_failed SSL certificate problem: Invalid certificate chain”
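The following is an added example written for this review; it is not RAMP's code and does not reproduce its protocol. It shows why unserialize() on a body received from another site is the concern above: any class that happens to be loaded and does work in a magic method becomes a gadget. LogWriter, the function names and the temp-file target are assumptions; a real payload would name a file under the web root and supply PHP code. Requires PHP 7.4 or later.

```php
<?php
// Added example, not RAMP's code: why unserialize() on a body received from
// another site is dangerous, and two ways to take the risk away.
// LogWriter is an assumed stand-in for any class that happens to be loaded
// (this plugin, another active plugin, WordPress core) and acts on its own
// properties in a magic method. Requires PHP 7.4+ (typed properties).
declare(strict_types=1);

class LogWriter
{
    public string $path = '';
    public string $line = '';

    // Runs when the object is released, i.e. as soon as the caller drops the
    // value unserialize() returned, with properties the sender chose.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->line, FILE_APPEND);
        }
    }
}

// Builds the serialized form of a LogWriter with chosen properties, as an
// attacker would (lengths computed so the payload is well-formed).
function serializedLogWriter(string $path, string $line): string
{
    return sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:%d:"%s";}',
        strlen($path), $path, strlen($line), $line
    );
}

// Vulnerable: instantiates whatever class name the body contains.
function decodeVulnerable(string $body)
{
    return unserialize($body);
}

// Hardened: objects in the body become __PHP_Incomplete_Class and no magic
// method of the named class ever runs (PHP 7.0+).
function decodeHardened(string $body)
{
    return unserialize($body, ['allowed_classes' => false]);
}

// Better still: a format that cannot express objects at all.
function decodeJson(string $body): array
{
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Demonstration. The payload targets a temp file with harmless content; a
// real payload would name a file under the web root and supply PHP code.
$target  = sys_get_temp_dir() . '/ramp-demo-' . getmypid() . '.txt';
$payload = serializedLogWriter($target, "written by attacker-chosen __destruct\n");

$obj = decodeVulnerable($payload);
var_dump($obj instanceof LogWriter);              // sender's class was instantiated
unset($obj);                                      // __destruct fires here and writes the file
var_dump(file_exists($target));
@unlink($target);

$obj = decodeHardened($payload);
var_dump($obj instanceof __PHP_Incomplete_Class); // class name kept, behaviour not
unset($obj);
var_dump(file_exists($target));                   // nothing was written this time
```

The allowed_classes option only helps if the receiving code never needs real objects back; where it does, switching the wire format to JSON (or passing an explicit whitelist of class names instead of false) is the safer route, since the set of loadable classes changes every time another plugin is activated.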

Reason for the 'Use with caution' result

The plugin contains, or is likely to contain, a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • Use of unserialize() could lead to arbitrary code execution in certain situations
  • Use of unlink() without checking for directory traversal
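The following is an added example for the unlink() finding; it is not RAMP's code. It contrasts an unlink() that trusts a file name supplied by the remote side with one that resolves the path and requires it to stay under the directory the plugin intends to manage. The function names, the uploads/ directory and the temp tree are assumptions.

```php
<?php
// Added example, not RAMP's code: unlinking a file whose name came from the
// remote side, without and then with a check that the resolved path stays
// inside the directory the plugin means to manage. Function and directory
// names are assumptions.
declare(strict_types=1);

// Vulnerable: "../" in $name walks out of $root before unlink() runs.
function unlinkUnchecked(string $root, string $name): bool
{
    return @unlink($root . '/' . $name);
}

// Hardened: resolve both paths and require the target to sit under $root.
function unlinkContained(string $root, string $name): bool
{
    $rootReal = realpath($root);
    $target   = realpath($root . '/' . $name);
    // realpath() collapses ".." and symlinks and returns false if the path
    // does not exist, so a target outside $root, or a symlink inside $root
    // that points outside it, is rejected below.
    if ($rootReal === false || $target === false) {
        return false;
    }
    // Compare with a trailing separator so "/srv/uploads-old" is not
    // mistaken for something inside "/srv/uploads".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    // Only plain files: never directories, devices or the root itself.
    if (!is_file($target)) {
        return false;
    }
    return unlink($target);
}

// Demonstration in a throwaway temp tree: secret.txt sits outside the
// directory the plugin is supposed to manage (uploads/).
$base    = sys_get_temp_dir() . '/ramp-demo-' . getmypid();
$uploads = $base . '/uploads';
mkdir($uploads, 0700, true);
file_put_contents($uploads . '/ok.txt', 'inside');
file_put_contents($base . '/secret.txt', 'outside');

unlinkUnchecked($uploads, '../secret.txt');   // deletes the file outside uploads/
var_dump(file_exists($base . '/secret.txt'));

file_put_contents($base . '/secret.txt', 'outside');
unlinkContained($uploads, '../secret.txt');   // refused: resolves outside uploads/
var_dump(file_exists($base . '/secret.txt'));
unlinkContained($uploads, 'ok.txt');          // allowed: a plain file under uploads/
var_dump(file_exists($uploads . '/ok.txt'));

// Clean up the temp tree.
@unlink($base . '/secret.txt');
rmdir($uploads);
rmdir($base);
```

Because realpath() follows symlinks, the prefix check is made on the real location of the file, not on the name the sender supplied; that is what stops a symlink planted inside the managed directory from being used to delete something outside it.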

Read more about our failure criteria.

Failed criterion: Unsafe file or network IO

We conduct these inspections for our own use, and publish them in the hope that they may be useful to others. We don't guarantee that these findings are correct.

Please read this site's terms of service before taking any action based on information published here.

Testers
Tom Adams
Last revised
April 4, 2017
Versions tested
1.5.4
Plugin homepage
RAMP
Other versions

None listed