13 Sep

When an Old Vulnerability Gets a New Vulnerability Report

As part of preparing an upcoming enhancement to the service, we have recently been taking a look at what traffic to our website indicates as to what hackers are targeting. Through that we noticed a connection between the existence of YouTube videos on exploiting vulnerabilities and what vulnerabilities are getting exploitation attempts. In the past few days we have seen a pickup in requests for pages on our website relating to the plugin Cherry Plugin. In looking for any recent mentions of vulnerabilities in this plugin we found a Youtube video showing how to exploit an arbitrary file upload vulnerability in it and an report on that vulnerability.

We had actual already looked at the report when it was released several days ago as part of our monitoring of various vulnerability database websites. In a reminder as to the low quality of many of these reports, the report list the “version” as being 3.8, which could not refer to the plugin’s version since the most recent version is The vulnerability being reported was actually disclosed and fixed more than a year and half ago, which isn’t mentioned in the report. Since the plugin is not available through the Plugin Directory the normal update mechanism for plugins doesn’t come in to play and there is more chance that someone would still have an outdated version and vulnerable version installed at this time.

This is a good example of where our service can be handy even when not alerting you to a vulnerability in the current version of the plugin, as you can see what vulnerabilities have existed in other versions of the plugin, so you could have checked to see this vulnerability was already disclosed and fixed. With the support that comes with the service you could also get in touch with us if you have a question about something like this.

Since the we had already seen exploit attempts against this vulnerability it has been included in the free data that comes with service’s companion plugin for several months, so even if you haven’t signed up for the service yet you would have been warned if you were still using a vulnerable version of the plugin.

The developers of the Cherry Plugin still haven’t fixed a less severe vulnerability that we discovered in the plugin and notified them of back in June.