16 Feb 2024

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 16

Our customers provide us with the ability to help make WordPress plugins more secure, mostly plugins they use, but to a lesser extent other plugins as well. That work often goes unmentioned, so we are highlighting it here to help people better understand what is going on and how signing up for our service can help to expand that work.

Cross-Site Request Forgery (CSRF) Vulnerability Fixed in Formidable Forms

In January, we found that the developers of the 300,000+ install Formidable Forms had incompletely addressed an issue with cross-site request forgery (CSRF) in the plugin. We found that because at least one of our customers was using the plugin and a new version had been released that suggested there might be a fix for that type of issue. Earlier this week, the developer released an update that fixed the remaining issue.

Unfixed Vulnerability in Event Tickets

While reviewing a vague claim that the 80,000+ install Event Tickets plugin had fixed a vulnerability in its latest version, as at least one of our customers is using the plugin, we found the vulnerability may not have been fixed, as a vulnerability that at least partially matches the vague claim still exists. We contacted the developer about that, and it sounds like they blew off a previous report about this. This time they at least said they would look into it, but so far it hasn’t been fixed.

Unfixed Vulnerability in SEOPress

While reviewing a claim that the 200,000+ install SEOPress plugin had recently fixed a vulnerability, as at least one of our customers is using the plugin, we found the issue wasn’t fully addressed. The original vulnerability claim didn’t even describe a vulnerability, but further checking confirmed that in a slightly different situation there was a vulnerability, and it had yet to be fully fixed. The developer has said that it should be fixed next month, so those using the plugin are currently running vulnerable software.

Free Warning for Unfixed Vulnerability in NextMove Lite

After seeing a hacker probing for the 20,000+ install NextMove Lite, we found the plugin contains a vulnerability that wasn’t actually fixed and that a hacker would likely be interested in exploiting. We also found that another plugin from the same developer, the 7,000+ install Finale Lite, is also vulnerable. We reached out to the developer, XLPlugins, about that, but they haven’t responded.

The plugins remain in the WordPress Plugin Directory despite that. Other data providers are incorrectly saying the vulnerability in NextMove Lite has been fixed and are not warning about the other plugin. As this vulnerability in NextMove Lite looks to be targeted by hackers, we added accurate data on it to the free data that comes with our Plugin Vulnerabilities plugin.

Unfixed Security Issue in Manage Notification E-mails

While reviewing a claim that the 100,000+ install Manage Notification E-mails plugin had recently fixed a vulnerability, as at least one of our customers is using the plugin, we found that a related security issue still exists. We reached out to the developer about that yesterday, but we haven’t heard back from them.


Plugin Security Scorecard Grade for Formidable Forms

Checked on October 28, 2024
C+
