20 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Ultimate FAQ

This post provides the details of a vulnerability in the WordPress plugin Ultimate FAQ not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

20 May

Vulnerability Details: Privilege Escalation in myStickymenu

This post provides the details of a vulnerability in the WordPress plugin myStickymenu not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

20 May

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in myStickymenu

This post provides the details of a vulnerability in the WordPress plugin myStickymenu not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

17 May

Closures of Very Popular WordPress Plugins, Week of May 17

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

[Read more]

17 May

WordPress Support Forum Moderator Jan Dembowski Gets in the Way of People Dealing With Hacks Due to WP Live Chat Support

On Wednesday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) they had discovered in the WordPress plugin WP Live Chat Support after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn’t be long until the public reports of it being exploited would crop up.

[Read more]

16 May

Is This Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability What Hackers Would be Interested in Woocommerce Products Price Bulk Edit For?

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is Woocommerce Products Price Bulk Edit, which has 20,000+ installs according to wordpress.org and was last updated over two years ago.

[Read more]

16 May

This Persistent Cross-Site Scripting (XSS) Vulnerability Seems Likely to Be What Hackers Would be Interested in FB Messenger Live Chat For

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is FB Messenger Live Chat (Live Chat with Facebook Messenger), which has 30,000+ installs according to wordpress.org. In looking over the plugin we found that it contains a persistent cross-site scripting (XSS) vulnerability, which is a type of vulnerability hackers have been exploiting widely recently.

[Read more]

16 May

Is This Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability What Hackers Would be Interested in Toggle The Title For?

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is Toggle The Title, which has 10,000+ installs according to wordpress.org and was last updated five years ago. In looking over the plugin we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability, which could possibly be what hackers would be interested in it.

[Read more]

16 May

Why Doesn’t Sucuri Know That Attacks Can Be Automated Even if They Require Authentication?

In trying to improve security one of the things that is a big impediment is the shear amount of misleading and false information out there, which gets in the way of addressing what actually needs to be addressed to fix the problems with security. A lot of that comes from security journalists repeating claims made by security companies that are not accurate, instead of the journalists realizing that they are indications that security companies don’t understand things they should. In Bleeping Computer’s coverage of a vulnerability in the plugin ¬†WP Live Chat Support (which is only one of multiple in it), discovered by Sucuri, they state this:

[Read more]

16 May

GDPR Functionality in WordPress Plugin WP Live Chat Support Allows Anyone to Download Contents of Chats Handled Through It

Yesterday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) in the plugin WP Live Chat Support, which was also fixed yesterday. That vulnerability is likely to be exploited soon. As we started looking over things while adding the vulnerabilities to our data set yesterday, so we could warn the customers of our service if they are using an impacted versions, we found that there are multiple additional security issues caused in part the same security issue that was partially fixed (yes, even the vulnerability fixed, was only actually partially fixed). There is, for example, another setting change vulnerability, though one that doesn’t look to lead to a more serious vulnerability. What stood out more for the seriousness, but also what type of functionality the vulnerability is in, is an information disclosure vulnerability that exposes chat logs and meta data related to those chats to anyone, which occurs through General Data Protection Regulation (GDPR) functionality. So functionality related to data protection does the opposite.

[Read more]