08 Nov

The WPScan Vulnerability Database “Verified” False Report of Vulnerability in WordPress Plugin

In the past we have noted that among the many lies told by the company behind the Wordfence Security plugin is that data they take from the WPScan Vulnerability Database (without disclosing it as the source) was “Confirmed/Validated”. At the time they did that, that data source explicitly stated that it was not verifying vulnerabilities. More recently the WPScan Vulnerability Database has claimed to verify vulnerabilities, but as shown again with a claimed vulnerability in the plugin WP Google Review Slider, it turns out they are not actually doing that.

With the vulnerability they claim it is verified: [Read more]

08 Nov

Vulnerability Details: Security Bypass in Currency Switcher for WooCommerce

This post provides the details of a vulnerability in the WordPress plugin Currency Switcher for WooCommerce not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

07 Nov

Our Proactive Monitoring Caught a CSRF/Arbitrary File Deletion Vulnerability in a WordPress Plugin with 70,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/arbitrary file deletion vulnerability in the plugin Backup Guard, which has 70,000+ installs. Despite being that popular, it doesn’t look like the security of the code has been well reviewed, as the code that causes that lacks two basic security components. There look to be additional security issues related to that insecurity, so we wouldn’t recommend using the plugin unless a thorough security review (like we do as part of our service and as a separate service) is done.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool flags the possibility of other issues in this plugin as well. [Read more]
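To make the “two basic security components” concrete, here is an added example that is not part of the original post, not the Plugin Security Checker’s code and not Backup Guard’s code: a small Python heuristic that scans PHP source for admin-ajax/admin-post handlers which pass request data to a file deletion function without a nonce check (the CSRF protection) and a capability check (the authorization). The two plugin snippets it scans are constructed for the example, and the hook and function names in them (`bg_delete_backup`, `BG_BACKUP_DIR`, and so on) are hypothetical.

```python
"""Heuristic check for WordPress AJAX/admin-post handlers that delete files
named by request data without a nonce check and a capability check.
Constructed example: pattern matching only, no data-flow analysis."""
import re

# WordPress functions that implement each of the two checks.
NONCE_FUNCS = ("check_admin_referer", "check_ajax_referer", "wp_verify_nonce")
CAP_FUNCS = ("current_user_can", "is_super_admin")
# File-system sinks whose argument is dangerous when attacker-controlled.
FILE_SINKS = ("unlink(", "rmdir(", "wp_delete_file(")
REQUEST_DATA = ("$_POST", "$_GET", "$_REQUEST")

# add_action( 'wp_ajax_foo', 'handler' ) or add_action( 'admin_post_foo', array( $this, 'handler' ) )
HANDLER_RE = re.compile(
    r"""add_action\(\s*['"](?P<hook>(?:wp_ajax_nopriv_|wp_ajax_|admin_post_nopriv_|admin_post_)\w+)['"]"""
    r"""\s*,\s*(?:array\(\s*\$this\s*,\s*|\[\s*\$this\s*,\s*)?['"](?P<func>\w+)['"]"""
)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")  # named functions only; closures are skipped


def extract_function_bodies(src: str) -> dict:
    """Map function name -> body text, by counting braces from the first '{'.
    Braces inside strings or comments are not handled (heuristic)."""
    bodies = {}
    for m in FUNC_RE.finditer(src):
        start = src.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(src)):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    bodies[m.group(1)] = src[start:i + 1]
                    break
    return bodies


def analyze(php_source: str) -> list:
    """One finding per registered handler hook."""
    bodies = extract_function_bodies(php_source)
    findings = []
    for m in HANDLER_RE.finditer(php_source):
        body = bodies.get(m.group("func"))
        if body is None:
            continue
        findings.append({
            "hook": m.group("hook"),
            "handler": m.group("func"),
            # *_nopriv_ hooks run for visitors who are not logged in at all.
            "unauthenticated": "nopriv" in m.group("hook"),
            "nonce_check": any(f in body for f in NONCE_FUNCS),
            "capability_check": any(f in body for f in CAP_FUNCS),
            "file_sink_on_request_data": any(s in body for s in FILE_SINKS)
            and any(r in body for r in REQUEST_DATA),
        })
    return findings


def is_vulnerable(finding: dict) -> bool:
    """Missing either check is enough: without a nonce any visitor can be made
    to trigger the deletion (CSRF); without a capability check any logged-in
    user can call it directly."""
    return finding["file_sink_on_request_data"] and not (
        finding["nonce_check"] and finding["capability_check"]
    )


# Constructed vulnerable snippet (hypothetical names): no nonce, no capability
# check, and the file name comes straight from the request, even for logged-out users.
VULNERABLE_PLUGIN = """
add_action( 'wp_ajax_bg_delete_backup', 'bg_delete_backup' );
add_action( 'wp_ajax_nopriv_bg_delete_backup', 'bg_delete_backup' );
function bg_delete_backup() {
    $file = $_POST['file'];
    unlink( BG_BACKUP_DIR . '/' . $file );
    wp_send_json_success();
}
"""

# Constructed hardened snippet: nonce, capability check, and the path is
# confined to the backup directory before unlink() runs.
HARDENED_PLUGIN = """
add_action( 'wp_ajax_bg_delete_backup', 'bg_delete_backup_safe' );
function bg_delete_backup_safe() {
    check_ajax_referer( 'bg_delete_backup' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $file = basename( sanitize_file_name( wp_unslash( $_POST['file'] ) ) );
    $path = realpath( BG_BACKUP_DIR . '/' . $file );
    if ( $path === false || strpos( $path, realpath( BG_BACKUP_DIR ) . '/' ) !== 0 ) {
        wp_send_json_error( 'bad path', 400 );
    }
    unlink( $path );
    wp_send_json_success();
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_PLUGIN), ("hardened", HARDENED_PLUGIN)):
        for f in analyze(src):
            print(label, f["hook"], "->", f["handler"], "VULNERABLE" if is_vulnerable(f) else "ok", f)
```

The check is deliberately shallow, in the spirit of a tool that flags the possibility of an issue rather than proving it: a handler that stores `$_POST['file']` in an option and deletes it in a later request would be missed, and a handler that calls `current_user_can()` but ignores its result would be passed. It does show what a reviewer looks for first in any admin-ajax or admin-post callback, and the hardened snippet adds the third control the heuristic does not check for, confining the path to the intended directory.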

06 Nov

Vulnerability Details: Privilege Escalation in CartFlows

This post provides the details of a vulnerability in the WordPress plugin CartFlows not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

05 Nov

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Tidio Chat

This post provides the details of a vulnerability in the WordPress plugin Tidio Chat not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

04 Nov

Closures of Very Popular WordPress Plugins, Week of November 1

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.

During the week of November 1, four of those plugins were closed. [Read more]

04 Nov

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in If▸So

This post provides the details of a vulnerability in the WordPress plugin If▸So not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

04 Nov

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Safe SVG

This post provides the details of a vulnerability in the WordPress plugin Safe SVG not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

04 Nov

Recently Closed WordPress Plugin with 70,000+ Installs Contains Authenticated Persistent XSS Vulnerability

The plugin Easy Columns was closed on the WordPress Plugin Directory on Sunday of last week. That is one of the 1,000 most popular plugins, with 70,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability, after looking at results that our Plugin Security Checker produced for the plugin.

An example of that issue involves the plugin’s ezcol_1quarter shortcode, which calls the function one_quarter(): [Read more]