20 Aug

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in WP 1 Slider

This post provides the details of a vulnerability in the WordPress plugin WP 1 Slider not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

16 Aug

Closures of Very Popular WordPress Plugins, Week of August 16

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

[Read more]

15 Aug

Vulnerability Details: Remote Code Execution (RCE) in WordPress to Jekyll Exporter (Jekyll Exporter)

This post provides the details of a vulnerability in the WordPress plugin WordPress to Jekyll Exporter not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

15 Aug

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Maintenance

The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 400,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a couple of  less serious ones related to a more serious one. Through cross-site request forgery (CSRF) it would be possible for an attacker to cause arbitrary files to be uploaded as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.

[Read more]

14 Aug

Authenticated PHP Object Injection Vulnerability in Backup and Staging by WP Time Capsule

With WordPress plugins that should have obvious heightened security risk we have often found that the security is poor, maybe even poorer that the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.

[Read more]

13 Aug

WordPress Support Forums Moderators Again Delete Messages Pointing Out Their Behavior is Bad for the WordPress Community

Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post we found that many of replies on that topic, including almost of all the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderators replies were also removed. You can see the replies at that time of previous post here and what is there at this moment here. That is in line with the kind inappropriate behavior by those moderators we have seen for years and had led to us starting a protest against it nearly a year ago.

[Read more]

13 Aug

Wordfence Security Plugin Failed to Protect Against Exploitation of 301 Redirects – Addon – Bulk CSV Uploader Vulnerability

Over at our main business today we have been dealing with a website that was hacked due to the now fixed vulnerability in the plugin 301 Redirects – Addon – Bulk CSV Uploader that started getting widely exploited to redirect websites shortly after it was fully disclosed by the discoverer on Saturday (in this case the redirect was to tomorrowwillbehotmaybe.com). Simply keeping plugins up to date at all times would have avoided websites getting hacked as it was fixed on Thursday. If you were a customer of our service you would have been warned of the high likelihood of that vulnerability being exploited on Monday of last week (we knew about the vulnerability because the discoverer had obliquely disclosed the vulnerability some time before Monday).

[Read more]

13 Aug

Reflected Cross-Site Scripting (XSS) Vulnerability in Import Social Events

One of the changelog entries for the latest version of Import Social Events is “IMPROVEMENT: Some Security Improvements.” Looking at the changes made we saw that sanitization was being added in a number of locations. The first instances of that though didn’t have any security impact, so we ran the previous version of the plugin through our Plugin Security Checker tool to see if it flagged any possible issues. That flagged the code below as possibly being vulnerable, which we then confirmed. Looking at the changes made that wasn’t fixed.

[Read more]