22 Jan 2024

Privilege Escalation Vulnerability in Duplicate Post Page Menu & Custom Post Type

We were recently alerted that one of our customers started using a WordPress plugin, Duplicate Post Page Menu & Custom Post Type, which has been closed on the WordPress Plugin Directory. The reason given for the closure is:


[Read more]

16 Jan 2024

Contact Form 7 Extension For Mailchimp Contains Multiple Vulnerabilities

On Friday, the WordPress plugin Contact Form 7 Extension For Mailchimp, one of the 1,000 most popular plugins on the WordPress plugin directory, was closed. That plugin has 90,000+ installs. No reason has been given for the closure. There is a recent claim that the plugin contains an unfixed vulnerability, but there is a complete lack of details provided for anyone trying to verify that (no surprise considering the source, Patchstack). In quickly checking over the plugin, we found it contains multiple vulnerabilities caused by a lack of basic security. We would recommend against using the plugin unless a thorough security review has been done and all issues have been fixed.

On Sunday, the developer released a new version, with the changelog reading “Addressed security reports and performed a full security check.” Despite that, none of the issues mentioned below, which we had noticed before that change, have been resolved. [Read more]

21 Apr 2022

Authenticated Post Deletion Vulnerability in Toolset Types WordPress Plugin

As part of our recent focus on providing better information to customers of our main service about the security of plugins they use, we extended the monitoring we already did on the closure of the most popular WordPress plugins on WordPress’ plugin directory to those being used by our customers. We monitor those closures because they are often caused by security vulnerabilities, sometimes very serious vulnerabilities. That monitoring notified us yesterday that a plugin used by a customer, Toolset Types, has been closed. According to the message on the plugin’s page, it was closed in 2019, so this must be a new customer or a website newly using the plugin:

This plugin has been closed as of April 4, 2019 and is not available for download. This closure is permanent. Reason: Author Request. [Read more]

20 Apr 2022

Vulnerability Details: Multiple in JivoChat

On Monday, the WordPress plugin JivoChat was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure. Before we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about, a security update had been made to the plugin, though an incomplete one.


[Read more]

19 Apr 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Privilege Escalation Vulnerability

On Monday, the WordPress plugin WP SVG Icons was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it contains at least a minor vulnerability.

The plugin registers the function svg_delete_custom_pack_ajax() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]

3 Dec 2021

Closed WordPress Plugin With 40,000+ Installs Contains CSRF/XSS Vulnerability

Yesterday, the WordPress plugin WP Extra File Types was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to change the plugin’s settings and add malicious JavaScript code to them, which is cross-site scripting (XSS).

The plugin registers a settings page for itself, which calls the function admin_page(): [Read more]

18 Nov 2021

WordPress Plugin Closed Today With 40,000+ Installs Contains CSRF/Arbitrary Directory Deletion Vulnerability

Today, the WordPress plugin Child Theme Generator was closed on the WordPress Plugin Directory. Due to that being one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin lacks protection against cross-site request forgery (CSRF), which could allow an attacker to cause a logged-in Administrator to take actions they didn’t intend. Among those is the ability to cause them to delete arbitrary directories on the server the website is on.

When the plugin’s admin page is accessed (which is limited to Administrators), the file /admin/class-child-theme-generator-admin.php is loaded, and that in turn causes the function section_remove() in the file to run: [Read more]

27 Oct 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Closed WordPress Plugin Responsive Menu

On Monday, the WordPress plugin Responsive Menu was closed on the WordPress Plugin Directory. Due to that being one of the 1,000 most popular plugins in that directory (it has 100,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin contains a fairly serious security vulnerability, an authenticated persistent cross-site scripting (XSS) vulnerability, as well as other vulnerabilities because of the poor security of the code.

We tested and confirmed that two of the existing protections in our new firewall plugin for WordPress would individually stop exploitation of the authenticated persistent XSS vulnerability, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. An additional protection being added to the plugin in the next release, based on a vulnerability fixed and exploited in another plugin last week, also would provide protection against this. [Read more]

26 Oct 2021

Reflected Cross-Site Scripting (XSS) Vulnerability in Quiz And Survey Master

Yesterday, the WordPress plugin Quiz And Survey Master was closed on the WordPress Plugin Directory. Due to that being one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin.

In June, while looking into the possibility that there had been a vulnerability fixed in the plugin, we found a fairly serious vulnerability in the plugin, so the poor quality of the security we found this time wasn’t surprising. While we didn’t quickly find a serious vulnerability, we did easily confirm that there is a reflected cross-site scripting (XSS) vulnerability that currently exists in the plugin. [Read more]

22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities that we should be warning users of the plugin who also use our service about, we found just such a vulnerability in the plugin. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter vulnerability is a type that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability. [Read more]