19 Sep 2019

Recently Closed WordPress Plugin with 100,000+ Installs Contains Reflected XSS Vulnerability

The plugin Click to Chat was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 100,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a reflected cross-site scripting (XSS) vulnerability.

In a reminder of the general insecurity of WordPress plugins, that vulnerability appears unrelated to the cause of the closure, as there was a change made to the plugin since its closure which involved renaming the plugin from Click to Chat for WhatsApp. [Read more]

19 Sep 2019

Recently Closed WordPress Plugin with 100,000+ Installs Contains Vulnerability Hackers Would be Interested In

The plugin Easy Social Feed was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 100,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a type of vulnerability that hackers would likely be interested in exploiting, an authenticated persistent cross-site scripting (XSS) vulnerability. We found that immediately when we started looking into the plugin, so there may be more issues. Considering how insecure the code leading to this is, we would recommend only using this plugin if it has gone through a thorough security review.

In a reminder of the general insecurity of WordPress plugins, that vulnerability appears unrelated to the cause of the closure, as there was a change made to the plugin since its closure which involved renaming the plugin from Easy Facebook Likebox, and the Subversion message when doing that was “Facebook name changed because of compliance”. [Read more]

6 Sep 2019

Closures of Very Popular WordPress Plugins, Week of September 6

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week four of those plugins were closed and three of them have not been reopened. [Read more]

3 Sep 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Ultimate Google Analytics

The plugin Ultimate Google Analytics was closed on the WordPress Plugin Directory on Friday. That is one of the 1,000 most popular plugins with 50,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a less serious one related to a more serious one, a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

The plugin has an options page that causes the function uga_options() to run: [Read more]

3 Sep 2019

Settings Change Vulnerability in Search Exclude

The plugin Search Exclude was closed on the WordPress Plugin Directory on Friday. That is one of the 1,000 most popular plugins with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a less serious one related to a more serious one, a settings change vulnerability.

The plugin registers the function saveOptions() to run during admin_init: [Read more]

28 Aug 2019

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Customize Feeds for Twitter

One of the changelog entries for the latest version of Customize Feeds for Twitter is “Some security issue fixed”. In looking at the changes made in that version to see if there was a vulnerability being fixed that we should be adding to the data set for our service, it looked like the code being changed might still be vulnerable, and a quick check of things confirmed that. The plugin has been closed on the Plugin Directory since August 8, so it is possible that the security change was made in response to the team behind that closure, but they missed the vulnerability here.

The plugin’s admin page is registered to be accessible to those logged in as Administrators: [Read more]

23 Aug 2019

Closures of Very Popular WordPress Plugins, Week of August 23

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week two of those plugins were closed and both of them have been reopened. [Read more]

22 Aug 2019

GDPR Plugins for WordPress Continue to Be Insecure

The European Union’s General Data Protection Regulation (GDPR) is a data protection law that, when it comes to WordPress websites, is causing them to be less secure, not because of the law itself, but because the plugins for dealing with it haven’t been properly secured. In October of last year we noted that the plugin WP DSGVO Tools (GDPR) contained a PHP object injection vulnerability, which then remained in the plugin for two more months. The plugin was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found the possibility of one of those, though the relevant code that makes it operational looks to only be available in the commercial version of the plugin. We did confirm that a less serious related vulnerability exists.

With just the vulnerability we confirmed there are multiple pretty obvious security problems, so there likely are more security issues with the plugin. [Read more]

16 Aug 2019

Closures of Very Popular WordPress Plugins, Week of August 16

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and none of them have been reopened. If you were a customer of our service you could have already been warned if you were using either of the two we found contain security vulnerabilities. [Read more]

15 Aug 2019

Cross-Site Request Forgery (CSRF)/Arbitrary File Upload Vulnerability in Maintenance

The plugin Maintenance was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 400,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a couple of less serious ones related to a more serious one. Through cross-site request forgery (CSRF) it would be possible for an attacker to cause arbitrary files to be uploaded as well as malicious JavaScript code to be saved to the plugin’s settings. There also appear to be additional security issues in the plugin.

The plugin’s admin page is accessible to those with manage_options capability, which normally only Administrators have: [Read more]