12 Aug 2019

Vulnerability Details: HTML Injection in cforms2

The plugin cforms2 was closed on the WordPress Plugin Directory on July 19. Since then a new version of the plugin has been submitted, with one of the changelog entries being “bugfix: validate {IP} being an IP address, preventing CSRF or other similar attacks”. It isn’t clear how cross-site request forgery (CSRF) could be related to that validation. Looking at the changes made, we found that the validation did occur and also that the other changelog entry, “other: remove {Referer} substitution variable”, was related, as both changes involve user input that might not have been treated as such. What we found was that previously, without the IP address validation, you could cause HTML code to be included in emails normally sent out to the admin of the website. That was recently suggested to be something that could be abused by hackers in the case of another similar vulnerability.


[Read more]

9 Aug 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Social LikeBox & Feed

The plugin Social LikeBox & Feed was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a less serious one related to a more serious one: a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

The plugin registers its admin page to be accessible by Administrators: [Read more]

7 Aug 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Photo Gallery Portfolio

The changelog for the latest version of the plugin Photo Gallery Portfolio is “fix security issues”. Looking at the changes made there, we found that a reflected cross-site scripting (XSS) vulnerability looks to have been fixed. The plugin was closed on the Plugin Directory on July 8, though possibly for a different reason.


[Read more]

5 Aug 2019

Vulnerability Details: Multiple in Simple 301 Redirects – Addon – Bulk CSV Uploader

With our full disclosures of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum Moderators, one of the criticisms we have gotten is that we are notifying our customers before disclosing the vulnerabilities, despite that not being the case. We have always publicly disclosed vulnerabilities at the same time we start warning our customers of them; doing otherwise would raise some serious ethical issues. Other security providers don’t follow that type of practice, one of them being the makers of the NinjaFirewall plugin. Two of the vulnerabilities they are attempting to protect their customers from (though probably only doing so partially) that they haven’t publicly disclosed are a persistent cross-site scripting (XSS) vulnerability and a privilege escalation vulnerability in the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader. That plugin was closed on the Plugin Directory on July 28.


[Read more]

2 Aug 2019

Closures of Very Popular WordPress Plugins, Week of August 2

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week three of those plugins were closed and one of them has not been reopened. [Read more]

2 Aug 2019

WordPress Plugin Directory Team Missed Settings Change Vulnerability in Maps Widget for Google Maps

Earlier this week one of the most popular WordPress plugins, Maps Widget for Google Maps, which has 100,000+ installs, was closed on the Plugin Directory and then reopened after the name was changed (it was previously Google Maps Widget) and security changes were made. One of the security changes doesn’t really make sense to us. In the file /gmw-tracking.php this line was changed:

if (isset($_GET['gmw_tracking']) && $_GET['gmw_tracking'] == 'opt_in') {
2 Aug 2019

Plugin New to WordPress Plugin Directory with “400,000+ Installs” Is Lacking Basic Security

The plugin Essential Grid Portfolio – Photo Gallery was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 400,000+ installs, so we were alerted to its closure. When we started looking into the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service about, we found that the situation with the plugin seemed odd. The plugin has 400,000+ installs, but was only added to the Plugin Directory on July 22.

Looking into what might explain that discrepancy led us to some oddities. Here is the bio for the developer on their website, navyplugins.com: [Read more]

30 Jul 2019

Reflected Cross-Site Scripting (XSS) Vulnerability in WooCommerce Variation Swatches (Variation Swatches for WooCommerce)

The plugin WooCommerce Variation Swatches (Variation Swatches for WooCommerce) was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 60,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a reflected cross-site scripting (XSS) vulnerability.

The plugin’s admin page is made accessible to WordPress users with the “edit_theme_options” capability: [Read more]

26 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 26

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week two of those plugins were closed and neither of them has been reopened. [Read more]