Hacker Targeted Plugin

28 Feb 2025

Persistent Cross-Site Scripting (XSS) Vulnerability in Traffic Manager

Our Plugin Vulnerabilities Firewall blocked an attempt to exploit a vulnerability we traced back to the plugin Traffic Manager. The plugin was closed on the WordPress Plugin Directory in September 2022 for a claimed security issue. No details were provided. Based on the timing of the closure and public claims about vulnerabilities in the plugin, that would appear to be related to a different security vulnerability than the hacker was trying to exploit. This security issue they were trying to exploit is a persistent cross-site scripting (XSS) vulnerability.

The details provided with the block show that an AJAX request was made with the action used UserWebStat. And the value of a POST input “page” sent with the request was a script tag. Traffic Manager makes the function UserWebStat() in the file /traffic-manager.php accessible through an AJAX request with that action for those logged in to WordPress as well those not logged in: [Read more]

24 Feb 2025

Settings Change and Persistent Cross-Site Scripting (XSS) Vulnerabilities in Donate visa

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin Donate visa in third-party data we monitor. The probing was done by requesting a file from the plugin if the plugin had existed on a website, /wp-content/plugins/donate-visa/readme.txt. The plugin was closed on the WordPress Plugin Directory on November 5, 2024. The reason given for the closure is “Security Issue.” Nothing was provided to vet the claim there was a security issue. Competitors of ours have claimed there is an unfixed vulnerability that allows attackers “with Subscriber-level access and above, to perform an unauthorized action.” They provided nothing to back that up. Looking at the code, we found what they appear to be referring to, but as is so often the case, they didn’t bother to do proper vetting and got a basic detail wrong. The real vulnerability is one you would expect to be exploited.

The only code that looks like it could be related to the claimed vulnerability is the code that handles saving the plugin’s settings. That is handled by the function donate_visa_dvsmp_ajax() in the file /includes/class-donate-visa-dvsmp-plugin.php. That doesn’t include any security checks: [Read more]

14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing was done by requesting a file from the plugin if the plugin had existed on our website, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or any of them. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. [Read more]

20 Jun 2024

Arbitrary File Upload Vulnerability Being Exploited in Startklar Elementor Addons

Recently, our firewall plugin blocked an attempt on one of our websites that appeared to be trying to exploit a vulnerability that would allow an attacker to upload a .php file to a website. We were able to trace that back to a vulnerability in the plugin Startklar Elementor Addons.

The logging for the block attempt showed that the attempt was trying to access an AJAX accessible function in a WordPress plugin that would be accessed with the action set to startklar_drop_zone_upload_process. That plugin makes a function named process() accessible through that to those logged in to WordPress as well as those not logged in: [Read more]

14 Jun 2024

WordPress Isn’t Warning Users of Plugin With Unfixed Vulnerability That Is Being Exploited

This week, our Plugin Vulnerabilities Firewall plugin has blocked several attempts across our websites to exploit a vulnerability in a WordPress plugin. In investigating the attacks, we found that the vulnerability exists in the most recent version of the BuddyPress Cover plugin. That plugin was closed on the WordPress Plugin Directory on May 28:

[Read more]

11 Jun 2024

Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express

Over the weekend, we had a hacker attempt to exploit a SQL injection vulnerability that turned out to be one fixed recently in the 90,000+ install WordPress plugin Icegram Express on our website. We don’t use the plugin, so the exploitation attempt appears to be part of an untargeted attempt to exploit this.

Upon reviewing the relevant code, we found that it still isn’t properly secured, and neither is other, similarly accessed, code. We have reached out to the developer about that. Based on the continued insecurity, we would recommend not using the plugin unless it has a more thorough security review and all the issues are addressed. [Read more]

31 May 2024

Hacker Targeting Incompletely Fixed Vulnerability in WordPress Plugin YITH WooCommerce Ajax Search

A hacker has started targeting a vulnerability in the WordPress plugin YITH WooCommerce Ajax Search, which has been incompletely fixed. That vulnerability allows an attacker to cause malicious JavaScript code to run on an admin page of the website. While a recent update protects those using the updated version from exploitation, it doesn’t fully address the problem, so any websites updated after it was exploited are still vulnerable. While not all older versions of the plugin are vulnerable, it looks like significant portion of the 70,000+ websites using the plugin could still be using a vulnerable version based on the data provided by WordPress about its usage and download count.

Yesterday, our Plugin Vulnerabilities Firewall blocked multiple attempts to exploit the vulnerability on our website. The exploit attempts came from an IP address, 93.174.93.127, registered to IP Volume inc: [Read more]

14 Feb 2024

Arbitrary File Upload Vulnerability in AI Engine

We recently saw a hacker probing for usage of the WordPress plugin AI Engine on our website and third-party websites with the following request:

/wp-content/plugins/ai-engine/readme.txt [Read more]

13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css [Read more]

12 Feb 2024

SQL Injection Vulnerability in Booking Calendar

We recently saw a hacker probing for usage of the WordPress plugin Booking Calendar on our website and third-party websites with the following request:

/wp-content/plugins/booking/readme.txt [Read more]