14 Dec 2018

Not Really a WordPress Plugin Vulnerability, Week of December 14

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Database Disclosure Vulnerabilities in CSS & JavaScript Toolbox, JoeBooking, MailPoet Newsletters, MiwoPolls, PDF Catalog for WooCommerce, Simple Ecommerce Shopping Cart Plugin, WP Bannerize, WPide, and WPL

Related reports of claimed database disclosure vulnerabilities were released for CSS & JavaScript Toolbox, JoeBooking, MailPoet Newsletters, MiwoPolls, PDF Catalog for WooCommerce, Simple Ecommerce Shopping Cart Plugin, WP Bannerize, WPide, and WPL. While the person behind these reports believes that the file they are listing for each of the plugins is a database backup, in reality they are files that came with the plugins. It is hard to understand how they didn’t realize that, as the contents are exactly the same for the same plugin file on every website they listed, but they apparently didn’t. [Read more]

7 Dec 2018

Not Really a WordPress Plugin Vulnerability, Week of December 7


Database Disclosure Vulnerabilities in ARI Adminer, BackWPup, Batch-Move Posts wp plugin, Caldera Forms, Cart66 Lite, Contact Us Page Builder, Events Made Easy, Exports and Reports, L4 Shopping Cart, Orbis, Paid Memberships Pro, Search Engine, Shopp, WP EasyCart, and WP Editor

Related reports of claimed database disclosure vulnerabilities were released for ARI Adminer, BackWPup, Batch-Move Posts wp plugin, Caldera Forms, Cart66 Lite, Contact Us Page Builder, Events Made Easy, Exports and Reports, L4 Shopping Cart, Orbis, Paid Memberships Pro, Search Engine, Shopp, WP EasyCart, and WP Editor. While the person behind these reports believes that the file they are listing for each of the plugins is a database backup, in reality they are files that came with the plugins. It is hard to understand how they didn’t realize that, as the contents are exactly the same for the same plugin file on every website they listed, but they apparently didn’t. [Read more]

30 Nov 2018

Not Really a WordPress Plugin Vulnerability – Week of November 30, 2018


Arbitrary File Deletion Vulnerability in WP-DBManager

When you combine two entities that don’t seem to be concerned about the accuracy of their claims of vulnerabilities related to WordPress, it is not surprising that the results could be bad. Earlier this week the WPScan Vulnerability Database added this entry for a claimed arbitrary file deletion vulnerability in the plugin WP-DBManager: [Read more]

23 Nov 2018

Not Really a WordPress Plugin Vulnerability – Week of November 23, 2018


SQL Injection Vulnerability in Zotpress

Earlier this week we had a series of requests that looked to be trying to exploit a vulnerability in the plugin Zotpress in the file zotpress.rss.php. We didn’t have any vulnerabilities for that plugin in our data set, and the most recent version of the plugin didn’t contain that file. Looking into this, we found that the requests matched a report of a claimed SQL injection vulnerability from over 7 years ago. We then found that the claimed vulnerability wasn’t really one, as the report states that “magic_quotes has to be turned off” for it to work, but WordPress always applies that escaping itself, even when the PHP setting is disabled. [Read more]

19 Oct 2018

You Shouldn’t Assume That Wordfence Security or Other Security Tools Actually Provide Effective Protection

When it comes to explaining how so much money is spent on security while the results of that spending don’t seem to be appearing, a lot of the explanation seems to lie in the almost complete lack of evidence that the products and services marketed as providing protection actually provide effective protection. Considering that those are often promoted with extraordinary claims of their capabilities, that seems to indicate either that the claims are baseless or that the developers know they are false, since if they had evidence to support them it seems unlikely they wouldn’t present it.

Everything we have seen over the years indicates that there really is a lack of effectiveness, along with some combination of developers not understanding that their products are not effective and developers not caring, since they can make a lot of money selling something that doesn’t have to work well (if at all). Certainly one of those applies to the company behind the plugin tied for most popular WordPress security plugin, Wordfence Security (the reality behind the other plugin is also telling about popularity not equaling good security). For example, they previously very prominently claimed that their plugin “stops you from getting hacked” without any qualification (and still make that claim less prominently), despite that simply being false. [Read more]

12 Oct 2018

Not Really a WordPress Plugin Vulnerability – Week of October 12, 2018


Arbitrary File Viewing Vulnerability in Advanced uploader

Last week we wrote about the security community’s problem understanding the basics when it comes to arbitrary file viewing and local file inclusion (LFI) vulnerabilities. We ran across that again with a false report of an arbitrary file viewing vulnerability in the plugin Advanced uploader. On one of our websites we saw this attempt by a hacker to exploit what they thought was a vulnerability in the plugin: [Read more]

5 Oct 2018

Not Really a WordPress Plugin Vulnerability – Week of October 5, 2018


Arbitrary File Upload Vulnerability in Wp-Insert

If there really was an unfixed arbitrary file upload vulnerability in a WordPress plugin with 30,000+ active installations, as was claimed to be the case in a report of a vulnerability in the plugin Wp-Insert, that would be a big deal, since it would be basically guaranteed to be exploited. But it isn’t true. [Read more]

31 Aug 2018

Not Really a WordPress Plugin Vulnerability – Week of August 31, 2018


Cross-Site Scripting (XSS) Vulnerabilities in Jibu Pro and Quizlord

Nearly identical reports of claimed cross-site scripting (XSS) vulnerabilities in Jibu Pro and Quizlord were released this week by the same person. In both cases these are not really vulnerabilities, because the only users that would have the capability to take the actions listed would normally have the unfiltered_html capability, which allows them to do the equivalent of cross-site scripting (XSS). That capability is something that normally only Editor and Administrator-level users have. In the case of Jibu Pro, only those types of users could take the actions listed, as the relevant page is restricted to those with the delete_others_posts capability, which normally is also only given to those user roles. For Quizlord, only Administrator-level users can take the actions, as the relevant page is restricted to users with the manage_options capability, which is normally only given to Administrator-level users; if other users are given that capability, they could normally create Administrator-level users through what they are permitted to do with it. [Read more]

24 Aug 2018

Not Really a WordPress Plugin Vulnerability – Week of August 24, 2018


Cross-Site Scripting (XSS) Vulnerability in Tagregator

Like a lot of false reports of cross-site scripting (XSS) vulnerabilities, the claim that there is one in the plugin Tagregator is based on a lack of understanding that WordPress has an unfiltered_html capability that permits Administrator (and Editor) level users to do the equivalent of XSS. [Read more]

11 May 2018

Not Really a WordPress Plugin Vulnerability – Week of May 11, 2018


Cross-Site Scripting (XSS) Vulnerability in CKEditor WYSIWYG for Gravity Forms

The changelog entry for version 1.14.0 of the plugin CKEditor WYSIWYG for Gravity Forms is: [Read more]