13 Feb

Vulnerability Details: Authenticated Arbitrary File Deletion Vulnerability in Woocommerce CSV Import

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

One of the areas where we think that the wordpress.org Plugin Directory could probably improve how they handle things is ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reasons that you will want to sign up beyond access to posts like this one).

If you are a WordPress plugin security researcher please contact us to get free access to all of our Vulnerability Details posts.

12 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Pipes

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

When we started developing our Plugin Security Checker (which is now accessible through a WordPress plugin of its own) it only ...



12 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in cformsII

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

Recently we were looking into another possible security issue that had been claimed to have been fixed in the plugins ...

07 Feb

Vulnerability Details: Privilege Escalation Vulnerability in Accelerated Mobile Pages

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

A little less than a month ago the plugin Accelerated Mobile Pages was removed from the Plugin Directory for a ...



06 Feb

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Retina 2x

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

An advisory released by the JPCERT/CC and IPA states that a reflected cross-site scripting (XSS) vulnerability had been fixed in version ...



20 Dec

Vulnerability Details: Restricted File Upload Vulnerability in Gallery by BestWebSoft

While looking into what hackers might be targeting in the plugin Sharexy, we took a look at what appeared to be a related request, checking whether a file that had previously existed in the plugin Gallery by BestWebSoft was on our website. The file requested was /wp-content/plugins/gallery-plugin/upload/php.php, which has been claimed to have an arbitrary file upload vulnerability as of version 3.06. At least by our definition that isn’t true, because the extension of the files that could be uploaded through that file is limited.

The file /upload/php.php defines what extension uploaded files can have with the following line:

$allowedExtensions = array("jpeg", "jpg", "gif", "png");

The following code is then used to make sure the file is only using one of the allowed extensions:

$pathinfo = pathinfo($this->file->getName());
$ext = $pathinfo['extension'];
$filename = str_replace(".".$ext, "", $pathinfo['basename']);
//$filename = md5(uniqid());

if($this->allowedExtensions && !in_array(strtolower($ext), $this->allowedExtensions)){
    $these = implode(', ', $this->allowedExtensions);
    return "{error:'File has an invalid extension, it should be one of $these .'}";
}

The claim of an arbitrary file upload vulnerability showed uploading a file with the name lo.php.gif. Normally web browsers only pay attention to a file’s final extension, so even if you were to upload a file with PHP code and that file name, it wouldn’t run.

Our guess with that sort of thing is that someone trying to exploit it would usually be under the mistaken belief that they could get PHP code to run. It is possible that some people would be using that type of issue with the intention of uploading image files, as is reported to have occurred with the plugin WP Job Manager. This type of issue could also be combined with a local file inclusion (LFI) vulnerability.

In version 3.1.1 the file was removed and the file upload capability was moved into the main code of the plugin, removing the ability for those not logged in to WordPress to access it.

Wider Notice

Because this issue might be being targeted by hackers, we are adding it to the free data that comes with our service’s companion plugin, so that even those not using our service yet can be warned if for some reason they are using a really old version of this plugin (the issue was fixed five and a half years ago) or if they see attempts to exploit this and are wondering what is going on. That means we are also making this post publicly accessible, unlike most of our plugin vulnerability details posts.
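As an added example (our own illustration, not code from the plugin or this post), the following Python models the final-extension check quoted above, a stricter single-extension variant a developer could use instead, and a small scan of constructed access-log lines for requests to the removed upload endpoint, which is the kind of activity the notice above refers to. The log format, field names and IP addresses are constructed assumptions.

```python
import re

# Extensions the plugin's /upload/php.php allowed (from the post).
ALLOWED_EXTENSIONS = {"jpeg", "jpg", "gif", "png"}

def plugin_extension_check(filename: str) -> bool:
    """Model of the check in php.php: PHP's pathinfo() reports only the text after
    the final dot, so 'lo.php.gif' has extension 'gif' and passes while 'shell.php'
    fails. A name without a dot yields no extension and is rejected, as in the original."""
    if "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS

_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpeg|jpg|gif|png)$", re.IGNORECASE)

def strict_extension_check(filename: str) -> bool:
    """Hardened variant (added here, not plugin code): exactly one extension and a
    conservative basename, so multi-extension names such as 'lo.php.gif' are refused
    outright instead of relying on the web server to ignore the inner '.php'."""
    return _SAFE_NAME.match(filename) is not None

# Path of the removed upload endpoint, as given in the post.
UPLOAD_ENDPOINT = "/wp-content/plugins/gallery-plugin/upload/php.php"
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_upload_probes(log_lines):
    """Return (ip, method, status) for every request to the old upload endpoint.
    A GET is a probe for the file's presence; a POST is an upload attempt."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if m and m.group("path").split("?", 1)[0] == UPLOAD_ENDPOINT:
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2018:10:01:02 +0000] "GET /wp-content/plugins/gallery-plugin/upload/php.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Dec/2018:10:01:03 +0000] "POST /wp-content/plugins/gallery-plugin/upload/php.php?qqfile=image.gif HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Dec/2018:10:02:00 +0000] "GET /wp-content/plugins/gallery-plugin/css/style.css HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for name in ("photo.JPG", "lo.php.gif", "shell.php"):
        print(name, plugin_extension_check(name), strict_extension_check(name))
    print(find_upload_probes(SAMPLE_LOG))
```

A 404 on these requests means the endpoint is gone (the plugin is at 3.1.1 or later, or not installed); a 200 on a POST is the case worth investigating.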

Proof of Concept

The following proof of concept will upload the selected file with a “jpeg”, “jpg”, “gif”, or “png” file extension to /wp-content/plugins/gallery-plugin/upload/files/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/gallery-plugin/upload/php.php" method="POST" enctype="multipart/form-data">
<input type="file" name="qqfile" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
20 Dec

Vulnerability Details: Arbitrary Email Sending Vulnerability in Sharexy

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

In looking into what seemed to be a hacker probing for usage of the plugin Sharexy to possibly target ...



18 Dec

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in BuddyPress Members Only

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the Support Forum for threads ...



01 Dec

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in User Role Editor

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

All three changelog entries for version 4.38 of the plugin User Role Editor are security related, possibly indicating that some sort of ...



01 Dec

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Special Text Boxes

Recently the web scanner service Detectify has been vaguely disclosing minor vulnerabilities in a number of WordPress plugins. It seems like they are aware that they could notify the developers of these, but usually haven’t been doing it. One of the more recent batch was an “Authenticated XSS” vulnerability in the plugin Special Text Boxes.

In a previous post we looked at a reflected cross-site ...

