20 Jul 2023

Wordfence Falsely Claims It Has to Rely on Inaccurate Plugin Vulnerability Data from Patchstack

On an unfortunately regular basis, we are finding that vulnerabilities that were supposed to have been fixed in plugins used by our customers haven’t been fully fixed, and in some cases haven’t been fixed at all. That is the case with a vulnerability that was recently supposed to have been fixed in the 200,000+ install plugin Ultimate Member. In looking into that, we ran across several other problems involving competing data providers that are not being honest about their data and its sourcing.

In our recent monitoring of possible discussions about plugin vulnerabilities in the WordPress Support Forum, we have seen a Wordfence employee claiming that Wordfence doesn’t have control over their own plugin vulnerability data. Here was one instance of that: [Read more]

18 Jul 2023

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability Fixed in Rank Math SEO

The changelog for the latest version of the WordPress plugin Rank Math SEO, which has 2+ million installs, suggested that a security vulnerability had been fixed, but didn’t credit a discoverer. (It did mention a company that redirects vulnerability reports away from developers and WordPress.) Checking into that, we found that a minor authenticated persistent cross-site scripting (XSS) vulnerability, exploitable through a shortcode, had been fixed.

Only one change was made in that version, which makes it easy to see what was going on. [Read more]

14 Jul 2023

Information Disclosure Vulnerability in WP Email Capture

Yesterday, we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Email Capture. Looking at the latest version, we found a number of places where the code was insecure, but nothing that looked like a vulnerability a hacker would exploit. One of the recent versions of the plugin had a changelog entry that might explain a hacker’s interest:

[Read more]

12 Jul 2023

Information Disclosure Vulnerability in Ninja Forms Incompletely Fixed

The recent version 3.6.26 of the WordPress plugin Ninja Forms includes what the developer describes as a number of “security enhancements”, one of those being “[p]revent unauthorized download of submission”. That sounds less like an enhancement and more like a vulnerability. We confirmed it was a vulnerability and that it had been incompletely fixed.

Looking at the changes made in that version, we found that this appeared to relate to legacy functionality that still exists in the plugin despite not normally being used. [Read more]

29 Jun 2023

Now Fixed Role Change Vulnerability in Ultimate Member Was Zero-Day

On Tuesday, a new version of the WordPress plugin Ultimate Member was released. The changelog for that version, 2.6.4, didn’t mention a security fix, but there was an upgrade notice for that version, which reads “This version fixes a security related bug. Upgrade immediately.” Unfortunately, it looks like upgrade notices in a plugin’s readme.txt, like that one, are only shown on the WordPress Updates admin page, /wp-admin/update-core.php.

Yesterday, another version was released, 2.6.5, which had a changelog entry that is fairly clear as to what was at issue: [Read more]