Vulnerability Insights
Remote Code Execution (RCE) Vulnerability in Template Debugger
Today, Patchstack claimed there was a cross-site request forgery (CSRF) vulnerability in the latest version of the WordPress plugin Template Debugger, but didn’t provide the information needed to check on their claim. In looking into this, we found what probably is what they are labeling as a CSRF vulnerability, but it is actually a much more serious vulnerability. The vulnerability allows an attacker to run arbitrary code on the website.
…
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Super Socializer
One of the changelog entries for the latest version of the WordPress plugin Super Socializer is:
…
Persistent Cross-Site Scripting (XSS) Vulnerability in WP Mail Logging
The changelog entry for the two latest versions of the WordPress plugin WP Mail Logging indicated that security issues had been addressed:
…
Hackers Likely Trying to Exploit This Partially Fixed Vulnerability in the WordPress Plugin Download Monitor
In the past few days we have seen what appear to be at least two hackers probing for usage of the WordPress plugin Download Monitor, which has 100,000+ installs. In looking into what might explain that, we found that there was a vulnerability that hackers would try to exploit that was partially fixed shortly before the probing started. Thankfully, there are some important limitations to it being exploitable.
The changelog for a recent version of the plugin had a concerning entry:
Latest Version of UpdraftPlus Fixes Cross-Site Request Forgery (CSRF) Vulnerability
The top listing in the changelog for the latest version of the 3+ million install WordPress plugin UpdraftPlus is about a security fix in the new version:
SECURITY: Fixed a missing nonce combined with a URL sanitisation failure, which could lead to a targeted XSS opportunity (if an attacker persuades a logged-in administrator to both re-authorise their connection to a remote storage (e.g. Dropbox) and then to follow a link personally crafted for their site before re-authorising whilst logged in, he can then store a fixed JavaScript payload in the WP admin area (they would need a further route to use that ability to cause any damage)). Because of the need for the administrator to co-operate in multiple steps, this attack is very unlikely (but you should of course still update).
Wordfence Intelligence Vulnerability Database is Still Falsely Claiming Vulnerabilities Have Been Fixed
In reviewing changes being made to WordPress plugins used by our customers that are supposed to fix vulnerabilities, we often find that the vulnerabilities haven’t actually been fixed. Telling our customers that vulnerabilities have been fixed when we don’t actually know if they have been fixed would be unethical, but that is what we keep finding another provider, Wordfence, is doing with their Wordfence Intelligence Vulnerability Database. On their homepage, Wordfence call themselves the “Global Leaders in WordPress Security” and say you should trust them because of that. It’s unclear what would make someone the global leaders in WordPress security, but we can say they can’t be trusted whether they are the global leaders or not, as what we found below shows.
The changelog for the latest version of the WordPress plugin Simple Calendar claimed that a vulnerability was fixed in the plugin:
Information Disclosure Vulnerability in Link Whisper Free
Recently Patchstack very vaguely claimed that there is an unfixed vulnerability in the WordPress plugin Link Whisper Free. We really do mean very vaguely, as the only information provided about the claimed vulnerability is that it involves a “broken access control” and that it doesn’t require authentication. They claimed that they received no reply from the author about the issue.
…
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager
The changelog for the latest version of the WordPress plugin Download Manager indicated that a security issue was being addressed with shortcodes:
…
Latest Elementor Version Fixes Privilege Escalation Vulnerability Issues
Last month, we contacted the developer of the 5+ million install (and maybe 13 million install) WordPress plugin Elementor about yet another issue with them failing to properly restrict access to the plugin’s functionality to only the users that are intended to access it. The only response we got back was asking about a subscription to their Elementor Pro plugin. That issue still hasn’t been fixed, but the latest version of the plugin, 3.13.2, did address some other instances of the issue that led to at least minor vulnerabilities.
The only changelog information given on the fix made was “Security Fix: Addressed security weaknesses in access management related functions”. Looking into this, so that we could properly inform one or more of our customers using that plugin, we found that user capability checks were added in several locations. One example of that involves the file /modules/safe-mode/module.php, where the ajax_enable_safe_mode function had such a capability check added to limit enabling a safe mode for the plugin to those with the install_plugins capability (which normally only Administrators have):