11 Jun 2024

Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express

Over the weekend, a hacker attempted to exploit on our website a SQL injection vulnerability that turned out to be one recently fixed in the 90,000+ install WordPress plugin Icegram Express. We don’t use the plugin, so the attempt appears to be part of an untargeted campaign to exploit it.

Upon reviewing the relevant code, we found that it still isn’t properly secured, and neither is other, similarly accessed code. We have reached out to the developer about that. Based on the continued insecurity, we would recommend not using the plugin unless it receives a more thorough security review and all the issues are addressed.

11 Jun 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP jQuery Lightbox (WP Lightbox)

One of the changelog entries for the latest version of the WordPress plugin WP jQuery Lightbox (WP Lightbox) is “Minor security fix (issue only affected authenticated users).” Checking into that, we found that it referenced an authenticated persistent cross-site scripting (XSS) vulnerability where someone with the ability to edit posts could cause JavaScript code to run when someone clicks on an entry with a lightbox.

10 Jun 2024

Reflected Cross-Site Scripting (XSS) Vulnerability in Dynamic QR Code Generator

The WordPress plugin Dynamic QR Code Generator was closed on the WordPress plugin directory last year, with the only explanation given being that it had a “Security Issue.” No further details of the issue were given. Earlier last year, a security provider had vaguely claimed it contained a reflected cross-site scripting (XSS) vulnerability, but again with no further details. Looking at the code, we found there is a reflected XSS vulnerability in the most recent version of the plugin.

5 Jun 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in GreenShift

The changelog for the latest version of the WordPress plugin GreenShift reads “Added: Lighbox improvements and security improvements for social share block, typography options.” The security improvement referenced there appears to be the addition of escaping when outputting user input from a block. Even in the code being modified, the escaping is incomplete, which is confirmed with the proof of concept below. That means there is currently an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin. Other similar code is also missing needed escaping. We have notified the developer of that and offered to help them address it.

3 Jun 2024

Developer of Million+ Install WordPress Plugin Discloses Security Vulnerability Without Making Update Available

A lot of things can go wrong in trying to fix vulnerabilities in WordPress plugins, and sometimes things go wrong in an intentional way. That is the case with a vulnerability in the 1+ million install WordPress plugin Loco Translate. A week ago, the developer submitted a change for the plugin that fixes a vulnerability in it. What they didn’t do was release a new version of the plugin so that those using it can update to a fixed version. While sometimes developers forget to bump the version number of the plugin, causing that situation, here the developer is making changes to the plugin publicly before releasing a new version. That isn’t a good idea for security vulnerabilities, since it is possible to monitor for security changes, as we do, and notice such a situation.

In the submission to fix the vulnerability, the developer wrote “Fixed a missing security check – thanks Nosa Shandy.” The referenced security check is a nonce check, which prevents cross-site request forgery (CSRF). CSRF would allow an attacker to cause someone else to take an action they didn’t intend to. The vulnerability being fixed allowed that to occur when changing or resetting the advanced configuration options of a plugin or theme translation bundle from the plugin.

31 May 2024

Hacker Targeting Incompletely Fixed Vulnerability in WordPress Plugin YITH WooCommerce Ajax Search

A hacker has started targeting a vulnerability in the WordPress plugin YITH WooCommerce Ajax Search, which has been incompletely fixed. That vulnerability allows an attacker to cause malicious JavaScript code to run on an admin page of the website. While a recent update protects those using the updated version from exploitation, it doesn’t fully address the problem, so any websites updated after it was exploited are still vulnerable. While not all older versions of the plugin are vulnerable, it looks like a significant portion of the 70,000+ websites using the plugin could still be using a vulnerable version, based on the data provided by WordPress about its usage and download count.

Yesterday, our Plugin Vulnerabilities Firewall blocked multiple attempts to exploit the vulnerability on our website. The exploit attempts came from an IP address, 93.174.93.127, registered to IP Volume inc:

13 May 2024

Numerous Security Providers Fail to Catch That WP Engine Didn’t Fix Vulnerability in 100,000+ Install WordPress Plugin

When it comes to the very common occurrence of vulnerabilities in WordPress plugins failing to really be fixed, many providers are often involved in that failure. That is the case with a recently disclosed vulnerability in the 100,000+ install plugin Genesis Blocks.

That plugin comes from WP Engine, which markets itself as having a dedicated security team, though one that keeps “your website vulnerabilities up to date” instead of fixing them: