29 Feb 2024

AI Helps to Detect Incomplete Security Fix Being Made to 1+ Million Install WordPress Plugin WP File Manager

We often find that attempts to fix vulnerabilities in WordPress plugins have been incomplete or have failed entirely, including with vulnerabilities that hackers could certainly be targeting. For us to be able to find that, we have to know that a vulnerability was supposed to have been fixed. Developers don’t always disclose that vulnerabilities have been fixed. While that could be defensible in limited circumstances for serious vulnerabilities likely to be exploited, that usually isn’t the situation when it happens. One method we have to determine that an attempt has been made to fix a vulnerability is using machine learning, a form of artificial intelligence (AI), to try to detect relevant changes being made to the code of plugins in the WordPress Plugin Directory. That monitoring flagged just such a change made yesterday to the 1+ million install plugin WP File Manager. The changelog for the change wouldn’t suggest a security fix, as it reads, “Fixed Language issue.”

Looking at the changes made, it isn’t hard to see why it was flagged, as a nonce check, which protects against a type of vulnerability, cross-site request forgery (CSRF), was being added: [Read more]

28 Feb 2024

WooCommerce Vulnerability Listed as Being Fixed in Upcoming Release Was Already Fixed

In January, multiple WordPress security providers falsely claimed that a vulnerability had been fixed in the WooCommerce plugin. The situation was made more problematic because one of them said it was fixed in a version of WooCommerce that was newer than the version currently available. This situation was partially caused by the developers of WooCommerce having a changelog entry for security improvement included in the changelog for the wrong version of the plugin. That has happened again, only this time there really is a vulnerability, though a minor one, being fixed.

Yesterday, a beta version of WooCommerce 8.7.0 was submitted to the WordPress Plugin Directory. The changelog added for it suggests that will be released on March 13. One of the entries was flagged by our systems as possibly referring to a fix for a vulnerability: [Read more]

26 Feb 2024

Authenticated Information Disclosure Vulnerability in Download Manager

While reviewing the second attempt to address a vulnerability related to a failure to properly sanitize, validate, and/or escape shortcode attributes in the WordPress plugin Download Manager, we found another issue that still hasn’t been addressed. It involves a shortcode located in the file /src/Category/Shortcodes.php. The shortcode wpdm_category_link calls the function categoryLink() in that file:


[Read more]

21 Feb 2024

Privilege Escalation Vulnerability in Brave Conversion Engine

One of the changelog entries for the latest version of the Brave Conversion Engine is “Fixed: SSFR vulnerability.” That would presumably be a reference to a server-side request forgery (SSRF) vulnerability. Looking into that, it seems the SSRF element of that is limited, but there is still a vulnerability that hasn’t been resolved here. We have reached out to the developer about that and offered to help them address it.


[Read more]

21 Feb 2024

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Download Manager

One of the changelog entries for the latest version of the WordPress plugin Download Manager suggested that an authenticated persistent cross-site scripting (XSS) vulnerability through a shortcode was being fixed, as it reads “Fixed input sanitization issues with short-code parameters.” In looking into the changes made, it looked like the fix was incomplete. A bit of testing confirmed that. We have reached out to the developer to let them know the fix was not complete and offered to help them address this.


[Read more]
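The two Download Manager entries above both concern shortcode attributes that reach page output without being escaped for the context they land in. The following is an added illustration written for this page, not code from Download Manager or any other plugin: a hypothetical shortcode in its vulnerable form beside a form that escapes each attribute for its output context. It assumes WordPress is loaded (shortcode_atts and the esc_* functions are WordPress core); the shortcode name, attribute names and function names are assumptions.

```php
<?php
// Constructed example for this page; not code from Download Manager or any
// other plugin. Assumes WordPress is loaded. Shortcode name, attribute names
// and function names are assumptions.

// Vulnerable form: attribute values taken from the post content are placed
// straight into HTML. Shortcode output is not filtered by kses at render
// time, so a user who can publish or edit posts but lacks the unfiltered_html
// capability can still store markup that runs for every visitor to the page.
function example_download_link_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => 'Download', 'class' => '' ),
        $atts,
        'example_download_link'
    );
    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">'
        . $atts['title'] . '</a>';
}

// Hardened form: every attribute is escaped for the exact context it is
// output in. Escaping only one of the three (for instance only the title)
// would be the kind of incomplete fix the entries above describe.
function example_download_link_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'url' => '', 'title' => 'Download', 'class' => '' ),
        $atts,
        'example_download_link'
    );
    return sprintf(
        '<a href="%s" class="%s">%s</a>',
        esc_url( $atts['url'] ),     // URL context; esc_url() also drops schemes
                                     // outside wp_allowed_protocols(), e.g. javascript:
        esc_attr( $atts['class'] ),  // HTML attribute context
        esc_html( $atts['title'] )   // text node context
    );
}

add_shortcode( 'example_download_link', 'example_download_link_safe' );
```

When reviewing a fix for this class of issue, the check is mechanical: list every attribute the shortcode accepts, find every place each one is output, and confirm the escaping function matches that output context. An attribute that is sanitized on the way in but later concatenated into a different context (an attribute value versus an href versus inline script) is still a problem.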

20 Feb 2024

Cross-Site Request Forgery (CSRF) Vulnerability in IP2Location Country Blocker

The changelog for the latest version of the WordPress plugin IP2Location Country Blocker is “Fixed CSRF replace on API key value.” In looking into that, we found that there is still the same cross-site request forgery (CSRF) issue with a related function in the plugin.


[Read more]

20 Feb 2024

Settings Change Vulnerability in ThemeIsle SDK

One of the changelog entries for the latest version of the WordPress plugin Super Page Cache for Cloudflare is “Enhanced security.” In looking into that, we found that a settings change vulnerability was being fixed in the ThemeIsle SDK, which is included in the plugin. That SDK is also included in other plugins, some of which have yet to be updated. We have notified ThemeIsle that several of their plugins have yet to receive the update.


[Read more]

15 Feb 2024

Information Disclosure Vulnerability in Manage Notification E-mails

One of the changelog entries for the latest version of the WordPress plugin Manage Notification E-mails is “FIXED: Medium vulnerability in settings module. Thanks to Wordfence for reporting this.” Looking at the changes made in that version, we found that the new version restricted access to exporting the plugin’s settings to users with the manage_options capability, so Administrators. Previously even those not logged in to WordPress could do that, as the proof of concept below confirms.


[Read more]
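The WP File Manager, IP2Location Country Blocker, ThemeIsle SDK and Manage Notification E-mails entries above all come down to the same two missing checks on an admin-side handler: a capability check (who may do this) and a nonce check (did this user mean to do this). The following is an added example written for this page, not code from any of those plugins: a hypothetical settings export endpoint in a vulnerable form beside a hardened form, plus the sibling save handler that an incomplete fix tends to forget. It assumes WordPress is loaded; the action names, option name, nonce names and script handle are assumptions.

```php
<?php
// Constructed example for this page; not code from WP File Manager,
// IP2Location Country Blocker, the ThemeIsle SDK or Manage Notification
// E-mails. Assumes WordPress is loaded. Action names, the option name, nonce
// names and the script handle are assumptions.

// Vulnerable pattern: the export endpoint is registered for logged-in and
// logged-out requests alike, with neither a capability check nor a nonce
// check. Anyone can read the settings (information disclosure), and any
// state-changing sibling written the same way can be triggered through a
// logged-in user's browser by a page they visit (CSRF).
function example_export_settings_vulnerable() {
    wp_send_json( get_option( 'example_plugin_settings', array() ) );
}
add_action( 'wp_ajax_example_export', 'example_export_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_export', 'example_export_settings_vulnerable' );

// Hardened pattern: no nopriv hook, a capability check, and a nonce check.
// Both checks are needed: the capability check alone still allows CSRF
// against an Administrator, and the nonce alone still lets any logged-in
// user, Subscriber included, export the settings.
function example_export_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // Reads $_REQUEST['nonce']; on failure it dies with -1 and a 403.
    check_ajax_referer( 'example_export_nonce', 'nonce' );
    wp_send_json_success( get_option( 'example_plugin_settings', array() ) );
}
add_action( 'wp_ajax_example_export', 'example_export_settings_safe' );

// The same pair of checks belongs on every handler that writes settings.
// An incomplete fix adds them to one handler and leaves a related one
// (such as the save path next to a fixed export path) unprotected.
function example_save_settings_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_save_nonce', 'nonce' );
    $settings = array(
        'api_key' => sanitize_text_field( wp_unslash( $_POST['api_key'] ?? '' ) ),
    );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save', 'example_save_settings_safe' );

// Hand the nonces to the admin page's JavaScript so legitimate requests can
// include them (assumes a script with handle 'example-admin' is registered).
function example_admin_scripts() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'         => admin_url( 'admin-ajax.php' ),
        'exportNonce' => wp_create_nonce( 'example_export_nonce' ),
        'saveNonce'   => wp_create_nonce( 'example_save_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_admin_scripts' );
```

The practical review step for each of the entries above is the same: for every wp_ajax_, wp_ajax_nopriv_, admin_post_ and REST route callback the plugin registers, confirm that the capability required matches what the handler does, that a nonce (or, for REST, the permission_callback) is verified before any read of sensitive data or any write, and that a fix applied to one handler was also applied to its siblings.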

13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css [Read more]