The changelog for the latest version of the WordPress plugin WordPress Hosting Benchmark tool is “fixed CSRF bug and WP nonce check vulnerability reported by patchstack.com, Dhabaleshwar Das.” In looking into that, we found that there was a more serious issue than cross-site request forgery (CSRF) at issue and it wasn’t fully fixed.
…
The first entry in the changelog for the latest version of the WordPress plugin Formidable Forms suggested that a cross-site request forgery (CSRF) vulnerability had been fixed in the new version:
…
One of the changelog entries for the latest version of the WordPress BetterDocs is “Improved: Security Enhancement”. That seems to be more than a bit of an understatement based on what was done.
…
Last year, Patchstack vaguely claimed that the plugin Maspik – Spam blacklist contained a cross-site request forgery (CSRF) vulnerability. About the only detail provided was tha it was supposed to have been fixed in version 0.7.9. The changelog for that version doesn’t suggest a vulnerability was fixed, as it reads “Bug fix (Please update ASAP!)”.
…
Back in November, the Automattic owned WPScan claimed there had been a vulnerability in a plugin that extends the very popular ecommerce plugin WooCommerce, which is also owned by Automattic. WPScan only got around to releasing any information about the claimed vulnerability this month. When we went to check on that, we found that the relevant code is still vulnerable, though less vulnerable than it was before. If the developer of the plugin was properly implementing the built-in security when using WordPress’ REST API they wouldn’t still have the vulnerability.
We are now four years in with the REST API being available in WordPress, but plugin developers are still not implementing a basic security element it introduced correctly. So it seems worth going through what is going wrong and how it can be fairly easily be fixed. [Read more]
We were recently alerted that one of our customers started using a WordPress plugin, Duplicate Post Page Menu & Custom Post Type, which has been closed on the WordPress Plugin Directory. The reason given for the closure is:
…
On Monday, our Plugin Vulnerabilities Firewall plugin blocked a couple of exploit attempts on our website that we didn’t already have data to identify the WordPress plugin being targeted. In investigating that, we found they were attempts to exploit a remotedcode execution (RCE) vulnerability in the 90,000+ install WordPress plugin LearnPress, which was fixed on December 25 in version 4.2.5.8. The developer disclosed there was a security fix in that version, but barely. One of the changelog entries for that version reads “Fixed: security.”. The vulnerability allows an attacker to run arbitrary PHP code on the website.
This may be connected to CVE-2023-6634, though the record for it is lacking the information needed to be sure of that. If it is connected to that, the CVE Record is wrong, as it says “all versions up to, and including, 4.2.5.7” are vulnerable, but the code attempted to be exploited was added in 4.2.5.7. [Read more]
Recently, Patchstack vaguely claimed there was an authenticated SQL injection vulnerability in the plugin Pre* Party Resource Hints. They were claiming it was only exploitable by users with the Administrator role, so that wouldn’t be a vulnerability, since they can already do the equivalent of that. In that situation, there might be a cross-site request forgery (CSRF)/SQL injection vulnerability if there is improperly secured code, though. While Patchstack provided no details, Anthony Thorne else pointed to code improperly secured against SQL injection. The developer has now made an improper attempt to fix that issue.
…
One of the changelog entries for the latest version of the WordPress plugin PDF Invoices & Packing Slips for WooCommerce is “Fix: potential SQL injection bug in Number Tools”. In looking into that, we found that this wasn’t a potential issue, but a vulnerability. Specifically, it is an authenticated SQL injection vulnerability exploitable by users with the Shop Manager role. It is also a cross-site request forgery (CSRF)/SQL injection vulnerability that could be exploited against Shop Managers and Administrators. We also found it hadn’t been fully fixed.
Looking at the changes made in the new version, we saw that in the file /includes/tables/class-wcpdf-number-store-list-table.php changes were being made related to user input being passed in to a SQL statement. That code is accessed when accessing this admin page from the plugin: /wp-admin/admin.php?page=wpo_wcpdf_options_page&tab=debug§ion=numbers . While the developer was already using a prepared SQL statement, they are, for some reason, passing user input directly in to it when they shouldn’t, which defeats the purpose of the protection offered by a prepared SQL statement. The new version still doesn’t resolve that, as that aspect of this wasn’t addressed. Instead, the developer passed the user input through sanitize_text_field(), which doesn’t stop SQL injection. That involves the variable $search: [Read more]