8 Jan 2024

WordPress Hasn’t Provided Fix for Severe Vulnerability Being Exploited in the Frontend Admin Plugin

According to WordPress’ security page, their security team can provide fixes for severe vulnerabilities in WordPress plugins. When they would do that is almost entirely opaque, as they say “if the vulnerability is severe, the plugin/theme is pulled from the public directory, and in some cases, fixed and updated directly by the Security Team.” We keep running into situations where that isn’t happening when it should. The latest incident involves an arbitrary file upload vulnerability in the plugin Frontend Admin that was publicly, if vaguely, claimed to exist on December 27. It took until January 4 for the plugin to be closed on the WordPress Plugin Directory. No update has been provided, despite the ease of providing a fix, as we will show. We have offered for years to provide fixes to WordPress in situations like this, without them taking up the offer.

Despite the already public claim that it contains a serious vulnerability, WordPress isn’t warning that the plugin is vulnerable, instead only saying on the listing for the plugin that “This closure is temporary, pending a full review.”: [Read more]

5 Jan 2024

Hackers Relying on WordPress Security Providers’ Information to Target Vulnerabilities in WordPress Plugins

Today, a hacker tried to exploit, on our website, a vulnerability recently fixed in the WordPress plugin WP Compress. In looking into that, we found another instance where it looks like hackers are relying on information coming from WordPress security providers to determine what vulnerabilities to target.

The logging for our own firewall plugin showed a blocked request for this URL, a directory traversal attempt in which the “../” segment climbs from wp-content back to the site root to read wp-config.php, the file holding the site’s database credentials: /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php [Read more]
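Spotting that payload in your own logs is straightforward once the parameter value is decoded and split into path segments. The following Python scanner is an added example (it is neither the firewall plugin’s code nor anything from WP Compress): it parses access-log lines, pulls out the parameters assumed to carry a file path (only `css` is known from the request above; the parameter set and the combined-log format are assumptions), and flags a “..” segment or a request whose resolved target is a sensitive file such as wp-config.php. It goes slightly beyond the single request shown by also catching the double-percent-encoded and backslash variants attackers use against filters that decode only once. The log lines are constructed for illustration, not real traffic.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format) for illustration; the two
# 203.0.113.5 requests mirror the traversal payload quoted in the post, the
# others are benign traffic. Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2024:10:12:01 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php HTTP/1.1" 403 0
203.0.113.5 - - [05/Jan/2024:10:12:02 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content%252F..%252F..%252Fwp-config.php HTTP/1.1" 403 0
198.51.100.7 - - [05/Jan/2024:10:13:30 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/themes/example/style.css HTTP/1.1" 200 812
198.51.100.9 - - [05/Jan/2024:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Query parameters assumed to carry a file path (the post shows only `css`).
PATH_PARAMS = {"css"}
# Files an attacker typically goes after with a read traversal.
SENSITIVE_FILES = {"wp-config.php", ".htaccess"}


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (attackers double-encode to slip past
    filters that decode only once) and unify backslashes with slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_path_value(value):
    """Return a reason if `value` looks like a traversal or a grab at a
    sensitive file, otherwise None."""
    path = decode_fully(value)
    if ".." in path.split("/"):
        return "dot-dot traversal"
    # Anchor at "/" so normpath cannot climb above the notional root,
    # then look at the file actually being requested.
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    if posixpath.basename(resolved) in SENSITIVE_FILES:
        return "sensitive file requested"
    return None


def classify_request(target):
    """Inspect every path-carrying parameter of a request target."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in PATH_PARAMS:
            continue
        for value in values:
            reason = classify_path_value(value)
            if reason:
                return f"{reason} in '{name}': {value}"
    return None


def scan_log(text):
    """Return a list of (ip, status, reason) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reason = classify_request(match["target"])
        if reason:
            hits.append((match["ip"], match["status"], reason))
    return hits


if __name__ == "__main__":
    for ip, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} (HTTP {status}): {reason}")
```

The check is deliberately done on path segments rather than a substring search for “..”, so a legitimate file name containing two dots (for example “style..css”) is not flagged, while “wp-content/../wp-config.php” is caught regardless of how it is encoded. Run against the constructed log it reports the two 203.0.113.5 requests and nothing else.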

2 Jan 2024

Cross-Site Request Forgery (CSRF) Vulnerability in WP Server Health Stats

The changelog for the latest version of the WordPress plugin WP Server Health Stats is “Fixed CSRF vulnerability (CVSS 3.1 score) reported by Patchstack.” Looking at the changes made, we found that referred to an attempt to address an issue that allows an attacker to cause someone logged in to WordPress to purge the plugin’s cache without intending to, which would be a cross-site request forgery (CSRF) vulnerability. The developer attempted to fix that in the new version, but didn’t do so correctly, so the vulnerability, a really minor one, still exists.

[Read more]

7 Dec 2023

Digging In To The Authenticated Arbitrary File Upload Vulnerability in Elementor

Yesterday, an update was released for the 5+ million install WordPress plugin Elementor with a changelog suggesting a security issue was addressed: “Fix: Improved code security enforcement in File Upload mechanism.” While looking into this, we found that Elementor appears to have multiple issues. We found the plugin did have an arbitrary file upload vulnerability, and whether it is now fixed is arguable. Based on what we know now, we would say it is fixed, though some insecurity remains, and there may be something we are missing. (Update 12/8: Elementor has released a second fix to address the remaining insecurity.) As we have been saying since April, we would recommend not using plugins from Elementor based on repeated incidents of poor security handling.

Other Providers’ Claims

Based on that changelog, it appears the WordPress security provider Wordfence claimed there was a (fixed or unfixed) authenticated (Contributor+) arbitrary file upload to remote code execution via template import vulnerability in the plugin, which they described this way: [Read more]

4 Dec 2023

WordPress Download Manager Plugin Exposed Passwords, Still Is Storing Plaintext Passwords

Developers of WordPress plugins are not always open about fixing security issues in their plugins. That seems to be the case with the latest release of the 100,000+ install Download Manager plugin. Its changelog hints that a security issue might have been fixed, as it reads “fixed an issue with the password validation for password-protected files.” As at least one of our customers is using the plugin, we checked over that to see if there was something we should be warning about and, if so, to make sure it was fixed. We found that a security issue was addressed, though another underlying issue still hasn’t been addressed.

In the plugin’s file /src/Package/PackageLocks.php, a single line of code was removed in the new version: [Read more]

30 Nov 2023

Privilege Escalation Vulnerability in Super Progressive Web Apps

The changelog for the latest version of the WordPress plugin Super Progressive Web Apps suggests a vulnerability might have been fixed, as one of the entries says in part “Fixed Broken Access Control vulnerability”. Looking at the changes made in that version, we found that a minor issue was addressed. Previously, anyone could access the functionality to sign up for a newsletter or to hide the newsletter form.

[Read more]

22 Nov 2023

300,000+ Install Widgets for Google Reviews WordPress Plugin Doesn’t Contain a High Risk Arbitrary File Upload Vulnerability

One of the ways we keep track of possible vulnerabilities in WordPress plugins is to monitor the WordPress Support Forum for discussions related to them. Today, there was a concerning claim of a high risk vulnerability in a plugin that is used by at least one of our customers, as well as 300,000+ websites, Widgets for Google Reviews. Another user of the plugin was claiming that it contained a “high risk vulnerability as it allows the upload of backdoors”. They also said this was an arbitrary file upload vulnerability. They were not the original source for the claim; instead, it was Patchstack.

Patchstack’s own claims were similar. They, for example, wrote that the claimed vulnerability would “allow a malicious actor to upload any type of file to your website”. It’s only if you click a button labeled “Show technical details” that they bother to mention a critical detail: the attacker, they say, would need to have the WordPress Editor role or above to exploit this. [Read more]