20 Nov 2023

Latest Version of 2+ Million Install MC4WP: Mailchimp for WordPress Fixes Minor Security Issue

Today an update was released for the 2+ million active installation WordPress plugin MC4WP: Mailchimp for WordPress. Its changelog entry, “Forms: Don’t show form preview to users without edit_posts capability.”, suggests that a security change had been made. As at least one of our customers is using the plugin, we checked in on that and found that a minor security issue had been addressed.

As suggested by the changelog, the update did add a check to restrict access to seeing a preview of a form from the plugin to those with the edit_posts capability. Prior to that, anyone could see the preview, including those not logged in to WordPress. Unless there is information included in a form that isn’t meant to be seen by everyone, there wouldn’t be a security risk in that. [Read more]

17 Nov 2023

Wordfence’s Plugin Vulnerability Data Copied From Competitors Continues to Not Be Impeccable

Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and, to a lesser degree, their competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too. [Read more]

16 Nov 2023

1+ Million Install WordPress Plugin Duplicator Hardening Update Actually Fixes CSRF Vulnerability

One step that WordPress could take to make it easier to see if updates to WordPress plugins are supposed to have fixed security issues would be to require developers to include their changelog in the plugin’s listing on the WordPress Plugin Directory. Right now that isn’t the case, so you have plugins, including the 1+ million install plugin Duplicator, which require you to go elsewhere to check it. That also makes it harder to flag possible security updates in an automated fashion. As at least one of our customers uses that plugin, a monitoring system we have checks to see if the changelog has been updated. Today that alerted us to an update, which has this changelog: “[FIX] Implemented hardening for the plugin recommended by Dmitrii Ignatyev from Cleantalk”. Checking on the changes, we found that isn’t exactly an accurate description, as the hardening, as they put it, fixed a cross-site request forgery (CSRF) vulnerability.

That lack of clarity brings up another improvement that WordPress could make: a clear requirement as to how developers should disclose in the changelog that security issues are being fixed in their plugins. It isn’t uncommon to find developers not disclosing security fixes at all, or doing so in a way that you wouldn’t realize it was a security fix, as was twice the case with the same vulnerability in WooCommerce. [Read more]

15 Nov 2023

WooCommerce Extending Plugins Might Not Actually Be Written With All WordPress Security Standards in Mind

Recently the developer of a WordPress plugin that extends WooCommerce responded to a claim that their plugin contained a vulnerability by stating that the plugin has “no known vulnerabilities and is written with all wordpress security standards in mind taking precaution to avoid such an issue.” Can you trust that sort of claim? In our years of experience, no. Plugin developers often make strong claims about their handling of security that turn out not to be true. That turned out to not be true with this plugin, WooCommerce Product Table Lite, as well. Those looking to make sure the plugins they use are actually secure should look for plugins that have had an independent security review done, or get one done for the plugins they use.

Like another plugin we discussed this week, where the developer had missed a vulnerability despite claiming to have done multiple audits, this situation involved a vague claim from a security provider named Patchstack that the plugin contained a cross-site request forgery (CSRF) vulnerability. This plugin also contained such an issue that wasn’t hard to find and involved a failure to implement basic security. After finding it, we contacted the developer. We let them know what appeared to be at issue, linked to the relevant WordPress documentation to address it, and offered to help them with that issue. They have now addressed the vulnerability. [Read more]

14 Nov 2023

Changes WordPress Plugin Developers and Patchstack Can Take to Better Handle Vulnerabilities

Part of how we keep track of vulnerabilities in WordPress plugins is by monitoring the WordPress support forum for relevant topics. What we are seeing a lot these days are developers who are trying to deal with rather unclear claims of vulnerabilities in their plugins. Two weeks ago, we helped a developer to get an issue in their plugin addressed after another provider, Patchstack, as usual, was rather unhelpful. There are lessons for plugin developers and Patchstack. We don’t have much hope for Patchstack addressing the issues, since they are already long running and well known, but developers have a chance to pretty easily improve their handling of the security of their plugins.

Patchstack inaccurately claimed that the plugin Simple SEO contained a cross-site request forgery (CSRF) vulnerability. While that was part of the issue, the vulnerability was more serious than that, though not a serious vulnerability. Here is the information they provided on that: [Read more]

14 Nov 2023

Using Our Plugin Security Checker to Find a Reflected XSS Vulnerability Patchstack Claimed Was in a Plugin

We have been seeing a recurring issue recently where users of WordPress plugins are asking the developers if they are going to fix vulnerabilities that a WordPress security provider, Patchstack, has claimed are in their plugins. The developers are responding, accurately, that Patchstack hasn’t provided any details on what the issue is supposed to be. That obviously makes it difficult to address things if there really is a vulnerability, or to otherwise refute the claim. A recent instance of that involved a claim of a reflected cross-site scripting (XSS) vulnerability in the plugin WP Bannerize Pro.

Here are the “details” Patchstack provided: [Read more]

13 Nov 2023

Exploited Vulnerability in WordPress Plugin Shows Importance of Robust Firewall Protection

Over the weekend, an attacker tried to exploit, on our website, a local file inclusion (LFI) vulnerability that was recently fixed in the WordPress plugin Blog Designer Pack. We are not running the plugin, so we were not at risk. But our own firewall plugin still blocked the exploit attempts through its protection against directory traversal:

[Read more]

10 Nov 2023

Developer of WP Fastest Cache Obliquely Discloses SQL Injection Vulnerability, Fix Isn’t Generally Available

Yesterday, the developer of the 1+ million install WordPress plugin WP Fastest Cache committed a change to the plugin in the Subversion repository underlying the WordPress Plugin Directory that fixed a SQL injection vulnerability. Unfortunately, they haven’t released a new version of the plugin that makes the fix available to the public. If hackers haven’t already realized what is at issue, it shouldn’t take them long.

The commit message for the update was “Security Enhancements”, which suggests a vulnerability could have been fixed. Our machine learning (artificial intelligence (AI)) based system for catching vulnerabilities being fixed in updates to WordPress plugins flagged the change as fixing a vulnerability. Could hackers have a similar system? Who knows, but it isn’t too complicated to create what we have, so we wouldn’t want to bet they don’t. [Read more]

31 Oct 2023

Authenticated Local File Inclusion (LFI) Vulnerability in NextGEN Gallery

WPScan recently claimed there had been an admin+ local file inclusion vulnerability in the WordPress plugin NextGEN Gallery. That wouldn’t be a vulnerability, as Administrators can already do the equivalent of that. The proof of concept suggested that if there really was a vulnerability, it wasn’t only accessible to Administrators. One of the steps suggests that anyone with the ability to create posts or pages could exploit this:

[Read more]