11 Jun

WooCommerce Multivendor Membership WordPress Plugin Contains Persistent XSS Vulnerability

Two days ago we discussed that, after seeing what looked to be a hacker probing for the WordPress plugin WooCommerce Frontend Manager (WCFM), we found that the plugin contained, among other security issues, an authenticated persistent cross-site scripting (XSS) vulnerability. That is more of a concern than it usually is, since the plugin works with WooCommerce, which by default allows untrusted individuals to create WordPress accounts, so hackers would have an easier time exploiting it than they would with the average plugin. In looking at the developer’s other plugins, we found that one of them, WooCommerce Multivendor Membership, is even more insecure, as the same type of vulnerability can be exploited without even being logged in to WordPress.

(Despite WooCommerce Frontend Manager (WCFM) likely being targeted by a hacker and containing an unfixed vulnerability they would exploit, WordPress is still distributing the plugin two days later.) [Read more]

10 Jun

Recently Closed WordPress Plugin with 30,000+ Installs Contains Persistent XSS Vulnerability

The plugin SEO Redirection was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should warn users of the plugin that also use our service about, we found it contained multiple security issues. What looked to be the most serious issue that we found in just a quick check is a persistent cross-site scripting (XSS) vulnerability, which is something that hackers might be interested in exploiting.

Given how insecure we found it to be, we would recommend not using the plugin until its security has been thoroughly reviewed and the issues identified have been fixed. [Read more]

09 Jun

A Hacker Looks to be Probing for WooCommerce Frontend Manager (WCFM), This Vulnerability Could be Their Target

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website today for the plugin WooCommerce Frontend Manager (WCFM) by requesting this file:

  • /wp-content/plugins/wc-frontend-manager/readme.txt

We are not aware of any publicly disclosed vulnerabilities that might explain this. In doing our standard checks when we see what looks to be a hacker probing for usage of a plugin, we found that low-level users have access to AJAX functions only intended for users managing the website. That is a more significant issue than with the average plugin, since the plugin is designed to work with WooCommerce, and by default WordPress websites running WooCommerce allow untrusted individuals to create WordPress accounts. [Read more]

07 Jun

Poor Handling of Security in WordPress Plugin Directory Also Impacts ClassicPress Directory

On Friday we noted that we had started doing proactive monitoring of the plugins in the plugin directory of the WordPress fork ClassicPress for serious security issues, and had also run the ClassicPress plugins available there through our Plugin Security Checker, which flags the possibility of additional, less serious issues. We found a couple of plugins with minor security issues through that, including one with a vulnerability. That vulnerability was promptly fixed. Also on Friday, we ran the six plugins from the WordPress Plugin Directory that are also included in ClassicPress’ directory through the same tool. We found that two of them had an easy-to-spot minor vulnerability.

This is the kind of thing that the WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of. We have repeatedly offered to help them implement this type of thing, but, as with our other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]

04 Jun

Our First Check of the Security of ClassicPress Plugins Found a Minor Vulnerability

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now brought similar monitoring to the Plugin Directory for the WordPress fork ClassicPress. That directory includes both plugins developed for ClassicPress and some plugins directly from the WordPress Plugin Directory.

The structure of ClassicPress’ directory is different, so instead of checking over the changes being made, as we can do with WordPress, we check over all the plugins we can download at regular intervals. At this point we cannot process them all in an automated way because of a couple of issues with easily getting access to the download links (those might be in the process of being resolved), but we were able to check a significant number of them earlier this week, and none of them had any code that was flagged. [Read more]

03 Jun

A Hacker Looks to be Probing for Product Feed PRO for WooCommerce, This Vulnerability Could be Their Target

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website yesterday for the plugin Product Feed PRO for WooCommerce by requesting these files:

/wp-content/plugins/woo-product-feed-pro/css/woosea_admin.css
/wp-content/plugins/woo-product-feed-pro/js/woosea_add_cart.js
/wp-content/plugins/woo-product-feed-pro/readme.txt

[Read more]

28 May

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in Content Mask

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability in the plugin Content Mask, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use with that tool to see if they might have similar issues. [Read more]

26 May

A Hacker Looks to be Probing for Modern Event Calendar Lite, This Vulnerability Could be Their Target

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website today for the plugin Modern Events Calendar Lite by requesting these files:

/wp-content/plugins/modern-events-calendar-lite/assets/css/mecrtl.css
/wp-content/plugins/modern-events-calendar-lite/readme.txt
/wp-content/plugins/modern-events-calendar-lite/assets/js/events.js

[Read more]
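The three probing posts above (WCFM, Product Feed PRO for WooCommerce and Modern Events Calendar Lite) all rest on the same observation: a client requesting a plugin's readme.txt or static assets directly, without having loaded a page that references them, is fingerprinting which plugins a site runs. The following is an added example of that detection logic run over web-server access logs; it is not code from the blog or from any of the plugins named. The log lines are constructed (combined log format, documentation IP addresses), the plugin slugs are the ones that appear in the posts above, and the two heuristics, "readme-style file" and "plugin path that 404s, with no Referer", are assumptions of this example, not the blog's stated method.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
# 203.0.113.5 walks through readme.txt and asset files for several plugins with no
# Referer and gets 404s; 198.51.100.7 loads a stylesheet as part of rendering a
# page (Referer set, 200), which is what normal browser traffic looks like.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2019:14:02:11 +0000] "GET /wp-content/plugins/wc-frontend-manager/readme.txt HTTP/1.1" 404 215 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2019:14:02:12 +0000] "GET /wp-content/plugins/woo-product-feed-pro/readme.txt HTTP/1.1" 404 215 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2019:14:02:12 +0000] "GET /wp-content/plugins/woo-product-feed-pro/css/woosea_admin.css HTTP/1.1" 404 215 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2019:14:02:13 +0000] "GET /wp-content/plugins/modern-events-calendar-lite/readme.txt HTTP/1.1" 404 215 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2019:14:05:40 +0000] "GET /events/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2019:14:05:40 +0000] "GET /wp-content/plugins/modern-events-calendar-lite/assets/css/mecrtl.css HTTP/1.1" 200 1832 "https://example.test/events/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/]+)/(?P<file>.+)$')

# Files a browser never fetches while rendering a page. A direct request for one
# of these inside a plugin directory is a fingerprinting request (assumed list).
PROBE_FILES = {"readme.txt", "readme.md", "changelog.txt"}


def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    pm = PLUGIN_RE.match(rec["path"])
    rec["slug"] = pm.group("slug") if pm else None
    rec["file"] = pm.group("file").lower() if pm else None
    return rec


def is_probe(rec):
    """A plugin-directory request counts as probing when it arrives with no
    Referer and either targets a readme-style file or hits a plugin that is not
    installed here (404). Both criteria are this example's assumptions."""
    if not rec["slug"]:
        return False
    direct = rec["referer"] in ("", "-")
    return direct and (rec["file"] in PROBE_FILES or rec["status"] == 404)


def find_probing(lines):
    """Return {client_ip: sorted list of plugin slugs probed for}."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec):
            hits[rec["ip"]].add(rec["slug"])
    return {ip: sorted(slugs) for ip, slugs in hits.items()}


if __name__ == "__main__":
    for ip, slugs in find_probing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed for {len(slugs)} plugin(s): {', '.join(slugs)}")
```

The output of interest to a defender is the list of slugs per client: a client that requests readme.txt for a plugin you do run, and which has an unfixed vulnerability, is the case the posts above are warning about. The Referer heuristic is deliberately conservative (privacy settings and some proxies strip it), so treat a hit as a signal to correlate, not a block decision on its own.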