15 Aug

Authenticated User Deletion Vulnerability in Keypic

One common cause of vulnerabilities being discovered in WordPress plugins these days is functions made accessible through WordPress’ AJAX functionality that fail to check if the user making the request should be accessing them. Since anyone who is logged in can make a request to them by default, if there isn’t any check done to ensure only [Read more]

05 Jul

Authenticated Information Disclosure Vulnerability in Log Emails

Recently we took a quick look over plugins that log emails sent through WordPress. Those emails have the potential to contain sensitive information, so their security is important. In two cases we found that the plugin allowed any logged in user to view emails logged by the plugin. In the case of the Log [Read more]