19 Jul

Closures of Very Popular WordPress Plugins, Week of July 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and one of those has not been reopened. [Read more]

17 Jul

Vulnerability Details: Cross-Site Request Forgery (CSRF)/SQL Injection in Advanced CF7 DB (Advanced Contact form 7 DB)

This post provides the details of a vulnerability in the WordPress plugin Advanced Contact form 7 DB not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

14 Sep

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Advanced Contact form 7 DB

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found was introduced in the most recent version of the plugin Advanced Contact form 7 DB.

The vulnerability could allow an attacker that had access to a WordPress account to upload arbitrary files to the website and by uploading a malicious PHP file they can take just about any action on the website. It also could allow an attacker that could get a user logged in to visit a URL the attacker controls, to exploit the vulnerability as well. [Read more]

01 Sep

What Happened With WordPress Plugin Vulnerabilities in August 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet): [Read more]

24 Aug

Authenticated Information Disclosure Vulnerability in Advanced Contact form 7 DB

One of the strengths of WordPress is the multitude of plugins available, if you need some functionality you are likely to find a plugin that provides it. There are downsides as well. With over 51,000 plugins in the Plugin Directory it isn’t surprising to find new plugins that duplicate functionality already provided by another plugin. One of the downsides of that is that we have seen a fair amount of situations where a vulnerability has been fixed in a plugin and then another similar plugin comes along that has that same vulnerability. In the case of a vulnerability we found in the plugin Advanced Contact form 7 DB, we found the same vulnerability we had found in a couple of other similar plugins. The vulnerabilities in the other plugin still haven’t been fixed, while this one has now been fixed, though you wouldn’t know that there was a security fix in the version that fixed it if you relied on the plugin’s changelog.

The plugin entered our radar when a piece of its code showed got flagged as part of our proactive monitoring for serious vulnerabilities in WordPress plugins. The code in question turned out to not be vulnerable, but based on the vulnerabilities we had found in similar plugins, which allowed people that shouldn’t be able to view the contents of contact form submissions, we checked to see if it was also an issue with this plugin and it turned out to be the case. [Read more]