24 Jun 2021

The WP Super Cache Vulnerability That Wasn’t a Vulnerability

In March, Search Engine Journal wrote a story about a “vulnerability” in the very popular WordPress plugin WP Super Cache, which has 2+ million installs. The issue was described this way:

A flaw was disclosed today that exposes users of WP Super Cache to an authenticated remote code execution (RCE) vulnerability. [Read more]

23 Jun 2021

Patchstack and Their Red Team Don’t Understand Basics of WordPress Security

One long-standing issue when it comes to collecting data on vulnerabilities in WordPress plugins is that many reported vulnerabilities are not really vulnerabilities. What has recently become an increasing problem, though, is that these false reports are coming directly from other data providers. One of those providers is Patchstack, which has something called the Patchstack Red Team. That apparently is a bug bounty program, not really a red team (or a team at all), but whatever it is, Patchstack posted a listing to their vulnerability database the other day for the plugin WP Reset that is credited to “m0ze (Patchstack Red Team)”. The details provided didn’t look promising as to it being a real vulnerability, and a quick check of the code confirmed that it wasn’t.

Authenticated Stored Cross-Site Scripting (XSS) in WP Reset

The only details provided about the claimed authenticated stored cross-site scripting (XSS) vulnerability are these two proofs of concept: [Read more]

18 Jun 2021

Keeping WordPress Plugins Up to Date and Installing Wordfence Security Won’t Stop Websites From Being Hacked

When it comes to keeping WordPress websites secure, much of the advice out there, even when it comes from “reputable” security companies, isn’t accurate. We happened across a recent example of this on Reddit, where someone was asking whether WordPress websites with up-to-date plugins and the Wordfence Security plugin installed get hacked. They got a lot of inaccurate information in response, some of which seems worth addressing.

Their post was titled, “How many WP sites being hacked with fully up to date plugins and wordfence installs?”, and further explained their question with this: [Read more]

7 Jun 2021

Poor Handling of Security in WordPress Plugin Directory Also Impacts ClassicPress Directory

On Friday we noted that we had started doing proactive monitoring of the plugins in the plugin directory of the WordPress fork ClassicPress for serious security issues, and had also run the ClassicPress plugins available there through our Plugin Security Checker, which flags the possibility of additional, less serious issues. We found a couple of plugins with minor security issues through that, including one with a vulnerability. That vulnerability was promptly fixed. Also on Friday, we ran the six plugins from the WordPress Plugin Directory that are also included in ClassicPress’ directory through the same tool. We found that two of them had a really easy to spot minor vulnerability.

This is the kind of thing that the WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers about. We have repeatedly offered to help them implement this type of thing, but, like other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]

4 Jun 2021

Does CKEditor 4.16.1 Fix a Security Vulnerability?

On May 26, new versions of the popular Drupal software were released to fix a “moderately critical” cross-site scripting (XSS) vulnerability caused by an “error in parsing HTML” in the “third-party CKEditor library”. The Drupal advisory further stated that “CKEditor 4.16.1 and later include the fix”.

The release notes for CKEditor 4.16.1, which was released on May 20, however, make no mention of any security fix: [Read more]

25 May 2021

WP User Avatar/ProfilePress and the Security Implications of Repurposing a WordPress Plugin

Last week one of the most popular WordPress plugins, WP User Avatar, was repurposed to become ProfilePress. Here is how Justin Tadlock at the WordPress Tavern described the change in the plugin:

Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin. [Read more]

10 Mar 2020

The Security Ninja WordPress Plugin Isn’t Going to Provide You Accurate Information on WordPress Plugin Vulnerabilities

The security industry doesn’t currently have a well-functioning market, so you don’t have companies actually competing to provide better services (instead, companies largely compete on who can tell the best lies, which produces the expected poor results). We nonetheless continue to look at how we are doing versus other sources, so we can provide our customers the best service possible. We recently ran across the Security Ninja plugin promoting that it will check for WordPress plugin vulnerabilities and wanted to see how things stacked up.

According to them, they get their data from the National Vulnerability Database (NVD): [Read more]

9 Mar 2020

Fortinet’s FortiGuard Labs Is Putting Out Reports That Falsely Claim Vulnerabilities in WordPress Plugins Have Been Fixed

Recently, if you were relying on other sources for information on vulnerabilities in the WordPress plugins you use, you would have seen it claimed that Envira Gallery Lite recently contained a vulnerability that was fixed in version 1.7.7.

Here is how that is described in the CVE entry: [Read more]

6 Mar 2020

WordPress Plugin Directory Team Allowed Hackers Three Weeks to Exploit Vulnerability in Plugin with 60,000+ Installs

When it comes to security issues with WordPress plugins, the team running the WordPress Plugin Directory continues to make matters worse. One area where we have seen that occurring for some time (and where we have been criticized for taking action to protect our customers) is the closure of popular plugins with security issues. That occurred again recently with Brizy, which has 60,000+ installs. The WPScan Vulnerability Database belatedly warned about a vulnerability in the plugin yesterday with this timeline (we had warned any customers of our service that were impacted last month):

February 10th, 2020 – Report received & WP Plugins Team notified.
February 12th, 2020 – WP Plugin Team Investigating
February 12th, 2020 – v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 – Seeing probes checking for the issue
March 4th, 2020 – Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 – Plugin can not be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 – Issue disclosed, we recommend to remove the plugin until a new version is available and downloadable [Read more]