07 Jan

Our Plugin Security Checker Could Have Warned You About the Possibility of Vulnerabilities in a Couple of WordPress Plugins with 80,000 Installs

On Friday we noted in our post detailing a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Ninja Forms, which has 1+ million active installations according to wordpress.org, that our Plugin Security Checker,  which is a tool that allows anyone to see if there are possible security issues in WordPress plugins that could use further investigation, had been updated to better catch that type of issues like that based on variations that existed in that plugin’s code from how things are normally done.

[Read more]

20 Nov

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed they knew about it until after it others had noticed and possibly after it had been exploited. Completely coincidentally during our our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities we have spotted the same kind of serious vulnerability being introduced today in to a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

[Read more]