As part of starting a security review of the WordPress plugin Eventin after it was chosen by our customers to receive a review, we ran the plugin through our Plugin Security Checker. That identified the possibility of a server-side request forgery (SSRF) issue in the plugin:
Today, we had a hacker try to exploit a vulnerability recently fixed in the WordPress plugin WP Compress on our website. In looking into that, we found another instance where it looks like hackers are relying on information coming from WordPress security providers to determine what vulnerabilities to target.
In the logging for our own firewall plugin, it showed an attack blocked for this URL, /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php: [Read more]
One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file viewing vulnerability being added to the plugin WPYog Documents.
We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]
While reviewing hacking attempts against our website, we saw what looked to be an attempt to exploit an arbitrary file viewing vulnerability in the plugin Mac Doc Photogallery like this:
…
Two days ago the developer of the iThemes Security plugin, which is one of the most popular WordPress security plugins, disclosed that another of their plugins, BackupBuddy, had a zero-day vulnerability. A zero-day vulnerability is one that is being exploited before the developer is aware of it. That seems like a big story, but when the vulnerability was covered by the WP Tavern, there was no mention of iThemes Security or question raised about what that says about the state of WordPress security plugins.
iThemes’ post also makes this strange claim: [Read more]
The security of plugins that extend the WordPress ecommerce plugin WooCommerce is often poor, something that the developer of WooCommerce, Automattic, hasn’t taken an interest in addressing. Another part of Automattic claims to provide some protection against that, but isn’t delivering that. Automattic’s WPScan is promoted with this claim:
Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes. [Read more]
Before new plugins are allowed in to WordPress’ plugin directory, they are claimed to go through a manual review:
After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]
With an arbitrary file viewing vulnerability in the plugin True Ranker credited to p7e4, Wordfence described it this way:
…
One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it being introduced in to a plugin. That vulnerability being an arbitrary file viewing vulnerability, which hackers frequently try to exploit to gain access to the database credentials for WordPress websites, in the plugin Law Practice Management Software.
The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool also flags many other instances of insecure code in the plugin, which is rather concerning as the plugin is intended to be used by lawyers. [Read more]
