The plugin MapSVG Lite got flagged by our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities and when went to look into what was identified by that we found that the plugin was closed on the WordPress Plugin Directory yesterday. That appears to have happened due to a security issue, but a different one than our monitoring picked.
…
As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we had what looks to be a hacker probing for usage of the plugin Excel Like Price Change for WooCommerce and WP E-commerce (Excel-Like Price Changer for WooCommerce and WP E-commerce) on our website.
As we started looking into what might be causing that we quickly found that the plugin is quite insecure. There are smaller issues like the plugin’s admin pages being limited to users with the “edit_pages” capability instead of “manage_woocommerce”, so Editor level users can access to WooCommerce related data and functionality they are not intended to. What we ran across first though is a much larger issues was that a lot of the plugin’s functionality is accessible those not even logged in to WordPress and that creates various vulnerabilities, we have detailed a couple of obvious ones below that hacker might in the process of exploiting and there look to be more. [Read more]
One of the changelog entries for the latest version of Caldera Forms is “SECURITY: Patch for issue affecting CF Pro API. Does not affect most users, see post for detailssee post for details.” On the linked page it is stated:
…
Earlier today we noted in detailing an arbitrary file viewing vulnerability that had been fixed in a WordPress plugin that in looking at the code from that we made improvement to our detection of that type of vulnerability in our proactive monitoring of changes being made to plugins to try to catch serious vulnerabilities when they are introduced in to plugin and our Plugin Security Checker. It didn’t even take a day before that improvement allowed us to spot an arbitrary file viewing vulnerability in the plugin WebP Express through that proactive monitoring. That type of vulnerability is likely to be exploited, though usually doesn’t cause website to be hacked.
This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker since it can alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately. [Read more]
In a nasty reminder of why it is a good idea for plugin developers to pair to only the files they need from third party libraries, our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins spotted a possible security issue in code being removed from the plugin Woocommerce Pay.nl Payment Methods and what we found was that for 22 months the plugin had several serious security issues due to a test file from the library PHP Curl Class. One of those being the ability to view arbitrary files on the website. We are in the process of contacting the developer of the library about this.
…
One of the things that you get when using our data on vulnerabilities in WordPress plugins either through our long time service or our new newsletters instead of trying to do things on your own or using lower quality data sources, is that we actually check over the reports and provide an accurate information on them. For a fair amount of reports the original discloser has provided inaccurate information about the vulnerability (or there isn’t even a vulnerability).
One area we see a lot of confusion, whether it be with members of the security community or hackers is with arbitrary file viewing and local file inclusion (LFI) vulnerabilities. A recent example where things got quite mixed up and where other data sources would have lead you astray involved two vulnerabilities disclosed by Manuel Garcia Cardenas a couple of weeks ago. [Read more]
One the things we find rather telling about the security industry is that they seem to find various statistics valuable, but ones they seem to be totally uninterested in are any that would actually show that their products and services are actually effective at protecting websites (despite that seeming like it should be a prerequisite before using so many of them). One type of statistic that we have seen them focus on instead is supposed measures of how many attacks the average website is facing. Earlier this year one company promoting their service with such a statistic, seemed to make a case that they are not really valuable, as they promoted the increase in attacks as being a concern and then when it when it went down they claimed that was also a bad sign:
“A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite,” says Neill Feather, president of SiteLock. “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.” [Read more]
From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
…
Recently in our monitoring of the WordPress Support Forum we ran across a thread about claiming a vulnerability being exploited in a plugin Candidate Application. The vulnerability being referred to there was actually in another plugin. The slug of the plugin being discussed is wp-candidate-application-form and the vulnerability was for a plugin with the slug candidate-application-form. The vulnerability mentioned in thread was disclosed in July of 2015. The author of both of the plugins is the same and it looks like after the first plugin was removed they simply moved to the new one. That seems like something that the Plugin Directory should have noticed at the time the second one was submitted for the Plugin Directory.
Looking at the code of the new plugin we found that it has the same type of vulnerability as the first one, though the code has been changed. [Read more]
Back in August through our proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins we found that the plugin WP Post Popup contained an arbitrary file viewing vulnerability. That was subsequently fixed. Through that same monitoring we found that the vulnerability had returned to the plugin.
The only difference from last time is that file the vulnerability was now in is named /public/partials/wp-post-modal-public-proxy.php. [Read more]