5 Dec 2018

Our Improved Proactive Monitoring Already Caught Another Option Update Related Vulnerability in a WordPress Plugin

Yesterday we noted that our newly improved proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities at the time they are introduced into plugins and is built on code we developed for our Plugin Security Checker (an automated tool you can use to check whether plugins you use contain possible security issues), had already caught a fairly serious vulnerability, one that could leave a website fully disabled. That was yet another vulnerability caused by insecure usage of the update_option() function, a class of vulnerability we have been finding repeatedly in the wake of one of them being widely exploited. Today that monitoring caught a more serious vulnerability involving the same function: this one could be used to take full control of a website, and while it requires the attacker to be logged in to WordPress, the plugin in question, ARMember Lite, is a membership plugin, so it would likely be installed on websites that allow user registration.
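To make the class of issue concrete, here is an added illustration (not code from ARMember Lite or from the Plugin Security Checker) of the generic insecure update_option() pattern that this kind of monitoring flags, placed next to a hardened version of the same handler. The hook names, function names and the `example_welcome_text` option are hypothetical; the WordPress API calls are real.

```php
<?php
// Added illustration, not ARMember Lite's code: a generic admin-ajax handler
// that writes options insecurely, followed by a hardened version.

// INSECURE: actions registered with the wp_ajax_ prefix are reachable by every
// logged-in user, so any registered member can write any option with any value.
// That is what turns "requires login" into full control of the site.
function example_insecure_save_setting() {
    $name  = $_POST['option_name'];   // request-controlled option name
    $value = $_POST['option_value'];  // request-controlled value
    update_option( $name, $value );   // arbitrary option write, no checks
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_setting', 'example_insecure_save_setting' );

// HARDENED: capability check, nonce check, fixed plugin-owned option names,
// and per-option sanitization before the write.
function example_secure_save_setting() {
    // Only users allowed to manage site options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests that did not come from the plugin's own settings form (CSRF).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // The option name is never taken from the request: it is looked up in a
    // fixed map of plugin-owned options to their sanitizer.
    $allowed = array(
        'example_welcome_text' => 'sanitize_text_field', // hypothetical option
    );
    $key = isset( $_POST['setting'] ) ? sanitize_key( $_POST['setting'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $sanitizer = $allowed[ $key ];
    $raw       = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $key, call_user_func( $sanitizer, $raw ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_secure_save_setting', 'example_secure_save_setting' );
```

When reviewing a plugin for this pattern, the questions to ask of every update_option() call reachable from a request are the three the hardened handler answers: who is allowed to reach it, is the request tied to a nonce, and is the option name fixed by the plugin rather than supplied by the caller.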

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it would already have notified you of this possible issue. It is flagging a large number of other possible security issues in the plugin, so anyone using it who is concerned about security would be best served by making sure someone with the proper skill set reviews the plugin further and checks whether there are other security issues that need to be fixed. Paying customers of our service can suggest/vote for plugins to receive a security review from us. We also offer security reviews of a plugin separately from our service.