31 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced in to a WordPress Plugin with 300,000+ Installs

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities we use software to flag potentially issues (you can check plugins in the same way using our Plugin Security Checker) and then we manually to check over the code. The second part of that can take a substantial amount of time, as while sometimes the code that runs before the potentially vulnerable code is limited and tightly woven, often it isn’t. That was the case with the code that leads to an authenticated arbitrary file upload vulnerability we found had being introduced in the plugin Meta Box, which has 300,000+ installs according to wordpress.org.

[Read more]

30 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Events Made Easy

Yesterday we disclosed an arbitrary file upload related vulnerability discovered through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities for which the underlying vulnerable code ran despite the user interface for it being disabled. That turns out to not be a one-off issue as our proactive monitoring has also led to us finding an authenticated arbitrary file upload vulnerability in the plugin Events Made Easy where the user interface also appears to be missing. This is a good reminder of the limits of trying to look for vulnerabilities without looking at the underlying code of software.

[Read more]

02 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in WP Githuber MD

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a more limited variant of one of the most likely to be exploited types of vulnerabilities as it was being introduced in to a plugin. That being an authenticated arbitrary file upload vulnerability in the plugin WP Githuber MD, which in this case would provide hackers who have access to a WordPress account with at least the Author role with the ability to gain complete control of the website.

[Read more]

20 Dec

Vulnerability Details: Arbitrary File Upload In LearnPress

This Vulnerability Details post about a vulnerability in the plugin LearnPress provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

09 Oct

The WordPress Plugin Directory Team Should Spend Their Time Avoiding Issues Like This Instead of Acting Inappropriately as Forum Moderators

On day two of our doing  full disclosures of WordPress plugin vulnerabilities until the  inappropriate handling of the moderation of the WordPress Support Forum is cleaned up we disclosed a couple of easily spottable exploitable vulnerabilities that were in brand new plugins. As we noted then that shouldn’t be happening since there is supposed to be a manual security review as part of larger manual review of new plugins before they are allowed in the Plugin Directory. Either these reviews are not happening, which seems possible (for a number of reasons), or the security review is a failure at a basic level. If it is the latter we have offered to help improve the process, but we have never been taken up on that.

[Read more]

14 Sep

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Advanced Contact form 7 DB

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found was introduced in the most recent version of the plugin Advanced Contact form 7 DB.

[Read more]

18 Jul

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in MapSVG Lite

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. That sometimes leads to us catching a vulnerability of a more limited variant of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin MapSVG Lite. This vulnerability could allow an attacker that had access to a WordPress account to upload arbitrary files to the website. It also could allow an attacker that could get a user logged in to visit a URL the attacker controls, to exploit the vulnerability as well.

[Read more]

23 Feb

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Convert Docx2post

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited version of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin Convert Docx2post. This vulnerability could allow someone that has access to a WordPress account with the “publish_posts” capability (which would normally be any user with the Author role and above) to upload a malicious file to the website, which could they use to take additional actions on with the website. It also could allow an attacker that could get a logged in user to visit a URL the attacker controls, to upload a malicious file to the website, which the hacker could then use to take additional actions on their own with the website.

[Read more]

13 Feb

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Church Admin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That sometimes leads to us catching a vulnerability of a more limited version of one of those serious vulnerability types, which isn’t as much concern for the average website, but could be utilized in a targeted attack. That happened with the authenticated arbitrary file upload vulnerability we found in the plugin Church Admin. This vulnerability could have allowed someone that has access to a WordPress account that can access the admin area (which would normally be any user, Subscriber-level and above) to upload a malicious file to the website, which could they use to take additional actions on with the website.

[Read more]

22 Nov

Authenticated Arbitrary File Upload Vulnerability in Vmax Project Manager

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that lead to that was the plugin Vmax Project Manager. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities, due to the possibility of an arbitrary file upload vulnerability in the plugin.

[Read more]