15 Apr

Our Proactive Monitoring Caught an Authenticated Arbitrary File Viewing Vulnerability Being Introduced in to Apply Online

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is theĀ proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file viewing vulnerability being introduced in to the plugin Apply Online.

[Read more]

29 Mar

Vulnerability Details: Authenticated Arbitrary File Viewing in Loco Translate

This post provides the details of a vulnerability in the WordPress plugin Loco Translate not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

27 Mar

Full Disclosure of Authenticated Arbitrary File Viewing Vulnerability in Child Themes Helper

In our previous post we detailed an authenticated arbitrary file upload that our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities caught in the plugin Child Themes Helper. It looks like there is quite a bit of inadequately secured code in the plugin, but one other issue that stood out is an authenticated arbitrary file viewing vulnerability.

[Read more]

14 Jan

Vulnerability Details: Authenticated Arbitrary File Viewing in Health Check & Troubleshooting

This post provides the details of a vulnerability in the WordPress plugin Health Check & Troubleshooting not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

10 Sep

Vulnerability Details: Authenticated Arbitrary File Viewing Vulnerability in Contact Form 7

This post provides the details of a vulnerability in the WordPress plugin Contact Form 7 not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

23 Oct

Authenticated Arbitrary File Viewing Vulnerability in Awesome Support

There is what seems like a nearly endless supply of advice on security for WordPress websites. A lot of it comes from people that shouldn’t be providing it (that includes much of what comes from security companies). We recently wrote a post about some bad security advice coming from the company behind theĀ Awesome Support plugin on choosing plugins and we were curious to see how secure their plugin was. It took only seconds to find that plugin was failing to do some security basics, which lead to a couple of serious issues (we didn’t do anywhere near a full review, so there may be other issues).

[Read more]

10 Jul

Vulnerability Details: Authenticated Arbitrary File Viewing Vulnerability in Shortcodes Ultimate

This post provides the details of a vulnerability in the WordPress plugin Shortcodes Ultimate not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]