A recent version of the WordPress plugin Download Monitor had a changelog that indicated that a security vulnerability might have been fixed, “Fix: Security fix”. Looking at the changes made seemed to show that the developer might have been improperly fixing a vulnerability and further checking confirmed that was the case.
…
Recently 21 WordPress plugins from the developer YITH have been updated with a vague changelog entry that they “patched security vulnerability”. The security vulnerability patched allowed anyone logged in to WordPress to view the contents of two log files if they existed on websites. One of those could contain sensitive information, as it would contain information logged for PHP errors. If the functionality had previously been used, then other users could access them as well. The latter issue hasn’t been resolved.
Among the plugins affected are the 900,000+ install YITH WooCommerce Wishlist, 200,000+ install YITH WooCommerce Compare, and two plugins with 100,000+ installs, YITH WooCommerce Ajax Product Filter and YITH WooCommerce Quick View. [Read more]
Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:
when are you going to fix the problem, a couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]
As detailed in a separate post, earlier this year it was disclosed the WordPress plugin Co-Authors Plus had contained a vulnerability that disclosed email addresses through a REST API route. That is still possible through another REST API route.
In the file /php/class-coauthors-endpoint.php, a REST API route to search for coauthors is registered: [Read more]
One of the more troubling aspects of the poor security of WordPress plugins is that so many companies are both handling the security of their plugins rather poorly and trying to profit from the insecurity that they are helping to create. We discussed one example of that a year ago, involving plugin developer 10Web’s poor handling of the security of their plugins, while selling a security service and partnering with another company that is trying to profit off the insecurity, Patchstack. That post dealt in part with 10Web’s failed attempt to a fix a vulnerability in the Event Calendar WD (EventCalendar) plugin and the subsequent failure to get that resolved after we let them know it hadn’t been fixed. While the partnership with Patchstack was supposed to improve the security of the WordPress ecosystem, it didn’t even lead to 10Web’s plugins being properly secured.
On Monday, Event Calendar WD was closed on WordPress Plugin Directory. Unhelpful for those using it, no explanation was provided on why it was closed (as is the case with all plugin closures there). As at least one of our customers is using the plugin, we took a look to see if there might be a serious vulnerability that could have led to the closure, which we should be warning them about. We didn’t find such a vulnerability. But just in the limited checking we did for that, we found various security issues with the plugin. We confirmed there is at least one vulnerability and there are likely others. [Read more]
There is a WordPress plugin named Passwords Manager that can store passwords in WordPress:
Password Manager wordpress plugin let you to store different passwords at one place. Passwords are stored in WordPress database in encrypted form so no one can see them. Passwords can also be categorized if you have multiple passwords. This plugin uses advanced encryption standard AES – 128 and you can define your encryption key at the time of installation of plugin. [Read more]
The JVN has credited Keitaro Yamazaki of Ierae Security, Inc with discovery of a couple of vulnerabilities in the WordPress plugin Advanced Custom Fields that were described this way:
…
One of the changelog entries for the latest version of the WordPress plugin Total Upkeep is:
…
One of the changelog entries for the latest version of the WordPress plugin BackUpWordPress is:
…
The WordPress plugin WP Post Page Clone was closed on November 18 and yesterday a new version was submitted with a changelog entry that reads:
…