9 Jan 2024

Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor

In December 2018, WordPress 5.0 was released, introducing a new default editor, the block editor (also known as Gutenberg). You would think that the developer of the most popular security-only plugin, Wordfence Security, would have quickly made sure it offered protection when that editor is used, but a test we did in September 2021 found that it didn’t. At the time, the same was true of the best free option for protection, NinjaFirewall, and of our then in-development Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led us to revisit this, and we found that things haven’t changed for Wordfence Security but have for the other two plugins.

On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule: [Read more]

14 Dec 2023

Brainstorm Force Removed Security Code and Reintroduced Vulnerability in 1+ Million Install WordPress Plugin

It’s commonly claimed that you can help determine whether a WordPress plugin is secure by looking at its install count and checking whether the developer is well known. We have yet to see anyone making that claim present any evidence of a correlation. We have seen plenty of instances where major WordPress plugin developers have had problems handling security in popular plugins. Take Brainstorm Force. They were recently covered by the WP Tavern while claiming to have made a six-figure investment in a plugin. So they clearly have the money to handle security properly, but they don’t.

The latest incident with Brainstorm Force involves a vulnerability in a 1+ million install plugin that went unnoticed by them (and others, for that matter) for nearly four years, which they fixed, it would seem, without realizing it, and then reintroduced today. [Read more]

21 Feb 2023

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP Visitor Statistics

As is often the case, Automattic’s WPScan recently claimed that a vulnerability in a WordPress plugin had been fixed when it hadn’t. This time it involved the plugin WP Visitor Statistics and an authenticated persistent cross-site scripting (XSS) vulnerability. It is hard to understand how they got that wrong in this instance.

[Read more]

4 Feb 2023

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Fluent Forms

After version 4.3.24 of the WordPress plugin Fluent Forms was released, the developer made an additional change to that version with no description of the change. That change was flagged by our machine learning system, which tries to catch security fixes that are made without being disclosed.

[Read more]

30 Jan 2023

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Greenshift

Recently Automattic’s WPScan claimed that an authenticated persistent cross-site scripting (XSS) vulnerability had been fixed in the plugin Greenshift. As is often the case, their information is incorrect. While there is a vulnerability, in reviewing the changes that were supposed to address this, we found the fix was incomplete.

[Read more]