12 Mar

Brand New WordPress Plugin by “Automattic” Includes Authenticated PHP Object Injection Vulnerability

As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities that the possibility of is flagged by our Plugin Security Checker, an automated tool for checking for the possibilities of some security issues in WordPress plugins. We have offered the team the running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.

[Read more]

28 Nov

It Would Be a Good Idea for WordPress Plugin Developers to Check Their Plugins with Our Plugin Security Checker

Yesterday we noted that the developer of the WordPress security plugin Security Ninja plugin isn’t doing a great job with the security of their plugins. In the latest example, they could have spotted an issue before we are publicly disclosing it by simply checking the plugin with our Plugin Security Checker, which identifies possible security issues in WordPress plugins. While looking into the details of another instance of them fixing a vulnerability we had identified in one of their plugins while working on an improvement to the Plugin Security Checker, this time with the plugin Nifty Coming Soon & Maintenance page we ran the plugin through our tool and saw that it got flagged for possibly including a vulnerable version of the plugin Option Tree:

[Read more]

14 Nov

Full Disclosure of CSRF/PHP Object Injection Vulnerability in WordPress Theme with 70,000+ Installs

With our service we cover WordPress plugins (as you might guess from our name), but not WordPress themes. There are a number of reasons for that, including the dearth of vulnerabilities being disclosed in themes, which seems to be related to the limited amount of potentially vulnerable code in them despite it being possible for them to contain all the same types of issues as plugins. We got a reminder of that when we did a check over some of the most popular themes available in the WordPress Theme Directory against the checks we do of changes being made to plugins as part of our proactive monitoring to try to catch serious vulnerabilities before they are exploited and a few other checks. The proactive monitoring checks didn’t pull up anything, but one of the other checks brought up the fact that the theme Hueman , which has 70,000+ active installs according to wordpress.org, contains the plugin OptionTree.

[Read more]

13 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Portfolio X

This Vulnerability Details post about a vulnerability in the plugin Portfolio X provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

13 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Security Plugin with 70,000+ Installs

Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.

[Read more]

12 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Infographic Maker iList

This Vulnerability Details post about a vulnerability in the plugin Infographic Maker iList provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

12 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Slider Hero

This Vulnerability Details post about a vulnerability in the plugin Slider Hero provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

09 Nov

Authenticated PHP Object Injection Vulnerability in Simple Link Directory

On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.

[Read more]

09 Nov

Authenticated PHP Object Injection Vulnerability in Simple Business Directory with Maps

On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.

[Read more]

06 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Plugin with 100,000+ Installs

The WordPress plugin plugin OptionTree recently came on to our radar through our monitoring of indications that changes made to plugins have fixed security issues, as it was included in another plugin and this plugin’s last changelog indicated a security issue had been fixed in the latest version (the relevant vulnerability was already had in our data set). Including this plugin in another plugin seems to be of some concern considering the plugin hasn’t been updated in two and half years. We did a little checking over the plugin and found that it has an authenticated PHP object injection vulnerability that is not only exploitable when using the plugin directly but also with the other plugin it shipped with.

[Read more]