14 Aug

Authenticated PHP Object Injection Vulnerability in Backup and Staging by WP Time Capsule

With WordPress plugins that should have obvious heightened security risk we have often found that the security is poor, maybe even poorer that the average plugin. The authenticated PHP object injection vulnerability we ran across in the plugin Backup and Staging by WP Time Capsule is a good example of that insecurity.

[Read more]

12 Mar

Brand New WordPress Plugin by “Automattic” Includes Authenticated PHP Object Injection Vulnerability

As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities that the possibility of is flagged by our Plugin Security Checker, an automated tool for checking for the possibilities of some security issues in WordPress plugins. We have offered the team the running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.

[Read more]

28 Nov

It Would Be a Good Idea for WordPress Plugin Developers to Check Their Plugins with Our Plugin Security Checker

Yesterday we noted that the developer of the WordPress security plugin Security Ninja plugin isn’t doing a great job with the security of their plugins. In the latest example, they could have spotted an issue before we are publicly disclosing it by simply checking the plugin with our Plugin Security Checker, which identifies possible security issues in WordPress plugins. While looking into the details of another instance of them fixing a vulnerability we had identified in one of their plugins while working on an improvement to the Plugin Security Checker, this time with the plugin Nifty Coming Soon & Maintenance page we ran the plugin through our tool and saw that it got flagged for possibly including a vulnerable version of the plugin Option Tree:

[Read more]

14 Nov

Full Disclosure of CSRF/PHP Object Injection Vulnerability in WordPress Theme with 70,000+ Installs

With our service we cover WordPress plugins (as you might guess from our name), but not WordPress themes. There are a number of reasons for that, including the dearth of vulnerabilities being disclosed in themes, which seems to be related to the limited amount of potentially vulnerable code in them despite it being possible for them to contain all the same types of issues as plugins. We got a reminder of that when we did a check over some of the most popular themes available in the WordPress Theme Directory against the checks we do of changes being made to plugins as part of our proactive monitoring to try to catch serious vulnerabilities before they are exploited and a few other checks. The proactive monitoring checks didn’t pull up anything, but one of the other checks brought up the fact that the theme Hueman , which has 70,000+ active installs according to wordpress.org, contains the plugin OptionTree.

[Read more]

13 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Portfolio X

This post provides the details of a vulnerability in the WordPress plugin Portfolio X not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

13 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Security Plugin with 70,000+ Installs

Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.

[Read more]

12 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Infographic Maker iList

This post provides the details of a vulnerability in the WordPress plugin Infographic Maker iList not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

12 Nov

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Slider Hero

This post provides the details of a vulnerability in the WordPress plugin Slider Hero not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

09 Nov

Authenticated PHP Object Injection Vulnerability in Simple Link Directory

On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.

[Read more]

09 Nov

Authenticated PHP Object Injection Vulnerability in Simple Business Directory with Maps

On Tuesday we full disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree. Since then the plugin has been closed on the Plugin Directory. Why that plugin was closed, but plugins with more serious vulnerabilities we have full disclosed have not, is a bit strange, but the WordPress folks don’t make a lot of sense in general. When we disclosed that vulnerability we mentioned that we had noticed it during monitoring we do to try to catch security fixes being made in plugins, due it to its inclusion in another plugin. Then yesterday another plugin from the same developer from that other plugin popped up in that monitoring again related to OptionTree. So this seems like a good time disclose that both of those plugins are also vulnerable. There might be other plugins also using OptionTree as well, though at least we didn’t find that any of the top 1,000 are using it.

[Read more]