As mentioned in another post about another vulnerability, Wordfence has been selling access to anyone willing to pay for their Wordfence Premium service, say hackers, info on exploiting two undisclosed unfixed vulnerabilities in the plugin Directorist for a month. The second vulnerability is disclosed with this rule:
…
One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We also run all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. Through that, we caught an authenticated post deletion vulnerability in the 200,000+ install plugin CartFlows. Our customers were already protected from the vulnerability, as our Plugin Vulnerabilities Firewall plugin provides protection against this type of vulnerability without us having to write a rule for a specific vulnerability.
By default, the plugin restricts access to the admin portion of the plugin’s interface to Administrators, but it has a user role manager that allows providing lower-level users access. If users are given “Limited Access” they “Can create/edit/delete/import flows and steps only.” With the ability to delete the plugin’s flows, they can delete any post on the website. [Read more]
As part of our recent focus on providing better information to customers of our main service about the security of plugins they use, we extended monitoring we already did on the closure of the most popular WordPress plugins on WordPress’ plugin directory to those being used by our customers. We monitor those closures because they are often caused by security vulnerabilities, sometimes very serious vulnerabilities. That monitoring notified us yesterday that a customer used plugin Toolset Types has been closed. According to the message on the plugin’s page, it was closed in 2019, so this must be a new customer or a website newly using the plugin:
This plugin has been closed as of April 4, 2019 and is not available for download. This closure is permanent. Reason: Author Request. [Read more]
One of the changelog entries for the latest version of the WordPress plugin WCFM Membership is:
Enhance – Many security check improved [Read more]