18 Nov 2022

Patchstack Provided Inaccurate Information on Vulnerability Claimed to Be Exploited in WordPress Plugin

Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:

When are you going to fix the problem? A couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]

31 Oct 2022

Authenticated Settings Change Vulnerability in WP Page Widget

Last week the WordPress plugin WP Page Widget was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there is a security issue in the latest version.

About a month ago a competitor of ours, Patchstack, claimed a cross-site request forgery (CSRF) vulnerability had been fixed in the latest version of the plugin. They didn’t provide basic information needed to confirm the claim, as the “details” given are: [Read more]

3 Aug 2022

is_admin() Again Leads to WordPress Plugin Containing Vulnerability That Hackers Would Exploit

A recent review of the WordPress plugin Pop-up suggested the plugin is insecure:

I tested this plugin, it says it's free, I tried to inject code into my site… then I understood if they want they can inject any malicious code into your website by using this plugin… you are clicking launch code on an external website, and this plugin will upload code to your website based on the email address registered on both sites. So if you are using a sensitive website don't even try this plugin [Read more]

28 Apr 2022

WordPress Security Plugin WordPress HTTPS Contains Authenticated Persistent XSS Vulnerability

Yesterday we ran across a vague claim that the WordPress security plugin WordPress HTTPS, which has 50,000+ installs, might have a security vulnerability that is involved in hacks of websites. The source isn't a reliable one (despite being the developer of a popular security plugin) and they didn't provide any information to back that up. In checking over the plugin, we quickly found a reasonably serious vulnerability, though one that seems unlikely to be connected with the hacking claim being made.

We tested and confirmed that our firewall plugin for WordPress protected against the vulnerability even before we discovered it, as part of its protection against zero-day vulnerabilities. [Read more]

26 Apr 2022

Authenticated Setting Change Vulnerability in WordPress Plugin Melhor Envio

As part of our monitoring of the WordPress Support Forum for indications of vulnerabilities in plugins that we should be warning our customers about, we came across this review of the plugin Melhor Envio:

The Melhor Envio plugin has had the trojan named JS:Trojan.Cryxos for almost a month, and even though I contacted support and proved it several times, the plugin is still available for download with the Trojan. My site was taken offline five times by wordpress.com and ended up with 645 files contaminated by this malware. [Read more]

5 Apr 2022

WooCommerce Payment Plugin Targeted by Hacker Contains Multiple Serious Vulnerabilities

Late last week, third-party data we monitor showed what looked to be a hacker probing for usage of a WordPress plugin that handles payment processing for the WooCommerce plugin, ЮKassa для WooCommerce, through requests for this file:

/wp-content/plugins/yookassa/assets/js/yookassa-admin.js [Read more]

7 Mar 2022

WordPress Plugin Targeted by Hacker Currently Contains Authenticated Settings Change Vulnerability

On Saturday we had what looked to be a hacker probing for usage of the WordPress plugin WPCargo, which has 10,000+ installs, on our website. While there is a vulnerability that was recently fixed that could explain a hacker targeting the plugin, we did a quick check over the plugin. We found the plugin is lacking basic security and contains multiple security vulnerabilities. The simplest to confirm and explain is an authenticated settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found addressed.

The plugin registers the function update_import_option_ajax_request() to be accessible through WordPress' AJAX functionality to anyone logged in to WordPress: [Read more]

2 Mar 2022

WordPress Plugin Claimed to Contain “Critical 0-day Vulnerability” Contains at Least Authenticated Settings Change Vulnerability

On February 15, a topic was started on the wordpress.org support forum for the WordPress plugin Photonic with the title “Critical 0-day vulnerability in the Photonic Plugin v 2.75”. That was subsequently deleted by a moderator, but nothing was done with the plugin on WordPress' plugin directory. It is still available for download and has not been updated. While we can't say if the claim made in the title is true since the details of the claim are not available, we easily found that the plugin is lacking basic security and contains at least an authenticated settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found are addressed.

The plugin registers the function save_token_in_options() to be accessible by anyone logged in to WordPress: [Read more]
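The WPCargo and Photonic excerpts above describe the same root cause: a function hooked to a wp_ajax_ action, which WordPress runs for any logged-in user, with no check of who that user is. The Pop-up post's title points at the related mistake of using is_admin() as if it were a privilege check. The following is an added illustrative example, not code from any of those plugins (the handler and option names are made up); it shows the unchecked handler, the is_admin() variant, and the hardened form side by side. Loaded inside WordPress it behaves as a plugin; run stand-alone with the PHP CLI, the guarded stand-ins at the top model a logged-in subscriber hitting each handler so the difference is visible offline.

```php
<?php
/*
 * Added illustrative example, not code from WPCargo, Photonic, Pop-up or any other plugin.
 * Three admin-ajax.php handlers that save a plugin setting; only the third is safe.
 * Inside WordPress this loads as a normal plugin file. Run stand-alone with
 * `php ajax_settings_demo.php` and the guarded stand-ins below model a
 * logged-in subscriber calling each handler.
 */

if ( ! function_exists( 'add_action' ) ) {
    /* Stand-alone harness only (assumption: never loaded alongside real WordPress). */
    define( 'DEMO_STANDALONE', true );
    $demo_options   = array();
    $demo_user_caps = array( 'read' );             // subscriber role: no manage_options
    function add_action( $hook, $cb ) {}
    function is_admin() { return true; }           // true for any admin-ajax.php request
    function current_user_can( $cap ) { global $demo_user_caps; return in_array( $cap, $demo_user_caps, true ); }
    function check_ajax_referer( $action, $arg ) {
        if ( ( $_POST[ $arg ] ?? '' ) !== 'valid-nonce' ) throw new RuntimeException( 'bad nonce' );
    }
    function update_option( $k, $v ) { global $demo_options; $demo_options[ $k ] = $v; return true; }
    function get_option( $k ) { global $demo_options; return $demo_options[ $k ] ?? false; }
    function sanitize_text_field( $s ) { return trim( strip_tags( (string) $s ) ); }
    function wp_unslash( $s ) { return stripslashes( (string) $s ); }
    function wp_send_json_success() { throw new RuntimeException( 'request ended: success' ); }
    function wp_send_json_error( $m, $c = 500 ) { throw new RuntimeException( "request ended: $c $m" ); }
}

/* 1. VULNERABLE: wp_ajax_{action} fires for every logged-in user, and nothing here
 *    checks who that user is, so a subscriber can overwrite the option. */
function demo_save_setting_unchecked() {
    update_option( 'demo_api_token', sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting_unchecked', 'demo_save_setting_unchecked' );

/* 2. STILL VULNERABLE: is_admin() reports that the request is for an admin-side URL
 *    (admin-ajax.php qualifies); it says nothing about the user's role. */
function demo_save_setting_is_admin() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_api_token', sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting_is_admin', 'demo_save_setting_is_admin' );

/* 3. HARDENED: a nonce tied to this action (stops CSRF) plus a capability check
 *    (stops low-privilege users). Both are needed; neither replaces the other. */
function demo_save_setting_hardened() {
    check_ajax_referer( 'demo_save_setting', 'nonce' );   // ends the request on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_api_token', sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting_hardened', 'demo_save_setting_hardened' );

if ( defined( 'DEMO_STANDALONE' ) ) {
    /* A subscriber sends each handler a request. The nonce is valid on purpose, so the
     * only thing separating handler 3 from the other two is the capability check. */
    foreach ( array( 'demo_save_setting_unchecked', 'demo_save_setting_is_admin', 'demo_save_setting_hardened' ) as $handler ) {
        $_POST = array( 'token' => 'attacker-controlled', 'nonce' => 'valid-nonce' );
        update_option( 'demo_api_token', 'original' );
        try { $handler(); } catch ( RuntimeException $e ) {}
        printf( "%-28s option is now: %s\n", $handler, get_option( 'demo_api_token' ) );
    }
}
```

Run stand-alone, the first two handlers let the subscriber replace the stored value while the hardened one leaves it untouched. When reviewing a plugin, the check is mechanical: for every add_action( 'wp_ajax_…' ) and add_action( 'wp_ajax_nopriv_…' ), find the callback and confirm it calls both a nonce check and current_user_can() with a capability appropriate to what it changes before it touches update_option() or the database.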

27 Oct 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Closed WordPress Plugin Responsive Menu

On Monday, the WordPress plugin Responsive Menu was closed on the WordPress Plugin Directory. Due to that being one of the 1,000 most popular plugins in that directory (it has 100,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin contains a fairly serious security vulnerability, an authenticated persistent cross-site scripting (XSS) vulnerability, as well as other vulnerabilities because of the poor security of the code.

We tested and confirmed that two of the existing protections in our new firewall plugin for WordPress would individually stop exploitation of the authenticated persistent XSS vulnerability, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. An additional protection being added to the plugin in the next release, based on a vulnerability fixed and exploited in another plugin last week, also would provide protection against this. [Read more]

27 Aug 2021

Hackers Certainly Could Be Interested in Exploiting this Vulnerability in the Simple eCommerce WordPress Plugin

Earlier this week we had what looked to be a hacker probing for usage of the WordPress plugin Simple eCommerce on our website with this request:

/wp-content/plugins/simple-e-commerce-shopping-cart/readme.txt [Read more]
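Both the ЮKassa для WooCommerce post and the Simple eCommerce post above start from the same signal: a single request for a file whose only purpose, from the requester's point of view, is to reveal whether a particular plugin is installed. The script below is an added example, not part of either post, for pulling such requests out of a web server access log. It assumes the common "combined" log format, treats a plugin's readme.txt or anything under its assets/ directory as a plugin-identifying file, and treats such a request arriving with no Referer as a probe rather than a page load; that last rule is a heuristic I am assuming here, not something the posts state. The log lines are constructed for the example.

```php
<?php
/*
 * Added example (not from the original posts): pick out access-log requests that
 * only make sense as checks for whether a given WordPress plugin is installed.
 * Assumptions: Apache/nginx "combined" format; readme.txt or anything under assets/
 * identifies the plugin; no Referer on such a request marks it as a probe (heuristic).
 */

const COMBINED_RE   = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';
const PROBE_PATH_RE = '#^/wp-content/plugins/(?<slug>[^/]+)/(?<file>readme\.txt|assets/.+)$#i';

/* Returns slug => list of probes, each with the client IP, file asked for and status.
 * A 404 still matters: it tells you which plugins someone is hunting for. */
function find_plugin_probes( array $lines ) {
    $probes = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( COMBINED_RE, $line, $req ) ) continue;   // not a combined-format line
        $path = strtok( $req['path'], '?' );                        // drop any query string
        if ( ! preg_match( PROBE_PATH_RE, $path, $p ) ) continue;   // not a plugin-identifying file
        if ( $req['referer'] !== '-' ) continue;                    // loaded from one of our pages
        $probes[ $p['slug'] ][] = array(
            'ip'     => $req['ip'],
            'file'   => $p['file'],
            'status' => (int) $req['status'],
        );
    }
    return $probes;
}

/* Constructed sample lines, not real traffic. Line 3 is a legitimate asset load
 * (it carries a Referer from the site) and must not be reported. */
$sample_log = array(
    '203.0.113.7 - - [28/Mar/2022:03:14:09 +0000] "GET /wp-content/plugins/yookassa/assets/js/yookassa-admin.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Mar/2022:03:14:10 +0000] "GET /wp-content/plugins/simple-e-commerce-shopping-cart/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Mar/2022:03:15:01 +0000] "GET /wp-content/plugins/wpcargo/assets/css/style.css?ver=6.0 HTTP/1.1" 200 5120 "https://example.com/shop/" "Mozilla/5.0"',
    '198.51.100.4 - - [28/Mar/2022:03:15:02 +0000] "GET /shop/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
);

foreach ( find_plugin_probes( $sample_log ) as $slug => $hits ) {
    foreach ( $hits as $h ) {
        printf( "%-40s %-15s %s (HTTP %d)\n", $slug, $h['ip'], $h['file'], $h['status'] );
    }
}
```

On the constructed sample only the two Referer-less requests from 203.0.113.7 are reported, one per plugin slug; the style.css load with a site Referer and the plain page request are ignored. Feed it `file( '/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES )` instead of the sample array to run it over real logs, and treat each reported slug as a prompt to check whether that plugin is installed and whether it has a recently fixed or still-open vulnerability.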