3 Aug 2021

Wordfence Advisory Fails to Warn That WordPress Plugin with 100,000+ Installs Is Currently Very Insecure

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of any unfixed vulnerabilities that hackers are likely targeting. On Sunday we had what looked to be a hacker probing for usage of the WordPress plugin WordPress Download Manager, which has 100,000+ active installations according to wordpress.org, on our website with this request:

/wp-content/plugins/download-manager/readme.txt [Read more]

4 Nov 2019

Vulnerability Details: Authenticated Settings Change Vulnerability in MegaOptim Image Optimizer

One of the changelog entries for the latest version of the plugin MegaOptim Image Optimizer is “Security Improvements”. Looking at the changes made in that version, it appears that refers to checking if the user making requests to the plugin’s AJAX accessible functions in the file /includes/classes/MGO_Ajax.php is logged in to WordPress. That serves no purpose, since those functions are registered to only be accessible to those logged in to WordPress. While looking into that, we found that at least the function that handles saving the plugin’s settings should have a check limiting what level of logged-in user can access it, but it is missing. We have notified the developer of that.


[Read more]

23 Jul 2019

Our Proactive Monitoring Caught an Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Yes-co ORES

One of the ways we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated settings change vulnerability that leads to an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Yes-co ORES.

The plugin allows changing its settings through an AJAX accessible function ajaxSetSetting(). That is registered to be accessible to anyone logged in to WordPress: [Read more]

15 Jul 2019

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Project Supremacy Lite (Project Supremacy V3 Lite)

As part of making sure we are providing the users of our service with the best information on vulnerabilities in WordPress plugins they may be using, we monitor for indications that security vulnerabilities have been fixed in new versions of plugins. Today that led to us looking at Project Supremacy Lite (Project Supremacy V3 Lite), where the changelog for the latest version is “Added some security fixes.” The changes made in that version look to be escaping the output of the plugin’s settings. Normally the lack of that wouldn’t be a vulnerability, because only Administrators are allowed to change the settings and they can already do anything they want with WordPress. When we went to check whether that was the case with this plugin, we found that anyone logged in to WordPress can change the plugin’s settings, and one of those settings is intended to be used to place JavaScript code on all of the frontend pages of the website, which leads to an authenticated persistent cross-site scripting (XSS) vulnerability.

The plugin registers the function that handles saving the plugin’s settings, saveGeneral(), to be accessible to anyone logged in to WordPress: [Read more]

17 Jun 2019

Vulnerability Details: Authenticated Settings Change in WebP Express

Back in December we discovered an arbitrary file viewing vulnerability in the plugin WebP Express. That was finally fixed in the past few days, after we once again pointed out to the people making a mess of the Plugin Directory and WordPress Support Forum that they had left a plugin they knew was vulnerable, and that was being targeted by hackers, in the Plugin Directory. In looking at some of the additional changes made in the new version of the plugin, we noticed that while it looks like the directory team required some other security changes, they missed making sure basic security checks were included. Considering the previous vulnerability, it wasn’t surprising that we noticed another pretty big vulnerability had been in the plugin, which was fixed enough to stop exploitation, but not enough to properly secure it.


[Read more]

17 Jun 2019

Facebook’s WordPress Plugin Messenger Customer Chat Contains an Authenticated Settings Change Vulnerability

In our previous post we detailed our running across a vulnerable WordPress plugin made by Facebook with 200,000+ installs. After noticing that, we did a quick check to see if any of their other plugins had similar issues. We found that their plugin Messenger Customer Chat, which has 20,000+ installs, contains a similar vulnerability, though in this case the code is even less secure.

The plugin registers the function fbmcc_update_options() to be accessible to anyone logged in to WordPress through its AJAX functionality: [Read more]

13 Jun 2019

Simply Closing a WordPress Plugin With a Vulnerability Likely to Be Exploited Just Leaves Websites Open to Being Hacked

As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. A week ago that led to us running across two plugins with unfixed vulnerabilities. One of those plugins was closed on the WordPress Plugin Directory on May 9. In the past day we saw a hacker probing for another plugin that was closed on the same day, Real Estate Manager – Property Listing and Agent Management.

What we found when we went to look to see if there were any vulnerabilities in this plugin was nearly identical to what we found with the previous one, making it seem likely that they were both closed due to security issues discovered by the same party. Closing them and doing nothing else isn’t a solution, as what has happened with these plugins is yet another reminder of. This is a solvable problem, but the people currently running the WordPress Plugin Directory seem to be incapable of handling or even acknowledging the problem. One of the six people on the team running it, for example, has claimed there is never a need to remove closed plugins: [Read more]

7 Jun 2019

Vulnerability Details: Authenticated Settings Change and Persistent XSS in WordPress to Sugar / SuiteCRM Lead

The plugin WordPress to Sugar / SuiteCRM Lead was closed on the Plugin Directory on February 14, 2019, with the given reason for that being “Guideline Violation”. The latest changes made to it were logged as “Sanitization and nounce update” and they fix a number of security issues in it, at least one of which was actually introduced after the plugin was closed, and then fixed. Two related vulnerabilities seem of the most concern: one could have allowed an attacker to cause lead submissions to be directed to them, and the other would allow persistent cross-site scripting (XSS) to occur.


[Read more]

4 Jun 2019

Vulnerability Details: Authenticated Persistent XSS in Personalized WooCommerce Store (Personalized WooCommerce Cart Page)

That the plugin WooCommerce Store (Personalized WooCommerce Cart Page) would contain a serious security vulnerability isn’t really surprising since the developer has had numerous security issues in their plugins and doesn’t appear to have been interested in making sure they are doing things securely.


[Read more]

1 Apr 2019

Authenticated Settings Change Vulnerability That Leads to Persistent XSS in WP Google Maps

One of the things we do to keep track of vulnerabilities in WordPress plugins, to provide our customers with the best data on vulnerabilities in the plugins they use, is to monitor the WordPress Support Forum for topics that might relate to those. Through that we came across an authenticated settings change vulnerability that can permit persistent cross-site scripting (XSS) in the plugin WP Google Maps, which, considering the plugin has 400,000+ installs, is something that would be of interest to hackers.

A topic was started four days ago with the claim: [Read more]