8 Feb 2019

Vulnerability Details: Authenticated Settings Change in Launcher

The changelog for the latest version of Launcher has a couple of entries that could relate to a security vulnerability: “Fixed XSS vulnerability” and “Added capability check for the save function Props to @Metamorfosec”. While the former would seem the more likely candidate, as far as we can tell it involves escaping values that can only be set by an Administrator, which is not really a vulnerability (on a single-site install an Administrator already holds the unfiltered_html capability, so they can place arbitrary HTML and JavaScript on the site anyway). The latter turned out to relate to an actual vulnerability, and one that wasn’t fully fixed.


[Read more]

25 May 2016

Protecting You Against Wordfence’s Bad Practices: Unauthorized Options Update Vulnerability in WP Fastest Cache

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while omitting the critical details needed to double-check their work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Options Update vulnerability allows an attacker to access and make changes to the CDN (Content Delivery Network) options for the website. With this control an attacker can direct all requests for css files, images, videos, etc. to their site, allowing them to serve malicious content to visitors of the vulnerable site.” [Read more]
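Both posts above concern the same class of bug: a settings-save routine that a plugin exposes to logged-in users without checking whether the current user is actually allowed to change options. As an added illustration (this is example code written for this page, not code from Launcher, WP Fastest Cache or any other plugin), the block below shows a save handler for a CDN URL option in its vulnerable form next to a hardened form. The plugin slug example_cdn, the option name example_cdn_url and the admin-post action names are assumptions made for the example. Whatever the remaining gap in Launcher’s fix was (the excerpt above does not say), the general rule the hardened handler follows is that a capability check alone is not sufficient: without a nonce check the action can still be triggered cross-site through an Administrator’s browser, and without a capability check the nonce only proves the request came from a form that any logged-in user could load.

```php
<?php
/*
 * Added example (not code from Launcher, WP Fastest Cache or any other plugin):
 * a WordPress settings-save handler of the kind both posts above describe.
 * Plugin slug "example_cdn", option name "example_cdn_url" and the admin-post
 * action names are assumptions made for illustration.
 */

// VULNERABLE: any logged-in user, even a Subscriber, can submit this action to
// wp-admin/admin-post.php. No capability check, so the CDN URL (and therefore
// where visitors load scripts, stylesheets and images from) becomes attacker
// controlled; no nonce check, so an Administrator's browser can also be made
// to submit it from another site (CSRF).
function example_cdn_save_settings_vulnerable() {
    if ( isset( $_POST['cdn_url'] ) ) {
        update_option( 'example_cdn_url', $_POST['cdn_url'] );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=example_cdn' ) );
    exit;
}
add_action( 'admin_post_example_cdn_save_vulnerable', 'example_cdn_save_settings_vulnerable' );

// HARDENED: the capability check limits the action to users who may manage
// options, the nonce check ties the request to a form this user actually
// loaded, and the value is sanitised and restricted to http(s) before storage.
function example_cdn_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the _wpnonce field is missing or does not verify.
    check_admin_referer( 'example_cdn_save_settings' );

    $cdn_url = isset( $_POST['cdn_url'] ) ? esc_url_raw( wp_unslash( $_POST['cdn_url'] ) ) : '';
    // esc_url_raw() already rejects javascript: and similar schemes; narrow it
    // further so that only http or https URLs are ever stored.
    $scheme = wp_parse_url( $cdn_url, PHP_URL_SCHEME );
    if ( '' !== $cdn_url && ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        $cdn_url = '';
    }
    update_option( 'example_cdn_url', $cdn_url );

    wp_safe_redirect( admin_url( 'options-general.php?page=example_cdn' ) );
    exit;
}
add_action( 'admin_post_example_cdn_save_hardened', 'example_cdn_save_settings_hardened' );

// The settings form emits the nonce field the hardened handler verifies. The
// page that renders it would normally itself be registered with a
// 'manage_options' capability requirement.
function example_cdn_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_cdn_save_hardened">
        <?php wp_nonce_field( 'example_cdn_save_settings' ); ?>
        <label>CDN URL
            <input type="url" name="cdn_url"
                   value="<?php echo esc_attr( get_option( 'example_cdn_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin’s own fix for a bug of this kind, the check to make is that every code path that can reach update_option() for the affected settings (admin-post handlers, admin-ajax handlers, REST routes, direct POST handling in the settings page) carries both the capability check and the nonce check, not just the one the changelog mentions.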