Authenticated Settings Change Vulnerability in Posts Like Dislike
The changelog for the latest version of the WordPress plugin Posts Like Dislike is “Fixed security issue”.
…
The changelog for the latest version of the WordPress plugin Schema – All In One Schema Rich Snippet is:
…
As detailed in a separate post, we took a look at the WordPress plugin WooCommerce Fraud Prevention Plugin after seeing it mentioned in a news story. We found that it is insecure and that the insecurity leads to at least one vulnerability: anyone logged in to WordPress can reset the plugin's settings.
The plugin registers the function wcblu_reset_settings() to be accessible through WordPress' AJAX functionality to anyone logged in to WordPress:
With the latest version of the plugin Rank Math SEO, one of the changelog entries is:
Added some important security fixes
Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while omitting the critical details needed to double-check its work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence's practice could cause.
Wordfence describes the missing authorization vulnerability in WP Maintenance Mode version 2.0.6 as "This vulnerability allows an attacker with a subscriber level account to modify plugin settings."