4 Apr 2023

Awesome Motive Isn’t Disclosing They Are Trying (and Sometimes Failing) to Fix Vulnerabilities in Their Plugins

Yesterday, Automattic’s WPScan claimed that the latest version of the 1+ million install WordPress plugin WPCode had fixed a vulnerability:

The plugin has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders [Read more]

30 Jan 2023

WordPress Security Community’s Poor Results on Display With Failed Fix of Vulnerability in 3+ Million Install Plugin MonsterInsights

A couple of weeks ago, WordPress security provider WPScan, which is controlled by the head of WordPress, Matt Mullenweg, claimed that an authenticated persistent cross-site scripting (XSS) vulnerability involving the plugin's Inline Popular Posts block had been fixed in the latest version, 8.12.1, of the 3+ million install plugin MonsterInsights:

[Read more]

9 Dec 2022

Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress

The website of the WordPress-focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time,” which they explain this way:

When it’s right for the people, the company, and you’re proud of the decision, then it’s the right thing. Sometimes doing the right thing is hard, but doing it over is harder. This is why we must always do the right thing, every time. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]