Login

Tag Archives: Blog Designer

6 May 2019

Apparent Exploits of Vulnerability in Blog Designer Reminder of the Importance of Keeping Your WordPress Plugins Up to Date

Last Tuesday we warned about a vulnerability likely to be exploited in the plugin Blog Designer, unlike another WordPress plugin vulnerability we ran across recently in a similar situation, this one was quickly fixed and the plugin reopened on the Plugin Directory the next day (the vulnerability had been independently discovered by WebARX).

Through the monitoring we do to keep track of discussions on the WordPress Support Forum possibly related to vulnerabilities in WordPress to make sure we are providing our customers with the best possible data on vulnerabilities in WordPress plugins they use, we have run across reports that this is now being exploited. Here is one: [Read more]

3 May 2019

Closures of Very Popular WordPress Plugins, Week of May 3

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week four of those plugins were closed and two have yet to have been reopened. [Read more]

30 Apr 2019

WordPress Paints a Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Blog Designer

Almost a month ago we noted why it is so problematic to close popular WordPress plugins that contain undisclosed but serious security vulnerabilities in discussing a settings change vulnerability that permits persistent cross-site scripting (XSS) in the plugin Related Posts and unfortunately here we are seeing the same exact situation again with the plugin Blog Designer. Maybe we shouldn’t be surprised of that considering that the situation with Related Posts wasn’t properly resolved.

Late last year after seeing evidence that hackers were monitoring for the closure of popular plugins and then looking to see if they have security vulnerabilities, we started doing the same so that we could better keep our customers warned of vulnerabilities ahead of hackers finding and exploiting them. It would be much better if the WordPress team would work with others to improve their handling of insecure plugins to avoid situations like that in the first place, but so far they haven’t shown an interest in that, so here we are again. [Read more]