07 Dec

Not Really a WordPress Plugin Vulnerability, Week of December 7

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items [Read more]

29 Jun

What Happened With WordPress Plugin Vulnerabilities in May 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service. Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet): Plugin [Read more]

03 May

We Wouldn’t Call WP Engine A Good Web Host for Providing Inaccurate Data on WordPress Plugin Vulnerabilities to Their Customers

When it comes to getting information on the security issues in WordPress plugins, developers of plugins are not always the best source. That is the case with a persistent cross-site scripting (XSS) vulnerability discovered by Federico Scalco that was in the plugin Caldera Forms. While that was claimed by the discoverer of the vulnerability, the developer [Read more]

07 Oct

Vulnerability Details: Flash Cross-Site Scripting (XSS) Vulnerability in Caldera Forms

This Vulnerability Details post about a vulnerability in the plugin Caldera Forms provides the details of a vulnerability we didn’t discover and access to it is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available and give you an idea of what information is provided in [Read more]

31 Jul

Planet Zuda’s False Claim of a Cross-Site Request Forgery (CSRF) Vulnerability in Caldera Forms

If you have read either of our previous posts about the security company Planet Zuda you won’t be surprised to hear that they are selling a “fixed” version of another WordPress plugin where the vulnerability they claim to have fixed doesn’t exist. This time it is with the plugin Caldera Forms, which has 90,000+ active [Read more]

25 May

Protecting You Against Wordfence’s Bad Practices: Sensitive Data Exposure Vulnerability in Caldera Forms

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause. Wordfence describes [Read more]