13 Sep

When an Old Vulnerability Gets a New Vulnerability Report

As part of preparing an upcoming enhancement to the service, we have recently been looking at what traffic to our website indicates about what hackers are targeting. Through that we noticed a connection between the existence of YouTube videos on exploiting vulnerabilities and which vulnerabilities are getting exploitation attempts. In the past few days we have seen a pickup in requests for pages on our website relating to the plugin Cherry Plugin. In looking for any recent mentions of vulnerabilities in this plugin, we found a YouTube video showing how to exploit an arbitrary file upload vulnerability in it and a report on that vulnerability.

[Read more]

30 Jun

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Cherry Plugin

As we continue looking at ways we can improve the security of WordPress plugins, one of the things we are trying is checking over plugins for which we have recently added new vulnerabilities to our data set, to see if we can find any other obvious vulnerabilities. The third we have spotted is in the plugin Cherry Plugin.

[Read more]

22 Jun

Old Vulnerability Report: Arbitrary File Viewing Vulnerability in Cherry Plugin

One of the things that we do to keep track of the plugin vulnerabilities out there is to monitor hacking attempts on our websites. That sometimes leads us to finding what looks to be exploitation of vulnerabilities that a hacker has just discovered. In other cases it shows really old vulnerabilities that hackers are still trying to exploit. We have recently had some attempts to exploit a couple of vulnerabilities in older versions of the plugin Cherry Plugin. One was an arbitrary file upload vulnerability mentioned here and the other was an arbitrary file viewing vulnerability that we couldn’t find any prior mention of.

[Read more]