30 Jun 2022

Reflected Cross-Site Scripting (XSS) Vulnerability in Header Footer Code Manager

On June 24, the WordPress plugin Header Footer Code Manager was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 300,000+ installs), our systems warned us about the closure. By the time we went to check on the plugin the next day, the developer had released a new version with a changelog suggesting a security vulnerability had existed in the plugin: [Read more]

16 Jun 2022

10Web’s Event Calendar WD (EventCalendar) Contains Authenticated Information Vulnerability and Other Security Issues

One of the more troubling aspects of the poor security of WordPress plugins is that so many companies are both handling the security of their plugins rather poorly and trying to profit from the insecurity they are helping to create. We discussed one example of that a year ago, involving plugin developer 10Web’s poor handling of the security of their plugins while selling a security service and partnering with Patchstack, another company trying to profit from that insecurity. That post dealt in part with 10Web’s failed attempt to fix a vulnerability in the Event Calendar WD (EventCalendar) plugin and their subsequent failure to get it resolved after we let them know it hadn’t been fixed. While the partnership with Patchstack was supposed to improve the security of the WordPress ecosystem, it didn’t even lead to 10Web’s plugins being properly secured.

On Monday, Event Calendar WD was closed on the WordPress Plugin Directory. Unhelpfully for those using it, no explanation was provided as to why it was closed (as is the case with all plugin closures there). As at least one of our customers is using the plugin, we took a look to see if there might be a serious vulnerability that could have led to the closure and that we should be warning them about. We didn’t find such a vulnerability, but even in the limited checking we did, we found various security issues with the plugin. We confirmed there is at least one vulnerability, and there are likely others. [Read more]

21 Apr 2022

Authenticated Post Deletion Vulnerability in Toolset Types WordPress Plugin

As part of our recent focus on providing better information to customers of our main service about the security of the plugins they use, we extended the monitoring we already do of closures of the most popular plugins on the WordPress Plugin Directory to the plugins our customers use. We monitor those closures because they are often caused by security vulnerabilities, sometimes very serious ones. That monitoring notified us yesterday that Toolset Types, a plugin used by a customer, had been closed. According to the message on the plugin’s page, it was closed in 2019, so this must be a new customer or a website newly using the plugin:

This plugin has been closed as of April 4, 2019 and is not available for download. This closure is permanent. Reason: Author Request. [Read more]

20 Apr 2022

Vulnerability Details: Multiple in JivoChat

On Monday, the WordPress plugin JivoChat was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure. Before we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about, a security update had been made to the plugin, though an incomplete one. [Read more]

19 Apr 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Privilege Escalation Vulnerability

On Monday, the WordPress plugin WP SVG Icons was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function svg_delete_custom_pack_ajax() to be accessible through WordPress’s AJAX functionality (admin-ajax.php) by anyone logged in to WordPress: [Read more]
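
That registration is the crux: a handler hooked to wp_ajax_{action} is callable by every authenticated user, whatever their role, unless the handler itself checks. What follows is an added example written for this page, not code from WP SVG Icons or any other plugin; the slug "example-icons", the action names, the option name and every function are hypothetical, and the code assumes it runs inside WordPress. It shows a handler registered that way with no checks, beside one that adds the nonce, capability and input checks a deletion action needs.

```php
<?php
/**
 * Added example for this page, not code from WP SVG Icons or any other
 * plugin. The slug "example-icons", the action names, the option name and
 * every function below are hypothetical. Assumes it runs inside WordPress.
 */

// Hooking wp_ajax_{action} makes the handler reachable by ANY logged-in user
// via POST /wp-admin/admin-ajax.php with action=example_delete_pack.
// (wp_ajax_nopriv_{action} would expose it to unauthenticated visitors too.)
// Being logged in is the only gate WordPress applies; authorization and
// CSRF protection are entirely the handler's responsibility.
add_action( 'wp_ajax_example_delete_pack', 'example_delete_pack_ajax_insecure' );

function example_delete_pack_ajax_insecure() {
    // A Subscriber can call this and delete any pack: no capability check,
    // no nonce, and the identifier is used exactly as supplied.
    $pack = $_POST['pack'];
    delete_option( 'example_pack_' . $pack );
    wp_send_json_success();
}

// Same action, hardened. Registered under a different name here only so
// both variants can coexist in one file.
add_action( 'wp_ajax_example_delete_pack_secure', 'example_delete_pack_ajax_secure' );

function example_delete_pack_ajax_secure() {
    // 1. CSRF: the request must carry a nonce minted for this user and this
    //    action. check_ajax_referer() ends the request with -1 if it is
    //    missing or invalid.
    check_ajax_referer( 'example_delete_pack', 'nonce' );

    // 2. Authorization: logged in is not enough. Require a capability that
    //    matches the sensitivity of the action (here, site administration).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }

    // 3. Input validation: restrict the identifier to the allowed character
    //    set and to packs the plugin actually knows about.
    $pack = isset( $_POST['pack'] ) ? sanitize_key( wp_unslash( $_POST['pack'] ) ) : '';
    if ( '' === $pack || ! in_array( $pack, example_known_packs(), true ) ) {
        wp_send_json_error( 'Unknown pack.', 400 );
    }

    delete_option( 'example_pack_' . $pack );
    wp_send_json_success( array( 'deleted' => $pack ) );
}

function example_known_packs() {
    // Hypothetical allow-list; a real plugin would consult its own registry.
    return array( 'arrows', 'social', 'weather' );
}

// The nonce the secure handler expects is handed to the admin page's script,
// so only a page the user actually loaded can make a valid request.
function example_enqueue_admin_js( $hook ) {
    if ( 'toplevel_page_example-icons' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleIcons', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_delete_pack' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_js' );
```

To check a handler for this class of problem, log in as a Subscriber-level account, keep the cookies, and send the action with no nonce, e.g. curl -b cookies.txt -d 'action=example_delete_pack&pack=social' https://example.com/wp-admin/admin-ajax.php (the hostname is a placeholder). The insecure handler answers {"success":true}; the hardened one answers -1 with a 403 from check_ajax_referer() before it ever reaches the capability check.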

3 Dec 2021

Closed WordPress Plugin With 40,000+ Installs Contains CSRF/XSS Vulnerability

Yesterday, the WordPress plugin WP Extra File Types was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to change the plugin’s settings and add malicious JavaScript code to them, which amounts to cross-site scripting (XSS).

The plugin registers a settings page for itself, which calls the function admin_page(): [Read more]

18 Nov 2021

WordPress Plugin Closed Today With 40,000+ Installs Contains CSRF/Arbitrary Directory Deletion Vulnerability

Today, the WordPress plugin Child Theme Generator was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin lacks protection against cross-site request forgery (CSRF), which could allow an attacker to cause a logged-in Administrator to take actions they didn’t intend. Among those is deleting arbitrary directories on the server the website is on.

When the plugin’s admin page is accessed (access is limited to Administrators), the file /admin/class-child-theme-generator-admin.php is loaded, which in turn causes the function section_remove() in that file to run: [Read more]
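
The WP Extra File Types and Child Theme Generator entries describe the same shape of bug: an admin page that acts on request parameters as soon as it loads, so a logged-in Administrator who is lured to an attacker’s page sends the request with their own cookies and the handler has no way to tell it wasn’t intended. The following is an added example written for this page, not code from either plugin; the option name, the marker file, the page slug and all function names are hypothetical, and it assumes it runs inside WordPress. It shows the unprotected pattern for both a settings change (which becomes XSS when the stored value is echoed unescaped) and a directory removal, then the hardened version with a nonce check, a containment check on the directory, and output escaping.

```php
<?php
/**
 * Added example for this page, not code from Child Theme Generator, WP Extra
 * File Types or any other plugin; all names are hypothetical and it assumes
 * it runs inside WordPress.
 */

// ---- Vulnerable pattern ----------------------------------------------------
// Reachable only by Administrators, but CSRF targets exactly that user: the
// browser attaches their cookies to a request an attacker's page triggers.
function example_admin_page_insecure() {
    if ( isset( $_GET['remove'] ) ) {
        // Arbitrary directory deletion: nothing confines the name to the
        // themes directory, so "../../wp-content/uploads" walks out of it.
        example_rmdir_recursive( get_theme_root() . '/' . $_GET['remove'] );
    }
    if ( isset( $_POST['extra_types'] ) ) {
        // Settings change with no nonce; the value is stored as received.
        update_option( 'example_extra_types', $_POST['extra_types'] );
    }
    // Stored value echoed unescaped: a "><script>...</script> payload planted
    // via the CSRF now runs for every Administrator who opens this page.
    echo '<input name="extra_types" value="' . get_option( 'example_extra_types' ) . '">';
}

// ---- Hardened pattern ------------------------------------------------------
function example_admin_page_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    if ( isset( $_GET['remove'] ) ) {
        // check_admin_referer() dies unless _wpnonce was minted for this
        // action and this user; a cross-site request cannot supply one.
        check_admin_referer( 'example_remove_section' );
        $dir = example_child_theme_dir( wp_unslash( $_GET['remove'] ) );
        if ( null === $dir ) {
            wp_die( 'Invalid theme directory.', '', array( 'response' => 400 ) );
        }
        example_rmdir_recursive( $dir );
    }

    if ( isset( $_POST['extra_types'] ) ) {
        check_admin_referer( 'example_save_settings' );
        // Keep only what the setting can legitimately hold: a list of tokens.
        $raw    = sanitize_text_field( wp_unslash( $_POST['extra_types'] ) );
        $tokens = array_filter( array_map( 'sanitize_key', explode( ',', $raw ) ) );
        update_option( 'example_extra_types', implode( ',', $tokens ) );
    }

    // The form carries the nonce the POST branch checks; the value is escaped
    // on output, which fixes the XSS independently of the CSRF fix.
    echo '<form method="post">';
    wp_nonce_field( 'example_save_settings' );
    echo '<input name="extra_types" value="' . esc_attr( get_option( 'example_extra_types', '' ) ) . '">';
    echo '</form>';
    // Removal links are minted the same way, one nonce per page load.
    echo '<a href="' . esc_url( wp_nonce_url( admin_url( 'admin.php?page=example&remove=demo-child' ), 'example_remove_section' ) ) . '">Remove</a>';
}

// Map a user-supplied name to a directory this plugin may delete, or null.
function example_child_theme_dir( $name ) {
    // One path segment only: no separators, no "..", no NUL bytes.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+$/', $name ) ) {
        return null;
    }
    $root   = realpath( get_theme_root() );
    $target = realpath( $root . DIRECTORY_SEPARATOR . $name );
    if ( false === $root || false === $target || ! is_dir( $target ) ) {
        return null;
    }
    // Containment after symlink resolution: must be a direct child of the
    // themes root, never the root itself or anything outside it.
    if ( dirname( $target ) !== $root ) {
        return null;
    }
    // Only remove directories this plugin created (hypothetical marker file).
    if ( ! file_exists( $target . DIRECTORY_SEPARATOR . '.example-child-theme' ) ) {
        return null;
    }
    return $target;
}

function example_rmdir_recursive( $dir ) {
    foreach ( array_diff( scandir( $dir ), array( '.', '..' ) ) as $entry ) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if ( is_dir( $path ) && ! is_link( $path ) ) {
            example_rmdir_recursive( $path );
        } else {
            unlink( $path ); // files and symlinks; a link is never followed
        }
    }
    rmdir( $dir );
}
```

The point for the Child Theme Generator case is that the capability check alone changes nothing: the Administrator really is logged in. Only the nonce distinguishes a request the admin’s own page generated from one an attacker’s page generated, and the containment check in example_child_theme_dir() limits the damage to a single plugin-created theme directory if the nonce check is ever bypassed.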

27 Oct 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Closed WordPress Plugin Responsive Menu

On Monday, the WordPress plugin Responsive Menu was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 100,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin contains a fairly serious security vulnerability, an authenticated persistent cross-site scripting (XSS) vulnerability, as well as other vulnerabilities stemming from the poor security of the code.

We tested and confirmed that two of the existing protections in our new firewall plugin for WordPress would each, on their own, stop exploitation of the authenticated persistent XSS vulnerability, even before we discovered the vulnerability, as part of the plugin’s protection against zero-day vulnerabilities. An additional protection being added to the plugin in the next release, based on a vulnerability fixed and exploited in another plugin last week, would also protect against this. [Read more]

26 Oct 2021

Reflected Cross-Site Scripting (XSS) Vulnerability in Quiz And Survey Master

Yesterday, the WordPress plugin Quiz And Survey Master was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin.

In June, while looking into the possibility that a vulnerability had been fixed in the plugin, we found a fairly serious vulnerability in it, so the poor quality of the security we found this time wasn’t surprising. While we didn’t quickly find a serious vulnerability, we did easily confirm that a reflected cross-site scripting (XSS) vulnerability currently exists in the plugin. [Read more]

22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities that we should warn users of the plugin who also use our service about, we found just such a vulnerability. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter is a type of vulnerability that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability. [Read more]