Login

Tag Archives: Closed Plugins

1 Feb 2019

Closures of Very Popular WordPress Plugins, Week of February 1

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week six of these plugins were closed and two of them has been reopened. [Read more]

25 Jan 2019

Closures of Very Popular WordPress Plugins, Week of January 25

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week one of these plugins was closed and has been reopened. [Read more]

18 Jan 2019

Closures of Very Popular WordPress Plugins, Week of January 18

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of these plugins was closed and none of them have been reopened. [Read more]

11 Jan 2019

Closures of Very Popular WordPress Plugins, Week of January 11

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week four of these plugins was closed and two have been reopened. [Read more]

2 Jan 2019

Closures of Very Popular WordPress Plugins, Week of December 28

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week one of those plugins was closed and has been reopened. [Read more]

21 Dec 2018

Closures of Very Popular WordPress Plugins, Week of December 21

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and two of those have yet to be reopened. [Read more]

17 Dec 2018

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Comprehensive Google Map Plugin

Yesterday one of the 1,000 most popular WordPress plugins in the Plugin Directory, Comprehensive Google Map Plugin, was closed. No reason has been given for that.

The plugin does display this message “Attention: the development and maintenance of the “Comprehensive Google Map Plugin” has been discontinued!”, so that might explain the closure. In taking a look over the plugin though we found a fairly obvious security issue and it looks like there are other vulnerabilities in the latest version. [Read more]

14 Dec 2018

Closures of Very Popular WordPress Plugins, Week of December 14

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week three of those plugins were closed and have yet to be reopened. [Read more]

7 Dec 2018

Closures of Very Popular WordPress Plugins, Week of December 7

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week one of those plugins was closed and has yet to be reopened. [Read more]

6 Dec 2018

Closure of Modula Image Gallery Leads to Disclosure of Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in It

Last week we started monitoring for closures of the 1,000 most popular WordPress plugins and that alerted to us the plugin Modula Image Gallery, which has 40,000+ active installations and was closed yesterday. There have been two new versions released since it was closed. The first 1.3.4 has a changelog entry of “wp.org review” and there are quite a few security related changes made in that version.

In a quick check over the code none of them stood as being obviously related to a vulnerability as opposed to general security improvement and no possible security issues were picked up with our Plugin Security Checker, so we moved on to installing a copy of version 1.3.3 and seeing if there were any easy to spot vulnerabilities we could see by checking things that way. We almost immediately found that the plugin has had an authenticated persistent cross-site scripting (XSS) vulnerability, but a closer look showed that part of this isn’t fixed as of version 1.3.5. [Read more]