26 Jul 2019

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Facebook Widget (Widget for Facebook Page Feeds)

The plugin Facebook Widget (Widget for Facebook Page Feeds) was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, so we were alerted to its closure. While we were looking into the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability due to not properly handling the security of shortcode attributes.

The plugin's shortcode “fb_widget” causes the function fb_plugin_shortcode() to run. That function is located in the file /short_code.php: [Read more]

25 Jul 2019

Vulnerability Details: Option Update in ND Shortcodes (ND Shortcodes For Visual Composer)

The plugin ND Shortcodes (ND Shortcodes For Visual Composer) was closed on the Plugin Directory yesterday. Today a new version was submitted with the changelog “Improved nd_options_import_settings_php_function function for security reasons”. Looking at the code, we found the plugin previously contained a vulnerability that allowed updating arbitrary WordPress options to arbitrary values, though it looks like it would only be exploitable in limited circumstances.

[Read more]

22 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Arbitrary File Upload in WP SVG Icons

The plugin WP SVG Icons was closed on the WordPress Plugin Directory on Saturday. Due to it being one of the 1,000 most popular plugins, with 50,000+ installs, we were alerted to the closure. By the time we went to check to see if there were any security issues in the plugin, a new version had already been submitted to fix a cross-site request forgery (CSRF) vulnerability that allows uploading arbitrary files. There are still a couple of very minor CSRF vulnerabilities that appear to be unfixed, and some other possible security issues.

[Read more]

19 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week three of those plugins were closed and one of those has not been reopened. [Read more]

16 Jul 2019

Closed Popular WordPress Plugin Advanced CF7 DB (Advanced Contact form 7 DB) Reintroduced Serious Vulnerability

One of the ways we make sure that customers of our service have the best information on vulnerabilities in WordPress plugins they use is by checking to see if popular ones that have been closed on the Plugin Directory contain security vulnerabilities, as we have seen that it looks like hackers were already doing that. Yesterday the plugin Advanced CF7 DB (Advanced Contact form 7 DB), which has 50,000+ active installations, was closed. No reason has been given for that, but there are multiple security issues in it. Some of the security issues involve security failures related to a vulnerability we contacted the developer about in August of last year, to which we never got any reply. A security vulnerability that currently exists in the plugin is something that we found in August of 2017 and the developer fixed at the time, only to undo that fix later.

If all of that doesn’t make the security of WordPress plugins sound bad enough, consider that in May a major web security company, Sucuri, somehow missed all of that and instead claimed that there was a vulnerability in the plugin that didn’t exist. [Read more]

11 Jul 2019

Cross-Site Request Forgery (CSRF) Vulnerability in ARPrice Lite

The latest update of the WordPress plugin ARPrice Lite was flagged by our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities. When we went to look into that, we found that the plugin was closed on the Plugin Directory on June 28 with no explanation given. The changelog for the version submitted since the closure is “WordPress standard changes and other bug fixes.” A lot of the changes made are security related, but there still look to be quite a few issues.

There are numerous locations missing protection against cross-site request forgery (CSRF), which allows an attacker to cause someone else to take an action they didn’t intend to. As an example of that, let’s look at the code that starts the import process for the plugin, part of which is what was flagged by our proactive monitoring. [Read more]

8 Jul 2019

Recently Closed WordPress Plugin With 400,000+ Installs Contains Another Authenticated Persistent XSS Vulnerability

Back in April we ran across an authenticated persistent cross-site scripting (XSS) vulnerability in WP Google Maps after our monitoring of the WordPress Support Forum, which we do to keep track of publicly known vulnerabilities in plugins that customers of our service might be using, led us to a claim by WPEngine that there was an XSS vulnerability in it. That vulnerability remained in the plugin for two months after that, and the team running the Plugin Directory apparently wasn’t concerned that a plugin with 400,000+ installs was known to be vulnerable. When it was fixed, it turned out the fix wasn’t part of a larger security improvement.

On Friday the plugin was closed on the Plugin Directory with no explanation as to why (later the developer said it was closed due to emails bouncing, which would be a good reason to indicate why the plugin was closed, since even they didn’t know). As we do with all very popular plugins that are closed, we then took a look over the security of it, since it appears that hackers have been doing that, and we want to keep our customers ahead of hackers instead of leaving them to be hacked as so many security services do. One of the first things we did was to go back to the code we had found was vulnerable before and see if there were any other similar issues still in the plugin. What we found is that by just scrolling down to the next function after the one we had identified as vulnerable before, we found the same type of vulnerability still exists. [Read more]

5 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 5

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week one of those plugins was closed and has been reopened. [Read more]

28 Jun 2019

Closures of Very Popular WordPress Plugins, Week of June 28

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week one of those plugins was closed and it has been reopened. [Read more]