30 Apr 2019

WordPress Paints a Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Blog Designer

Almost a month ago we noted why it is so problematic to close popular WordPress plugins that contain undisclosed but serious security vulnerabilities, in discussing a settings change vulnerability that permits persistent cross-site scripting (XSS) in the plugin Related Posts, and unfortunately here we are seeing the exact same situation again with the plugin Blog Designer. Maybe we shouldn’t be surprised by that, considering that the situation with Related Posts wasn’t properly resolved.

Late last year after seeing evidence that hackers were monitoring for the closure of popular plugins and then looking to see if they have security vulnerabilities, we started doing the same so that we could better keep our customers warned of vulnerabilities ahead of hackers finding and exploiting them. It would be much better if the WordPress team would work with others to improve their handling of insecure plugins to avoid situations like that in the first place, but so far they haven’t shown an interest in that, so here we are again.

19 Apr 2019

Closures of Very Popular WordPress Plugins, Week of April 19

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week two of those plugins were closed and one has yet to be reopened.

12 Apr 2019

Closures of Very Popular WordPress Plugins, Week of April 12

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week one of those plugins was closed and has yet to be reopened.

9 Apr 2019

Recently Closed Visual CSS Style Editor WordPress Plugin Contains Privilege Escalation Vulnerability That Leads to Option Update Vulnerability

When it comes to the security of WordPress plugins, what other security companies generally do is add protection against vulnerabilities after they have already been widely exploited, which obviously won’t produce great results, since there is a good chance the websites using their service have already been hacked by the time they do that. One of the ways we keep ahead of that is to monitor the closure of the 1,000 most popular WordPress plugins in the Plugin Directory, since that closure can be due to a security issue, and even if it is not, we have found the plugins being closed often contain security vulnerabilities, and as was the case with one less than two weeks ago, ones likely to be exploited. Hackers seem to be doing that type of monitoring as well. Through that we found that the plugin Visual CSS Style Editor, which has 30,000+ active installs and was closed yesterday, has two vulnerabilities that when combined lead to a type of vulnerability hackers would be likely to exploit.

When we started to do a quick check of the security of the plugin after we were notified by our monitoring that it was closed, we found that there were multiple basic security failures. For example, our Plugin Security Checker, which is an automated tool anyone can use to check plugins for possible security issues, correctly identified the possibility of a reflected cross-site scripting (XSS) vulnerability. But that isn’t a serious issue, so we went to look if there was something more serious that we should be warning our customers about instead. We found something that fit the bill, but there could be other issues as well.

1 Apr 2019

Cross-Site Request Forgery (CSRF) Vulnerability in 404page

The plugin 404page was closed on the WordPress Plugin Directory on Saturday. As that is one of the 1,000 most popular plugins, our systems alerted us to its removal and then we checked things over to see if there was a security issue that might have led to it being removed. While no reason had been given for its removal, in a quick check we found a minor, but rather nasty, vulnerability that could allow an attacker to cause WordPress users to disable their access to the website without intending it. We then used WPDirectory to see if other plugins might have similar code and found that a number of other plugins by the same developer do. Subsequent to us doing that, the vulnerability was fixed in 404page and that was credited to Julio Potier, so it appears that was the cause of the closure, but the other plugins have not been fixed yet.

The plugin makes the function dismiss_admin_notice() accessible to anyone logged in to WordPress through WordPress’ AJAX functionality:

30 Mar 2019

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:

Don’t post on things they don’t understand. This really ties into the last item since you often have moderators providing people incorrect information and then they appear to not be able to handle that someone provides information that disputes that, leading to accurate information being deleted.

22 Mar 2019

Closures of Very Popular WordPress Plugins, Week of March 22

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week two of those plugins were closed and one of those has been reopened, despite the reason for its removal not being fully resolved.