01 Oct

Full Disclosure of CSRF/LFI Vulnerability In Plugin With 30,000+ Active Installs

The description of the plugin Companion Auto Update, which has 30,000+ active installations according to wordpress.org, starts with the message: KEEP YOUR WEBSITE SAFE! But the plugin itself introduces a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability, as we found while doing some checking of the 1,000 most popular plugins in the Plugin Directory against [Read more]

02 Mar

What Happened With WordPress Plugin Vulnerabilities in February 2018

If you want the best information and therefore the best protection against vulnerabilities in WordPress plugins, we provide that through our service. Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet): Plugin [Read more]

01 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Companion Auto Update

We recently found that the plugin Companion Auto Update contained a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin’s settings. The CSRF portion is caused by a lack of a nonce being included with the request to change the plugin’s settings and a lack of a check that a valid one is included when doing the [Read more]
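The excerpt above describes the usual shape of a CSRF issue in a WordPress plugin settings handler: no nonce in the form and no nonce check when the request is processed. The following is an added example written for this page, not code from Companion Auto Update or from the post itself. It shows the vulnerable pattern next to a hardened one using WordPress's own nonce and capability APIs. Every option, action and field name prefixed `cau_demo_` is a hypothetical placeholder, not an identifier from the plugin, and the allow-listed interval values are likewise invented for illustration.

```php
<?php
// Added example for this page; not the plugin's own code.
// All cau_demo_* names are hypothetical placeholders.

// VULNERABLE pattern: the settings save runs on any admin-side request with no
// nonce check and no capability check. A third-party page visited by a logged-in
// administrator can auto-submit this form and change the setting (CSRF), and the
// raw value is stored as-is.
function cau_demo_save_settings_vulnerable() {
    if ( isset( $_POST['cau_demo_interval'] ) ) {
        update_option( 'cau_demo_interval', $_POST['cau_demo_interval'] );
    }
}
// add_action( 'admin_init', 'cau_demo_save_settings_vulnerable' ); // do not ship this

// HARDENED pattern, part 1: the form includes a nonce tied to a specific action
// and posts to admin-post.php so the handler below is the only thing that runs it.
// The stored value is escaped on output (esc_attr), which is the general guard
// against stored XSS from a settings value; the page does not say how the XSS part
// of this plugin's bug arose, so treat that line as general practice, not a fix
// for the reported issue.
function cau_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cau_demo_save_settings">
        <?php wp_nonce_field( 'cau_demo_save_settings', 'cau_demo_nonce' ); ?>
        <label for="cau_demo_interval">Update check interval</label>
        <input type="text" id="cau_demo_interval" name="cau_demo_interval"
               value="<?php echo esc_attr( get_option( 'cau_demo_interval', 'daily' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

// HARDENED pattern, part 2: the handler refuses the request unless the user holds
// the right capability AND the request carries a nonce that wp_verify_nonce()
// accepts for this action. check_admin_referer() does that check and calls
// wp_die() on failure, so a forged cross-site request never reaches update_option().
function cau_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'cau_demo_save_settings', 'cau_demo_nonce' );

    // Validate against an allow-list instead of storing raw input.
    $allowed  = array( 'hourly', 'twicedaily', 'daily' ); // hypothetical values
    $interval = isset( $_POST['cau_demo_interval'] )
        ? sanitize_text_field( wp_unslash( $_POST['cau_demo_interval'] ) )
        : 'daily';
    if ( ! in_array( $interval, $allowed, true ) ) {
        $interval = 'daily';
    }
    update_option( 'cau_demo_interval', $interval );

    wp_safe_redirect( admin_url( 'options-general.php?page=cau_demo&settings-updated=1' ) );
    exit;
}
add_action( 'admin_post_cau_demo_save_settings', 'cau_demo_save_settings_hardened' );
```

The point of the pair is that the nonce alone is not the whole fix: the nonce stops a request forged from another origin, the capability check stops a low-privilege logged-in user from calling the handler directly, and the allow-list limits what can land in the database even if both of those are somehow bypassed.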