09 Jun

WordPress Plugin Directory’s Security Review Leads to Putting Public At More Risk

Yesterday we announced we have temporarily ended our notifications to the WordPress Plugin Directory when there are plugins with disclosed vulnerabilities in the current version of the plugin that is in the directory, until they put forward concrete plans to resolve two issues. One of those is finally warning people when they are using plugins that have been removed from the Plugin Directory for security issues. While years ago they claimed they were working on doing this, more recently they have claimed that doing so would put people at more risk. It is truly bizarre position to take just considering that many of these vulnerabilities have been publicly disclosed, so hackers would already have easy access to as much or more information than anyone has proposed including when warning webmasters of the issue. Then you have the fact that plenty of these vulnerabilities are not only known to hackers, but being actively exploited before the plugins were removed from the Plugin Directory (we know this because we have reported many of those to the Plugin Directory).

[Read more]

08 Jun

Authenticated Information Disclosure Vulnerability in Contact Form 7 Database

After noticing that another plugin that saves contact form submissions from the plugin Contact Form 7 made them publicly accessible we took a look other plugins that also save them to see if any of them had a similar issue. In doing that we found that the plugin Contact Form 7 Database made saved contact form submissions available to anyone logged in to WordPress.

[Read more]

03 Apr

Reflected Cross-Site Scripting (XSS) Vulnerability in Contact Form 7 Database

One of the ways we keep track of vulnerabilities in WordPress plugins is by monitoring the wordpress.org Support Forum as that is sometimes where vulnerabilities are disclosed. As far as we can tell we are alone in doing this, so if you are relying on another data source for your plugin vulnerability data you are most likely not going to be warned about those. One recent vulnerability we came across through that is a persistent cross-site scripting (XSS) vulnerability in the plugin Contact Form 7 Database. While looking into that we noticed that the plugin also has a reflected cross-site scripting (XSS) vulnerability.

[Read more]