20 Jul 2023

Wordfence Falsely Claims It Has to Rely on Inaccurate Plugin Vulnerability Data from Patchstack

On an unfortunately too regular basis, we are finding that vulnerabilities that were supposed to be fixed in plugins being used by our customers haven’t been fully fixed and in some cases haven’t been fixed at all. That is the case with a vulnerability that was recently supposed to have been fixed in the 200,000+ install plugin Ultimate Member. In looking into that, we ran across several other problems involving competing data providers that are not being honest about their data and its sourcing.

In our recent monitoring of possible discussions about plugin vulnerabilities in the WordPress Support Forum, we have seen a Wordfence employee claiming that Wordfence doesn’t have control over their own plugin vulnerability data. Here was one instance of that: [Read more]

6 Jul 2023

Cross-Site Request Forgery (CSRF) Vulnerability in wpCentral

As part of keeping track of vulnerabilities in WordPress plugins, we monitor whether any of the 1,000 most popular plugins on the WordPress Plugin Directory are closed, in case a closure might be due to a security vulnerability. On Monday, one of those plugins, wpCentral, was closed. No reason has been given for that closure so far, but in a quick check over the plugin, we found a security vulnerability that could have led to it being removed. That vulnerability involves cross-site request forgery (CSRF) in the functionality accessible through the plugin’s settings page.

The plugin’s settings page is registered to only be accessible to users with the activate_plugins capability: [Read more]

17 May 2023

Latest Version of UpdraftPlus Fixes Cross-Site Request Forgery (CSRF) Vulnerability

The top listing in the changelog for the latest version of the 3+ million install WordPress plugin UpdraftPlus is about a security fix in the new version:

SECURITY: Fixed a missing nonce combined with a URL sanitisation failure, which could lead to a targeted XSS opportunity (if an attacker persuades a logged-in administrator to both re-authorise their connection to a remote storage (e.g. Dropbox) and then to follow a link personally crafted for their site before re-authorising whilst logged in, he can then store a fixed JavaScript payload in the WP admin area (they would need a further route to use that ability to cause any damage)). Because of the need for the administrator to co-operate in multiple steps, this attack is very unlikely (but you should of course still update). [Read more]

15 May 2023

Wordfence Intelligence Vulnerability Database is Still Falsely Claiming Vulnerabilities Have Been Fixed

In reviewing changes being made to WordPress plugins used by our customers that are supposed to fix vulnerabilities, we often find that the vulnerabilities haven’t actually been fixed. Telling our customers that vulnerabilities have been fixed when we don’t actually know if they have been fixed would be unethical, but that is what we keep finding another provider, Wordfence, is doing with their Wordfence Intelligence Vulnerability Database. On their homepage, Wordfence call themselves the “Global Leaders in WordPress Security” and say you should trust them because of that. It’s unclear what would make someone the global leaders in WordPress security, but we can say they can’t be trusted whether they are the global leaders or not, as what we found below shows.

The changelog for the latest version of the WordPress plugin Simple Calendar claimed that a vulnerability was fixed in the plugin: [Read more]

5 Apr 2023

WP Engine’s New WordPress Plugin Contains CSRF Vulnerability

From what we have seen, WP Engine has a reputation for having a good handle on security, despite having a bad track record going back many years. In line with that track record, we found that the WordPress plugin they released on the WordPress Plugin Directory last week, Pattern Manager, lacks a basic security check leading to a minor vulnerability.

In the file /wp-modules/editor/model.php, the plugin registers the function redirect_pattern_actions() to be accessible even to those not logged in to WordPress: [Read more]

28 Mar 2023

Privilege Escalation Vulnerability in Razorpay for WooCommerce

Yesterday, the WordPress plugin Razorpay for WooCommerce was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 70,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it contains what appears to be a very serious vulnerability.

The plugin registers four functions to be accessible through an admin post request by anyone logged in to WordPress: [Read more]