24 May 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Minor Defacement Vulnerability

Yesterday, the WordPress plugin Shapely Companion was closed on WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function shapely_companion_import_content() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]

22 Apr 2022

1+ Million Install WordPress Plugin From Security Plugin Developer WPMU DEV is Lacking Basic Security

Yesterday a new version of the WordPress plugin Smush, which has 1+ million active installs according to wordpress.org, was released with a changelog entry indicating that a security fix was being made:

Fix: XSS vulnerability [Read more]

19 Apr 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Privilege Escalation Vulnerability

On Monday, the WordPress plugin WP SVG Icons was closed on WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function svg_delete_custom_pack_ajax() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]

11 Mar 2022

Security Issues With Accept Stripe Payments WordPress Plugin

Earlier today a topic was created on the WordPress support forum for the plugin Accept Stripe Payments questioning whether there was a security hole in the plugin:

We’ve had hundreds of small fake charges to random people made by our Stripe account. I even got some calls from random people asking why we charged them! This is due to some fraudsters using our Stripe API key for card testing (testing whether a stolen card is valid). [Read more]

3 Mar 2022

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Use Any Font

As is often the case, WPScan recently released a mess of a report of a claimed vulnerability in the WordPress plugin Use Any Font. The report claims that part of the issue exists in versions released after it had already been resolved, and also claims the issue has been fixed, despite it not being fully resolved. We had warned our customers about the original form of the vulnerability back in 2017.

[Read more]

11 Jan 2022

WordPress Plugin Directory Team Fails to Flag Base64 Encoded Code That Creates Backdoor Account

In 2017 there was a very bad situation where the two people running the WordPress Plugin Directory allowed a plugin containing malicious code to return into the directory twice, only to have malicious code added again each time. Somehow that situation didn’t lead to a shakeup of the team running it, to address the two problematic people who have long controlled it.

In the third instance, part of the code was obfuscated using base64 encoding. In the comments on a post on the WP Tavern about the situation, there were a couple of comments noting that this should have flagged that code: [Read more]

17 Nov 2021

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Backup Migration

Today a competing data source on vulnerabilities in WordPress plugins, Patchstack, released a vague disclosure of a claimed vulnerability in the plugin Backup Migration, which has 20,000+ installs. The only information provided is that it is supposed to be an authenticated persistent cross-site scripting (XSS) vulnerability that was fixed in version 1.1.6 of the plugin.

The changelog entry related to that hints that there wasn’t really a vulnerability, as what it describes sounds like a lot of recent claimed vulnerabilities of this type that involve an Administrator being able to do something they are allowed to do: [Read more]

31 Aug 2021

WordPress Plugin with 100,000+ Installs Closed On Plugin Directory Today is Insecure

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in an instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was because of a vulnerability.

Today the plugin qTranslate X, which has 100,000+ installs, was closed. No reason has been given for the closure. While we didn’t find any obvious serious security issues in a quick check, what we did find is that the plugin is insecure and some of that insecurity is hard to follow, so it is possible that it has a more serious issue that is difficult to spot. [Read more]