16 Jan 2024

Did ChatGPT Write This Severely Vulnerable Code Added to the Sage AI Content Writer WordPress Plugin?

A lot has been made about the possible security risk of code created by ChatGPT, whether in WordPress plugins or otherwise. A more pedestrian risk is that WordPress plugins that interact with ChatGPT are themselves insecure, whether written by ChatGPT or not. On Friday, we found that one of those had just added extremely vulnerable code that hackers would exploit. Another plugin added slightly less vulnerable code over the weekend.

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught such a vulnerability being added to Sage AI Content Writer. The vulnerability is an authenticated arbitrary file upload vulnerability, which, as the name suggests, allows someone logged in to WordPress to upload arbitrary files to the website. An attacker could upload a .php file with malicious code and take over the website. [Read more]

30 Oct 2023

Hacker Appears to Wrongly Target WordPress Plugin Based on Patchstack’s Inaccurate Info on Vulnerability

On Saturday, a hacker was widely probing for usage of the WordPress plugin Thumbnail Slider With Lightbox. That was somewhat odd, as the plugin only has 1,000+ installs according to WordPress, and in our data set of claimed vulnerabilities in the plugin there were only claims of really minor vulnerabilities. So what explained their interest?

One thing that is abundantly clear based on monitoring we do is that hackers are focusing a lot on trying to exploit vulnerabilities highlighted by data providers we compete with. There is a sometimes uncomfortable relationship between these providers and hackers. For example, one of them is willing to sell information to hackers about vulnerabilities before they notify developers. [Read more]

9 Oct 2023

Another Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed Exploitable Vulnerability

On Friday, we saw a hacker probing for usage of the WordPress plugin Dropshipping & Affiliation with Amazon across our websites and other websites. As part of keeping track of vulnerabilities in WordPress plugins for our service, we needed to try to figure out what explained that interest. What we found was alarming, though unsurprising. Three days before that, the WordPress security provider Patchstack had vaguely claimed that the latest version of the plugin contained a fairly serious vulnerability. And yet, as of writing, the vulnerable plugin is still available in the WordPress Plugin Directory. So something has clearly gone wrong here, and not for the first time, even very recently.

As with another recent instance of an unfixed vulnerability likely being targeted, it wouldn’t be hard for WordPress to release a fix to stop exploitation. That is something we have offered for years to help them with. They haven’t taken up our offer of help or dealt with it on their own. [Read more]

12 Jun 2023

Hackers Likely Trying to Exploit This Partially Fixed Vulnerability in the WordPress Plugin Download Monitor

In the past few days we have seen what appear to be at least two hackers probing for usage of the WordPress plugin Download Monitor, which has 100,000+ installs. In looking into what might explain that, we found a vulnerability that hackers would try to exploit, which was partially fixed shortly before the probing started. Thankfully, there are some important limitations on its exploitability.

The changelog for a recent version of the plugin had a concerning entry: [Read more]

18 May 2022

Hacker Probably Targeting This Authenticated Arbitrary File Upload Vulnerability in WP ERP

Earlier this week Wordfence got press coverage for a situation in which they were obliquely admitting they were way behind hackers: they claimed to have started seeing attacks against a vulnerability in a WordPress plugin on May 10, while publicly available data from the website abuseipdb.com was showing attacks at the end of March. On Monday, data we monitor from that website showed what looked to be a hacker probing for usage of the WordPress plugin WP ERP by requesting this file from it:

/wp-content/plugins/erp/readme.txt [Read more]
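Requesting a plugin's readme.txt is a cheap way to learn whether the plugin is installed: a 200 confirms it, a 404 rules it out, and a prober can walk a list of slugs in seconds. The following is an added example, not part of the original post or of the monitoring data it describes, showing how to pick that pattern out of web server access logs. The log lines are constructed for illustration (documentation-range IPs, invented timestamps and paths), and the parser assumes the Combined Log Format that Apache and nginx emit by default.

```php
<?php
// Added example: detect plugin enumeration via /wp-content/plugins/<slug>/readme.txt
// in access-log lines. Not code from the page's author or any plugin.

// Constructed sample log lines (not real traffic). Three readme.txt requests
// from one client, one ordinary page view from another.
$sample_log = <<<'LOG'
203.0.113.7 - - [16/May/2022:03:14:07 +0000] "GET /wp-content/plugins/erp/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2022:03:14:08 +0000] "GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [16/May/2022:03:15:01 +0000] "GET /2022/05/some-post/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.7 - - [16/May/2022:03:14:09 +0000] "GET /wp-content/plugins/download-monitor/readme.txt?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
LOG;

/**
 * Parse one Combined/Common Log Format line into ip, request path and status,
 * or return null for lines that do not look like a request record.
 */
function parse_log_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) ([^ "]+) HTTP\/[\d.]+" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array( 'ip' => $m[1], 'path' => $m[2], 'status' => (int) $m[3] );
}

/**
 * Collect, per client IP, the plugin slugs whose readme.txt was requested,
 * as slug => HTTP status. A 200 tells the prober the plugin is installed.
 */
function plugin_probes( string $log ): array {
    $probes = array();
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = parse_log_line( $line );
        if ( null === $req ) {
            continue;
        }
        // Drop any query string before matching the readme path.
        $path = strtok( $req['path'], '?' );
        if ( preg_match( '#^/wp-content/plugins/([a-z0-9._-]+)/readme\.txt$#i', $path, $m ) ) {
            $probes[ $req['ip'] ][ strtolower( $m[1] ) ] = $req['status'];
        }
    }
    return $probes;
}

/**
 * Clients that asked for the readme of at least $min distinct plugins.
 * A single readme hit can be a crawler; several in a row is enumeration.
 */
function likely_probers( array $probes, int $min = 2 ): array {
    $out = array();
    foreach ( $probes as $ip => $slugs ) {
        if ( count( $slugs ) >= $min ) {
            $out[ $ip ] = $slugs;
        }
    }
    return $out;
}

foreach ( likely_probers( plugin_probes( $sample_log ) ) as $ip => $slugs ) {
    $installed = array_keys( array_filter( $slugs, function ( $s ) { return 200 === $s; } ) );
    printf( "%s probed %d plugins (%s); confirmed installed: %s\n",
        $ip, count( $slugs ), implode( ', ', array_keys( $slugs ) ),
        $installed ? implode( ', ', $installed ) : 'none' );
}
```

Run it against a real access log by replacing the constructed string with the file contents. The slugs that came back 200 are the ones a prober now knows you run, so those are the plugins whose changelogs and recent vulnerability reports are worth checking first.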

6 May 2022

WordPress Plugin Page Builder Addons for WPBakery Contains Authenticated Arbitrary File Upload Vulnerability

At the end of March, we noticed what looked to be a hacker probing for usage of the plugin Pie Register and found that it contained a vulnerability that hackers would be interested in exploiting: an authenticated arbitrary file upload vulnerability caused by insecure code for allowing the installation of WordPress plugins. It also contained several other vulnerabilities.

While working on improvements to our detection system and our firewall plugin related to that type of vulnerability, we found that over a month after that, the developer still hasn’t even attempted to address the vulnerabilities in another of their plugins, Page Builder Addons for WPBakery. [Read more]

28 Mar 2022

WordPress Plugin Targeted by Hacker Contains Authenticated Arbitrary File Upload Vulnerability

The WordPress plugin Pie Register has had many vulnerabilities discovered in it over the years, including multiple serious vulnerabilities that you would expect hackers to try to exploit. Despite that, WordPress states it has 5,000 active installs, so continued insecurity doesn't appear to discourage people from using a plugin (though thankfully, none of the customers of our main service are currently using it).

Over the weekend, we had what looked to be a hacker probing for usage of the plugin on this website with a request for the following file: [Read more]

26 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Another Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in another brand new plugin, VIRTUAL HDM FOR TAXSERVICE AM. We found another of these in a brand new plugin less than two weeks ago.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

13 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the brand new plugin Vossle.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]
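This post, the 26 Jan 2022 post, the 6 May 2022 post and the 16 Jan 2024 post all concern the same class of bug, an authenticated arbitrary file upload. As an added example (not the code of Vossle, VIRTUAL HDM FOR TAXSERVICE AM, Sage AI Content Writer, Pie Register or any other plugin on this page), here is the shape that bug usually takes in a plugin's admin-ajax handler, beside a hardened version. The plugin name, hook name, nonce action and allowed file types are assumptions made for the illustration.

```php
<?php
// Added example: a hypothetical plugin's upload handler, vulnerable and hardened.
// Not code from any plugin named on this page.

// --- Vulnerable pattern: "authenticated arbitrary file upload".
// wp_ajax_* hooks run for every logged-in user regardless of role, so without a
// capability check a subscriber can reach this. No nonce, no type check, and the
// file keeps its client-supplied name (even "../evil.php"), so a PHP file lands
// in a web-accessible directory and can be requested directly.
function example_ai_upload_vulnerable() {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['basedir'] . '/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $target );
    wp_send_json_success( array( 'path' => $target ) );
}
// add_action( 'wp_ajax_example_ai_upload', 'example_ai_upload_vulnerable' );

// --- Hardened version of the same handler.
function example_ai_upload_hardened() {
    // 1. Authorization: only roles allowed to upload media (Author and above by default).
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: the form must carry a nonce made with
    //    wp_create_nonce( 'example_ai_upload' ) in a field named "nonce".
    check_ajax_referer( 'example_ai_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Let WordPress do the file handling. wp_handle_upload() validates the
    //    extension and the sniffed MIME type against the allowed list (an explicit
    //    allow-list here, so .php/.phtml/.phar are rejected even for admins),
    //    sanitizes the name and writes under the uploads directory.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_ai_upload', 'example_ai_upload_hardened' );
```

Two checks a practitioner should add on top of the code: confirm that the web server does not execute PHP from wp-content/uploads (a server-level rule, so a bypass of the allow-list still cannot run code), and grep any plugin you rely on for move_uploaded_file, file_put_contents and $_FILES used outside wp_handle_upload or wp_handle_sideload, since that is the pattern these posts keep finding.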