22 Oct 2022

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Image Hover Effects

The commit message for the latest change made to the WordPress plugin Image Hover Effects is “fixed Vulnerability issue”. As at least one of our customers is using the plugin, we checked over the change made. What we found is that it didn’t appear to fix a vulnerability, but there is a serious vulnerability connected with the code that was being changed.

3 Aug 2022

is_admin() Again Leads to WordPress Plugin Containing Vulnerability That Hackers Would Exploit

A recent review of the WordPress plugin Pop-up suggested the plugin is insecure:

I tested this plugin, it says it's free, I tried to inject code to my site… then I understood if they want they can inject any malicious code to your website by using this plugin… you are clicking launch code on an external website, and this plugin will upload a code to your website based on the email address registered on both sites. So if you are using a sensitive website don't even try this plugin.

5 Apr 2022

WooCommerce Payment Plugin Targeted by Hacker Contains Multiple Serious Vulnerabilities

Late last week, third-party data we monitor showed what looked to be a hacker probing for usage of a WordPress plugin that handles payment processing for the WooCommerce plugin, ЮKassa для WooCommerce, through requests for this file:

/wp-content/plugins/yookassa/assets/js/yookassa-admin.js

14 Jan 2022

WordPress Plugin Post Snippets Contains CSRF/Cross-Site Scripting (XSS) Vulnerability

A week ago, one of the moderators of the WordPress support forum deleted a topic titled “[Post Snippets] v3.1.3 – Stored Cross-Site Scripting (XSS) vulnerability”. The moderator’s message in deleting it said “Please report vulnerabilities responsibly.” If there really was a vulnerability being reported, the moderator didn’t make sure it was addressed, as the plugin hasn’t been updated in the past week.

After we got alerted about the deletion message, we looked at the plugin and found that it does at least contain a cross-site scripting (XSS) vulnerability that can be exploited through cross-site request forgery (CSRF).

17 Dec 2021

Vulnerability Details: CSRF/Cross-Site Scripting (XSS) in Crisp

Continuing a trend of WordPress plugin developers describing real vulnerabilities as potential or possible vulnerabilities, two recent updates to the plugin Crisp, which had as their Subversion comments “Fix potential XSS issue”, involved fixing a vulnerability, namely a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

3 Dec 2021

Closed WordPress Plugin With 40,000+ Installs Contains CSRF/XSS Vulnerability

Yesterday, the WordPress plugin WP Extra File Types was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to change the plugin’s settings and add malicious JavaScript code to them, which is cross-site scripting (XSS).

The plugin registers a settings page for itself, which calls the function admin_page().

30 Nov 2021

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Stetic

A cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the WordPress plugin Stetic, credited as having been discovered by “Naoki Ogawa, Cryptography Laboratory in Tokyo Denki University”, is described this way:

16 Nov 2021

Vulnerability Details: CSRF/XSS in Push Notifications for WordPress (Lite)

The JVN credits “Ten Katouno of Cryptography Laboratory, Department of Information and Communication Engineering, Tokyo Denki University” with finding a cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite). In looking over the changes made to fix this, we found that the vulnerability could have led to cross-site scripting (XSS).

12 Nov 2021

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WP Symposium Pro

Oftentimes we find that reports of vulnerabilities in WordPress plugins are not accurate, but there is still a vulnerability. That is the case with a claim of a cross-site scripting (XSS) vulnerability in WP Symposium Pro.
