27 Feb

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) in Better Search Replace

This Vulnerability Details post about a vulnerability in the plugin Better Search Replace provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a [Read more]

25 Feb

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) in File Manager

This Vulnerability Details post about a vulnerability in the plugin File Manager provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, [Read more]

14 Jan

Our Proactive Monitoring Caught an Authenticated Local File Inclusion (LFI) Vulnerability in Shortcode Factory

Recently we added checks for possible local file inclusion (LFI) vulnerabilities to our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins. Considering the state of security of WordPress plugins, it probably isn't surprising that we have already caught another vulnerability of that type. Specifically [Read more]
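As an added illustration of what a check for possible LFI sinks in plugin code can look like (this is example code written for this page, not the Plugin Vulnerabilities service's own monitoring, and the PHP snippets and the `myplugin_render_tab` function name are constructed), the scanner below flags `include`/`require` statements whose path is built from request input. It also separates the two cases the posts on this page describe: a tainted include with no WordPress nonce check is labelled "CSRF/LFI", since a forged request can reach it, and one guarded by a nonce check but with no validation of the file name is labelled "authenticated LFI". An allow-list test (`in_array`/`array_key_exists`) on the variable is the only thing treated as clearing the taint; `basename()` alone would not be, since it still lets an authenticated user pick any file in the directory.

```python
"""Heuristic LFI sink check for WordPress plugin PHP (added illustration, not the
Plugin Vulnerabilities service's own monitoring code)."""
import re
from typing import List, NamedTuple

SUPERGLOBALS = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER"}
# WordPress nonce checks; their presence means a forged cross-site request is stopped.
NONCE_CHECKS = ("check_admin_referer(", "check_ajax_referer(", "wp_verify_nonce(")

INCLUDE_RE = re.compile(
    r"\b(?:include_once|require_once|include|require)\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;")
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*(?P<rhs>[^;]+);")
# A membership test against a fixed list is treated as validating the variable.
VALIDATE_RE = re.compile(r"\b(?:in_array|array_key_exists)\s*\(\s*(\$[A-Za-z_]\w*)")
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


class Finding(NamedTuple):
    line: int
    sources: tuple   # variables or superglobals feeding the include path
    label: str       # "CSRF/LFI" or "authenticated LFI"


def scan_php(php: str) -> List[Finding]:
    """Flag include/require statements whose path depends on request input."""
    nonce_checked = any(n in php for n in NONCE_CHECKS)
    tainted = set()
    findings = []
    for lineno, line in enumerate(php.splitlines(), 1):
        # Taint propagation: assignment from a superglobal or a tainted variable.
        # A later clean reassignment does not clear taint, since it may sit in a
        # branch the attacker can avoid; only an allow-list test clears it.
        for m in ASSIGN_RE.finditer(line):
            rhs_vars = set(VAR_RE.findall(m.group("rhs")))
            if rhs_vars & SUPERGLOBALS or rhs_vars & tainted:
                tainted.add(m.group(1))
        for m in VALIDATE_RE.finditer(line):
            tainted.discard(m.group(1))
        m = INCLUDE_RE.search(line)
        if not m:
            continue
        arg_vars = set(VAR_RE.findall(m.group("arg")))
        sources = tuple(sorted(arg_vars & (SUPERGLOBALS | tainted)))
        if sources:
            findings.append(Finding(lineno, sources,
                                    "authenticated LFI" if nonce_checked else "CSRF/LFI"))
    return findings


# Constructed sample plugin code (hypothetical function name, not a real plugin).
VULNERABLE_PHP = """<?php
function myplugin_render_tab() {
    $tab = $_GET['tab'];
    include plugin_dir_path(__FILE__) . 'tabs/' . $tab . '.php';
}
"""

# Nonce check stops CSRF, but any user who can reach the page still picks the file.
NONCE_ONLY_PHP = """<?php
function myplugin_render_tab() {
    check_admin_referer('myplugin_tab');
    $tab = $_GET['tab'];
    include plugin_dir_path(__FILE__) . 'tabs/' . $tab . '.php';
}
"""

# Nonce check plus an allow-list of tab names: nothing left to flag.
HARDENED_PHP = """<?php
function myplugin_render_tab() {
    check_admin_referer('myplugin_tab');
    $allowed = array('general', 'advanced');
    $tab = isset($_GET['tab']) ? $_GET['tab'] : 'general';
    if (!in_array($tab, $allowed, true)) {
        $tab = 'general';
    }
    include plugin_dir_path(__FILE__) . 'tabs/' . $tab . '.php';
}
"""

if __name__ == "__main__":
    for name, src in (("vulnerable", VULNERABLE_PHP), ("nonce-only", NONCE_ONLY_PHP),
                      ("hardened", HARDENED_PHP)):
        print(name, scan_php(src))
```

The check is line-based and file-scoped by design: it does not know whether the nonce check actually sits on the path to the include, whether the function is reachable from a request at all, or whether an `include` it matched is inside a string or comment, so its output is a list of places for a human to review rather than confirmed vulnerabilities.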

10 Jan

WordPress Plugin Developers Don’t Do a Good Job of Making Sure Their Plugins Are Free of Vulnerabilities They Know of

Our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins, recently caught a good example of an ongoing problem we see with the developers of WordPress plugins: a failure to make sure that security vulnerabilities that have been in their plugins [Read more]

01 Oct

Full Disclosure of CSRF/LFI Vulnerability In Plugin With 30,000+ Active Installs

The description of the plugin Companion Auto Update, which has 30,000+ active installations according to wordpress.org, starts with the message: KEEP YOUR WEBSITE SAFE! But the plugin itself introduces a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability, as we found while doing some checking of the 1,000 most popular plugins in the Plugin Directory against [Read more]

19 Jun

Authenticated Local File Inclusion (LFI) Vulnerability in ChimpMate

In seeking to continue to improve our Plugin Security Checker, which does automated checks to try to spot potential security issues in WordPress plugins, we log the results of checks of plugins in the Plugin Directory. The plugin ChimpMate was recently run through that, and one of the issues identified was a possible local file [Read more]

30 Oct

Authenticated Local File Inclusion (LFI) Vulnerability in PluginOps Page Builder

As we discussed in a previous post, while reviewing the changes in a recent version of the plugin PluginOps Page Builder we found that a local file inclusion vulnerability had recently been fixed in the plugin. In looking over the changes that fixed that, we found that there was still a limited authenticated local file [Read more]