22 Aug

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Settings Change in Cache-Control

This post provides the details of a vulnerability in the WordPress plugin Cache-Control that was not discovered by us, and for which the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then view the contents of the post. There are a lot of other reasons you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

24 Jul

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Settings Change in Custom Simple Rss

This post provides the details of a vulnerability in the WordPress plugin Custom Simple Rss that was not discovered by us, and for which the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then view the contents of the post. There are a lot of other reasons you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

15 Jul

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Project Supremacy Lite (Project Supremacy V3 Lite)

As part of making sure we are providing the users of our service with the best information on vulnerabilities in WordPress plugins they may be using, we monitor for indications that security vulnerabilities have been fixed in new versions of plugins. Today that led to us looking at Project Supremacy Lite (Project Supremacy V3 Lite), where the changelog for the latest version is “Added some security fixes.” The changes made in that version look to be escaping the output of the plugin’s settings. Normally the lack of that wouldn’t be a vulnerability, because only Administrators are allowed to change the settings and they can already do anything they want with WordPress. When we checked whether that was the case with this plugin, we found that anyone logged in to WordPress can change the plugin’s settings, and one of those settings is intended to place JavaScript code on all of the frontend pages of the website, which leads to an authenticated persistent cross-site scripting (XSS) vulnerability.

[Read more]

03 Jul

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Visitors Traffic Real Time Statistics

This post provides the details of a vulnerability in the WordPress plugin Visitors Traffic Real Time Statistics that was not discovered by us, and for which the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then view the contents of the post. There are a lot of other reasons you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

26 Jun

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in ACF: Better Search

One of the ways we make sure customers of our service have the best data on vulnerabilities in WordPress plugins they use is that we monitor changes being made to plugins for indications that vulnerabilities have been fixed. We often find that issues haven’t been fully resolved or that there are other related issues still in the plugin. That was the case when we looked into the details of a vulnerability in the plugin WebP Converter for Media, which in part involved a lack of protection against cross-site request forgery (CSRF). We also noted another instance of that, one which also impacts a more popular plugin by the same developer, ACF: Better Search.
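The two failure modes described in the Project Supremacy Lite post above (a settings-change handler reachable by any logged-in user, with one setting that is printed as JavaScript on the frontend) and in this ACF: Better Search post (a settings change with no CSRF protection) are both instances of a WordPress settings handler missing its authorization and nonce checks. The following is an added example written for this page, not code from any of the plugins discussed; the plugin names, option name `example_footer_js`, and AJAX action names are hypothetical. It shows the vulnerable shape beside the hardened one:

```php
<?php
/*
 * Added example, not code from any plugin on this page. The option name
 * "example_footer_js" and the AJAX actions are assumptions for illustration.
 */

/* ---- VULNERABLE SHAPE ----------------------------------------------------
 * wp_ajax_{action} hooks fire for every authenticated user, Subscribers
 * included. With no capability check and no nonce, any logged-in user (or a
 * CSRF page they visit) can overwrite the option, and it is echoed raw on
 * every frontend page: an authenticated persistent XSS.
 */
add_action( 'wp_ajax_example_save_settings_vuln', 'example_save_settings_vuln' );
function example_save_settings_vuln() {
    update_option( 'example_footer_js', wp_unslash( $_POST['footer_js'] ) );
    wp_send_json_success();
}

/* ---- HARDENED SHAPE ------------------------------------------------------ */
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // 1. Authorization: only Administrators may change plugin settings.
    //    This is the check whose absence turns an admin-only feature into
    //    a vulnerability; escaping alone would not fix it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this
    //    user. check_ajax_referer() dies on failure.
    check_ajax_referer( 'example_save_settings', '_ajax_nonce' );

    $js = isset( $_POST['footer_js'] ) ? wp_unslash( $_POST['footer_js'] ) : '';
    update_option( 'example_footer_js', $js );
    wp_send_json_success();
}

// 3. Escape when re-displaying the stored value on the settings page; this is
//    the kind of change the changelog described, and it is correct, but it is
//    only safe because step 1 restricts who can write the value.
function example_render_settings_field() {
    printf(
        '<textarea name="footer_js">%s</textarea>',
        esc_textarea( get_option( 'example_footer_js', '' ) )
    );
    wp_nonce_field( 'example_save_settings', '_ajax_nonce' );
}

// The frontend sink is unchanged by design: the feature exists to inject
// Administrator-supplied script, so it cannot be escaped without breaking it.
// It is acceptable only because writes are now limited to Administrators.
add_action( 'wp_footer', function () {
    echo get_option( 'example_footer_js', '' );
} );
```

Two points a reviewer should keep in mind when auditing handlers like this: a nonce is not authorization (a Subscriber can obtain a valid nonce from any page that renders it, so `check_ajax_referer()` without `current_user_can()` still leaves the settings change open to low-privileged users), and `wp_ajax_nopriv_` variants of the same hook would extend the reachable surface to unauthenticated visitors.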

[Read more]

19 Jun

If Facebook’s Handling of the Security of Their WordPress Plugins Is Any Indication, They Don’t Seem Too Concerned About Security

On Monday we discussed that two of Facebook’s plugins for WordPress contained vulnerabilities due to basic security failures (and mentioned in passing that another is also insecure due to the same type of issue). Their attempts to resolve the vulnerabilities continued to show a lack of concern and/or understanding of security, at least when it comes to WordPress plugins. It also makes you wonder what the people running the WordPress Plugin Directory are up to, since they knew these plugins were vulnerable and didn’t make sure they were properly fixed.

[Read more]

17 Jun

Facebook’s WordPress Plugin Messenger Customer Chat Contains an Authenticated Settings Change Vulnerability

In our previous post we detailed running across a vulnerable WordPress plugin made by Facebook with 200,000+ installs. After noticing that, we did a quick check to see if any of their other plugins had similar issues. We found that their plugin Messenger Customer Chat, which has 20,000+ installs, contains a similar vulnerability, though in this case the code is even less secure.

[Read more]

13 Jun

Simply Closing a WordPress Plugin With a Vulnerability Likely to Be Exploited Just Leaves Websites Open to Being Hacked

As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. A week ago that led to us running across two plugins with unfixed vulnerabilities. One of those plugins was closed on the WordPress Plugin Directory on May 9. In the past day we saw a hacker probing for another plugin that was closed on the same day, Real Estate Manager – Property Listing and Agent Management.

[Read more]

07 Jun

Vulnerability Details: CSRF/XSS in Category Specific RSS Menu (Category Specific RSS feed Subscription)

This post provides the details of a vulnerability in the WordPress plugin Category Specific RSS feed Subscription that was not discovered by us, and for which the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then view the contents of the post. There are a lot of other reasons you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]