15 Apr 2022

Vulnerability Details: Cross-Site Scripting (XSS) in MalCare WordPress Security Plugin

Patchstack claimed there had been an authenticated cross-site scripting (XSS) vulnerability in the WordPress plugin MalCare WordPress Security Plugin. Almost no information was provided beyond the claim that it was “Possible only with admin authentication.” That sounds like there wouldn’t be a vulnerability at all, but we found that there really was an issue, though exploiting it would have required special circumstances. [Read more]

5 Oct 2017

Arbitrary File Viewing Vulnerability in WP Post Popup

Back in August, through our proactive monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins, we found that the plugin WP Post Popup contained an arbitrary file viewing vulnerability. That was subsequently fixed. Through that same monitoring we have now found that the vulnerability has returned to the plugin.

The only difference from last time is that the file the vulnerability is now in is named /public/partials/wp-post-modal-public-proxy.php. [Read more]

11 Aug 2017

Arbitrary File Viewing Vulnerability in WP Post Popup

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. For the first time we have found an arbitrary file viewing vulnerability through this, which is a type of vulnerability that is among the most likely to have exploit attempts. What is concerning about the vulnerability we found in the plugin WP Post Popup is how obvious the issue is and yet it had not been noticed.

In the file /public/includes/proxy.php the first code was: [Read more]
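The excerpt above cuts off before the plugin’s code is shown, so the following is an added illustration of the vulnerability class only, not WP Post Popup’s code. It is a hypothetical proxy endpoint (function names, directory and allowed extensions are all assumptions) that reads a file named by a request parameter, beside a hardened version that canonicalises the path, confines it to a fixed base directory and restricts the extension:

```php
<?php
// Added illustration, not the WP Post Popup plugin's code.

// Vulnerable pattern: the request parameter goes straight into a file read,
// so a value such as ../../../wp-config.php is served as-is.
function serve_file_unsafe(string $requested): void {
    $path = __DIR__ . '/' . $requested;   // no canonicalisation, no allowlist
    readfile($path);
}

// Hardened form: resolve the real path, then require it to sit inside
// $baseDir and carry an allowed extension. Returns null on any failure.
function resolve_allowed_file(string $requested, string $baseDir, array $allowedExt = ['html', 'txt']): ?string {
    // Reject embedded NUL bytes before they reach filesystem functions.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves '..' and symlinks and returns false for missing files.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false) {
        return null;
    }
    // Prefix check including the trailing separator, so that a sibling such as
    // /var/www/public2 is not accepted as a child of /var/www/public.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $real;
}

function serve_file_safe(string $requested, string $baseDir): void {
    $real = resolve_allowed_file($requested, $baseDir);
    if ($real === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    readfile($real);
}

// Usage with constructed input (the 'partials' directory is an assumption):
// serve_file_safe($_GET['file'] ?? '', __DIR__ . '/partials');
// resolve_allowed_file('../../wp-config.php', __DIR__ . '/partials') returns null.
```

Two checks from the hardened version matter in practice: `realpath()` collapses `..` and symlinks before the containment test, and the prefix comparison includes the directory separator so that a sibling directory sharing the prefix is not accepted. In a WordPress plugin a directly requested file like this should additionally refuse to run unless the request is one the plugin genuinely intends to serve anonymously; otherwise a capability check and nonce belong in front of the read.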