20 Oct

Just Because a WordPress Plugin is Popular, It Doesn’t Mean It is Secure

Earlier this week we discussed an incorrect belief that WordPress plugins that are monetized will have any discovered security issues quickly fixed, which led to the suggestion that you should only use monetized plugins. That is far from the only time we have seen advice on choosing plugins to use with an emphasis on security [Read more]

20 Oct

Authenticated Information Disclosure Vulnerability in Duplicate Page

We recently went to a take a look at the details of a reflected cross-site scripting (XSS) vulnerability that had been disclosed in the plugin Duplicate Page we noticed that it also had a cross-site request forgery (CSRF) vulnerability. After that we remember that a similar plugin Duplicate Post had previously had a vulnerability that allowed [Read more]

20 Oct

Cross-Site Request Forgery (CSRF) Vulnerability in Duplicate Page

While looking into the details of a reflected cross-site scripting (XSS) vulnerability in the plugin Duplicate Page we noticed that there was no protection against cross-site request forgery (CSRF) when using the plugin’s functionality, duplicating a post or page. As of version 2.3 the URLs for the duplication looks like this: /wp-admin/admin.php?action=dt_duplicate_post_as_draft&post=1 If there was protection [Read more]

20 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Duplicate Page

Recently the security scanner service Detectify seems to have disclosed a number of unfixed reflected cross-site scripting (XSS) vulnerabilities in WordPress plugins that the developers may not have been notified of. We are still in the process of going through those, but so far we found that not only had some of the developers not been [Read more]