22 Mar

WordPress Plugin Developers and Users Should Be Proactive, Not Reactive, About the Security of Them

This week the WordPress plugins Easy WP SMTP and Social Warfare had vulnerabilities, which have now been fixed, widely exploited. In both cases the vulnerabilities were not due to obscure issues that no one had ever heard of before, but they were due to the failure to do security basics. In the case of both plugins, even after having vulnerabilities  exploited, the developers still haven’t fully fixed up the security of the code related the vulnerabilities (and the WordPress team has allowed them to remain in the Plugin Directory despite that).

[Read more]

22 Mar

Not Really a WordPress Plugin Vulnerability, Week of March 22

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

[Read more]

20 Mar

WordPress Support Forum Moderator Jan Dembowski Falsely Claims That No One Figures Out What Versions of Plugins Are Vulnerable

When it comes to the mess that is the moderation of the WordPress Support Forum that has led to us full disclosing vulnerabilities until it is cleaned up,  one of the most problematic moderators is someone named Jan Dembowski who we frequently run across getting things incredibly wrong (in some cases taking different sides on issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it comes to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:

[Read more]

19 Mar

Other WordPress Plugin Vulnerability Data Sources Still Not Warning About Fixed or Unfixed Vulnerabilities in Easy WP SMTP

Today we have had a lot of traffic coming to our website to our posts about the vulnerabilities fixed and unfixed in the plugin Easy WP SMTP. The likely explanation is what else we have been seeing today, as in terms of dealing with the cleanup of hacked WordPress websites over at our main business and other mentions of hacked websites, we are seeing indications that the option update vulnerability that was fixed with that and possibly the other recently fixed option update vulnerability impacting many plugins are being exploited widely to change the WordPress option “siteurl” on websites to cause requests to be made to “getmyfreetraffic.com” (based on past experience with this type of vulnerability that likely isn’t the only thing the hackers are doing with the vulnerabilities on those websites).

[Read more]

18 Mar

Missed Vulnerabilities in Easy WP SMTP Show Why Checking Over Security Fixes is Important

One of the things that we do to make sure we are providing our customers with the best data on vulnerabilities in WordPress plugins they might be using is that we monitor the changelog for plugins to spot the possibility that vulnerabilities have been fixed and then we try to figure if the changes actually involve a vulnerability. In doing that we have often found that vulnerabilities have only been partially fixed or haven’t been fixed at all. That is the case with the plugin Easy WP SMTP, which has 300,000+ active installations according to wordpress.org, where we reviewed the changes made before the discoverer had put out a post on the vulnerabilities.

[Read more]

18 Mar

Vulnerability Details: Option Update Vulnerability in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

18 Mar

Vulnerability Details: Information Disclosure in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

18 Mar

Vulnerability Details: PHP Object Injection in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

18 Mar

Vulnerability Details: Information Disclosure in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]