15 Jul 2019

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Email Subscribers & Newsletters

One of the changelog entries for the latest version of Email Subscribers & Newsletters is “Fix: Fixed Vulnerability”. Looking at the changes made in that version at first glance, we thought it might be fixing a vulnerability we disclosed in April, but that wasn’t the case. What we subsequently found is that what appears to be an attempt to fix a vulnerability hadn’t been successful, due to two different security failures. While one of those failures would be somewhat understandable normally, the developer markets their plugins with this claim:


11 Apr 2019

100,000+ Install WordPress Plugin Marketed With Claim It Doesn’t Open Security Risks Has Persistent XSS Vulnerability

In monitoring the WordPress Support Forum for indications of vulnerabilities in plugins, so that we can warn our customers of any publicly known security issues in plugins they use, we have for some time been seeing complaints about bogus signups on subscriber lists for newsletter plugins. It isn’t clear what the point of that would be, or whether it is even intentional (if someone knows the explanation for it, please leave a comment). One of those plugins is Email Subscribers & Newsletters, where someone began a topic seven weeks ago with this:

This plugin has been exploited by bots or scripts that dump a bunch of bogus Russian email addresses into the subscriber list. It was fixed once in a recent version, but was quickly exploited again. Until this is successfully resolved, I could not recommend the plugin because I have to disable it every time it is hacked.

1 Feb 2018

What Happened With WordPress Plugin Vulnerabilities in January 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during January (and what you have been missing out on if you haven’t signed up yet):