30 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Events Made Easy

Yesterday we disclosed an arbitrary file upload related vulnerability discovered through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities for which the underlying vulnerable code ran despite the user interface for it being disabled. That turns out to not be a one-off issue as our proactive monitoring has also led to us finding an authenticated arbitrary file upload vulnerability in the plugin Events Made Easy where the user interface also appears to be missing. This is a good reminder of the limits of trying to look for vulnerabilities without looking at the underlying code of software.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community. [Read more]

07 Dec

Not Really a WordPress Plugin Vulnerability, Week of December 7

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to level of getting their own post we now place them in a weekly post when we come across them.

Database Disclosure Vulnerabilities in ARI Adminer, BackWPup, Batch-Move Posts wp plugin, Caldera Forms, Cart66 Lite, Contact Us Page Builder, Events Made Easy, Exports and Reports, L4 Shopping Cart, Orbis, Paid Memberships Pro, Search Engine, Shopp, WP EasyCart, and WP Editor

Related reports of claimed database disclosure vulnerabilities were released for ARI AdminerBackWPupBatch-Move Posts wp plugin, Caldera FormsCart66 Lite, Contact Us Page BuilderEvents Made EasyExports and ReportsL4 Shopping CartOrbisPaid Memberships Pro, Search EngineShoppWP EasyCart, and WP Editor. While the person behind these reports believes that the file they are listing for each of the plugins is a database backup, in reality they are files that came with the plugins. It hard to understand how they didn’t realize that as the contents are exactly the same for the same plugin file on every website they listed, but they apparently didn’t. [Read more]

17 Sep

Our Proactive Monitoring Caught an Exploitable Vulnerability in Events Made Easy

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That again has lead to us catching a vulnerability of a type that hackers are likely to exploit if they know about it. Since the check used to spot this is also included in our Plugin Security Checker (which is accessible through a WordPress plugin of its own), it is another of reminder of how that can help to indicate which plugins are in greater need of security review (for which we do as part of our main service as well as separately).

In a change made to the plugin Events Made Easy last week, code was added to the plugin that would pass the value of a cookie, “eme_client_time” through the unserialize() function, which could lead to PHP object injection. One of the locations that was added to was in the function eme_client_clock_ajax() in the file /eme_functions.php: [Read more]