25 Feb

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) in File Manager

This post provides the details of a vulnerability in the WordPress plugin File Manager not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

22 Feb

Closures of Very Popular WordPress Plugins, Week of February 22

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

[Read more]

20 Feb

Just Closed File Manager WordPress Plugin with 300,000+ Installs Contains Authenticated Remote Code Execution (RCE) Vulnerability

Due to our monitoring for closures of the 1,000 most popular WordPress plugins we were notified that the plugin File Manager (WP File Manager), which has 300,000+ installs, was closed today. That a security vulnerability could have led to it being closed wouldn’t be surprising. That is in part due to one of the other plugins from the same developer, Duplicate Page, which has 700,000+ installs, being publicly known to contain multiple unfixed vulnerabilities for over a year (which no one on the WordPress side of things seems to care about), two of which we disclosed in October of 2017 after the developer didn’t respond to our notification to them of the issues. That is also in part due to the continued poor security of this plugin as well, including that it used to be fundamentally insecure and even when that was fixed it wasn’t fixed properly.

[Read more]

18 Sep

Vulnerability Details: CSRF/XSS Vulnerability in File Manager (WP File Manager)

This post provides the details of a vulnerability in the WordPress plugin File Manager not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

05 Sep

Reflected Cross-Site Scripting (XSS) Vulnerability in File Manager

One of the problems we have found with the WordPress Support Forum is that there is  unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager, deleting that doesn’t make much sense to us since it would be easy for someone with bad intentions to do same monitoring that we do and have spotted that thread before it was deleted, while deleting makes it harder for those with good intentions to find out about it. For us seeing it, not only lead to us noticing a related vulnerability in the same code, but it also led to a new check for our Plugin Security Checker to make it easier for similar issues to the one we noticed to be caught and fixed going forward, leading to better security for WordPress plugins, which unfortunately the moderators of the WordPress Support Forum don’t seem to be all that interested in based on the actions they take and their shutting down any conversion about whether those actions are productive.

[Read more]

14 Jun

Vulnerability Details: Authenticated File Manager Access Vulnerability in File Manager

This post provides the details of a vulnerability in the WordPress plugin File Manager not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]