26 Feb

Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius

On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to be vulnerable, we didn’t further check into what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.


01 Nov

Full Disclosure of Authenticated XSS Vulnerability in WordPress Plugin With 100,000+ Installs

One of the elements of the inappropriate behavior of the moderators of the WordPress Support Forum that has led us to fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up has been to delete messages about vulnerabilities in WordPress plugins while doing nothing to get them fixed. We don’t know how they think this is a good idea, since it just limits getting things fixed, which is the important thing to do about vulnerabilities, while not actually hiding the vulnerabilities.
