If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet): [Read more]
While looking into what hackers might be targeting plugin Sharexy, we took a look at what appeared to be related request to see if a file that previously had existed in the plugin Gallery by BestWebSoft was on our website. The file requested was /wp-content/plugins/gallery-plugin/upload/php.php, which has been claimed to have an arbitrary file upload vulnerability as of version 3.06. Though at least by our definition that isn’t true because the extension of the files that could be uploaded through that file is limited.
The file /upload/php.php defines what extension uploaded files can have with the following line: [Read more]
Last Thursday we notified the developer of the plugin Contact Form by BestWebSoft of the results of our security review of their plugin (the plugin was chosen by our customer to receive a review from us). One of the issues we noticed was reflected cross-site scripting (XSS) vulnerability, which we also found existed in 40 other of their plugins due to the code that caused the vulnerability being shared among the plugins.
While preparing the data on the vulnerability in those plugins to add to our data set once we disclosed the vulnerability we noticed that the same issue had been fixed in 12 other plugins by the developer as of the day we notified them, so we figured that we were not the only ones that had noticed this vulnerability. Today a company named DefenseCode put out a report on the vulnerabilities (PDF), in which they state they notified the developer of the vulnerability on March 24. In their report the response from the developer states they were already aware of the issue before even then: [Read more]