12 May 2025

WordPress and Security Providers Fail to Make Sure All Plugins Containing Known Vulnerability Have Been Addressed

During the weekend, an apparent hacker made multiple requests on our website for a file that would be located at /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php. That file would be part of the Google for WooCommerce plugin, which is developed by Automattic, the company run by the head of WordPress. The file turned out to be in two other plugins, one of which is still vulnerable and still in the WordPress Plugin Directory, something that WordPress and other WordPress security providers have missed. It is also still in the Google library it originally comes from.

The file doesn’t exist in the current version of Google for WooCommerce. It was removed from the plugin in version 2.8.7, which was released on November 14. In the changelog, that change was described as “Fix – Remove a Google Ads API vendor file that prints php information.” The contents of the file before that were: [Read more]

27 Jun 2024

Vulnerability in WordPress Software Bill of Materials (SBOM) Plugin Allows Anyone Access to SBOM for Website

A software bill of materials (SBOM) is used to provide information on the software components that make up a larger software system. There has been a lot of focus on them recently as a way to better detect and address known vulnerabilities in systems. Generating them often entails using other software, and that software could, in turn, have vulnerabilities. That turns out to be the case with a WordPress plugin we just checked over.

While looking to see if there was an existing solution for generating SBOMs for WordPress websites, we ran across WpBom, which has been available on the WordPress plugin directory since December 2021. It appears it hasn’t gotten a security review, as there is a fairly serious vulnerability. It turns out that anyone can access the SBOM file it generates, so an attacker could gain additional information on the software on the website. It could be worse: in July of last year, we found that a very popular security plugin was disclosing the vulnerabilities that were known to exist in software on the website. [Read more]

25 Jun 2024

WooCommerce is Exposing Private Product Information Through Store API

While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in it. That plugin has long been incorporated into the main WooCommerce plugin, and we confirmed the vulnerability exists in the latest version of that plugin. The vulnerability exposes information that isn’t meant to be public about WooCommerce products through the WooCommerce Store API. There are possibly more issues related to that API, as we have only looked into this specific issue so far.

According to the Store API Guiding Principles, private data shouldn’t be provided through the API (emphasis theirs): “Store data such as settings (for example, store currency) is permitted in responses, but private or sensitive data must be avoided.” Despite that statement, it doesn’t appear that even basic security review has been done on the code, and it hasn’t been done in years, as the vulnerable code dates back four years. Automattic needs to review that API more thoroughly. [Read more]

15 Feb 2024

Information Disclosure Vulnerability in Manage Notification E-mails

One of the changelog entries for the latest version of the WordPress plugin Manage Notification E-mails is “FIXED: Medium vulnerability in settings module. Thanks to Wordfence for reporting this.” Looking at the changes made in that version, we found that the new version restricts access to exporting the plugin’s settings to users with the manage_options capability, so Administrators. Previously, even those not logged in to WordPress could do that, as the proof of concept below confirms.

[Read more]

16 Jan 2024

Contact Form 7 Extension For Mailchimp Contains Multiple Vulnerabilities

On Friday, the WordPress plugin Contact Form 7 Extension For Mailchimp, one of the 1,000 most popular plugins on the WordPress plugin directory, was closed. That plugin has 90,000+ installs. No reason has been given for the closure. There is a recent claim that the plugin contains an unfixed vulnerability, but there is a complete lack of details provided for anyone trying to verify that (no surprise considering the source, Patchstack). In quickly checking over the plugin, we found it contains multiple vulnerabilities caused by a lack of basic security. We would recommend against using the plugin unless a thorough security review has been done and all issues have been fixed.

On Sunday, the developer released a new version, with the changelog reading “Addressed security reports and performed a full security check.” Despite that, none of the issues mentioned below, which we had noticed before that change, have been resolved. [Read more]

4 Dec 2023

WordPress Download Manager Plugin Exposed Passwords, Still Is Storing Plaintext Passwords

Developers of WordPress plugins are not always open about fixing security issues in their plugins. That seems to be the case with the latest release of the 100,000+ install Download Manager plugin. Its changelog hints that a security issue might have been fixed, as it reads “fixed an issue with the password validation for password-protected files.” As at least one of our customers is using the plugin, we checked over that to see if there was something we should be warning about and, if so, to make sure it was fixed. We found that a security issue was addressed, though there is another underlying issue that still hasn’t been.

In the plugin’s file /src/Package/PackageLocks.php, a single line of code was removed in the new version: [Read more]

20 Nov 2023

Latest Version of 2+ Million Install MC4WP: Mailchimp for WordPress Fixes Minor Security Issue

Today an update was released for the 2+ million active install WordPress plugin MC4WP: Mailchimp for WordPress. Its changelog suggests that a security change had been made, as it reads “Forms: Don’t show form preview to users without edit_posts capability.” As at least one of our customers is using the plugin, we checked in on that and found that a minor security issue had been addressed.

As suggested by the changelog, the update added a check restricting access to the preview of a form from the plugin to those with the edit_posts capability. Prior to that, anyone could see the preview, including those not logged in to WordPress. Unless a form includes information that isn’t meant to be seen by everyone, there wouldn’t be a security risk in that. [Read more]

28 Sep 2023

Hacker Targeted WordPress Plugin Booking Calendar Contains Vulnerability That Exposes Customer Data

On one of our websites and in third-party data we monitor, we saw what appeared to be a hacker probing for usage of the WordPress plugin Booking Calendar today. In the past year, a serious vulnerability and several lesser security issues were fixed in the plugin. Those could possibly explain a hacker’s interest in the plugin, especially the serious vulnerability. To make sure there wasn’t something still in the plugin that might be targeted, we did a quick check of the plugin for security issues that are commonly targeted by hackers. What we found was that the plugin still lacks basic security and that, at the least, this allows a hacker to easily gain access to all the customer data submitted through the plugin.

We would recommend avoiding the plugin unless a thorough security review, like the ones we do, is done and all the issues found are addressed. [Read more]