14 Jul 2023

Information Disclosure Vulnerability in WP Email Capture

Yesterday, we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Email Capture. Looking at the latest version, we found a number of places where the code was insecure, but nothing that looked like a vulnerability a hacker would exploit. One of the recent versions of the plugin had a changelog entry that might explain a hacker’s interest:

[Read more]

12 Jul 2023

Information Disclosure Vulnerability in Ninja Forms Incompletely Fixed

The recent version 3.6.26 of the WordPress plugin Ninja Forms includes what the developer describes as a number of “security enhancements”. One of them is “[p]revent unauthorized download of submission”. That sounds less like an enhancement and more like a vulnerability fix. We confirmed it was a vulnerability and that it had been incompletely fixed.

Looking at the changes made in that version, we found that this appeared to relate to legacy functionality that still exists in the plugin despite not normally being used. [Read more]

15 May 2023

Information Disclosure Vulnerability in Link Whisper Free

Recently, Patchstack very vaguely claimed that there is an unfixed vulnerability in the WordPress plugin Link Whisper Free. We really do mean very vaguely, as the only information provided about the claimed vulnerability is that it involves “broken access control” and doesn’t require authentication. They claimed that they received no reply from the author about the issue.

[Read more]

5 Dec 2022

Information Disclosure Vulnerability in WordPress Plugin Download Monitor

A recent version of the WordPress plugin Download Monitor had a changelog entry that indicated a security vulnerability might have been fixed: “Fix: Security fix”. Looking at the changes made seemed to show that the developer might have improperly fixed a vulnerability, and further checking confirmed that was the case.

[Read more]

20 Jun 2022

Ninja Forms’ Merge Tags Functionality is Still Vulnerable

Last week, the 1+ million install WordPress plugin Ninja Forms fixed what appears to have been a zero-day vulnerability involving its merge tags functionality. As part of thoroughly reviewing that fix, since at least one of our customers uses the plugin, we found that the functionality is still vulnerable.

The developer describes that functionality this way: [Read more]