1 Apr 2022

Vulnerability Details: Information Disclosure in Contact Form Submissions

Yesterday, the WordPress plugin Contact Form Submissions was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. We actually already were warning our customers, as the plugin still has an unfixed vulnerability we found the last time it was closed. Looking for anything else, we found that some of the code in the plugin isn't properly secured, though not in a way that appears to normally lead to a vulnerability. We were also aware of a recent claim of a security issue in the plugin, which we had not yet fully reviewed.

24 Mar 2022

Insecurity of WordPress Plugin Product Table for WooCommerce Includes Information Disclosure Vulnerability

The most recent version of the WordPress plugin Product Table for WooCommerce had a very important security fix, though you wouldn't know that by looking at the changelog for that version, as there isn't one. Those relying on a couple of our competitors, WPScan and Patchstack, wouldn't have a full understanding of that either, as they somehow managed to miss the full scope of the vulnerability being addressed.

Based on what we saw while reviewing the change being made, there was reason to believe there could be additional security issues in the plugin. We have confirmed that is the case and we would recommend not using the plugin unless it has had a thorough security review and all issues are addressed.

17 Mar 2022

Vulnerability Details: Information Disclosure in Ninja Forms

Back in September we discussed a situation where the developer of the WordPress plugin Ninja Forms had disclosed an unfixed vulnerability in their plugin, by including a fix in the Subversion repository that underlies WordPress’ plugin directory, but not making that available for normal download. That has happened again.

30 Aug 2021

Hacker Targeted WooCommerce Stock Manager Still Lacking Basic Security After Wordfence Checked Plugin

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website on Saturday for the plugin WooCommerce Stock Manager by requesting this file:

/wp-content/plugins/woocommerce-stock-manager/readme.txt
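Requests for a plugin's readme.txt are the usual way to check whether a site runs a given plugin, since the file is world-readable and its "Stable tag" line gives the version. The following script, an added example that is not code from the original post or from Plugin Vulnerabilities, shows the kind of detection such monitoring relies on: it parses web server access-log lines in the common "combined" format, picks out requests matching /wp-content/plugins/<slug>/readme.txt, and groups them by client IP so that one client checking for several plugins stands out. The log lines, IP addresses, plugin slugs and user agents in it are constructed for the example; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in the "combined" format; they are made up
# for this example and are not log data from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Aug/2021:10:01:12 +0000] "GET /wp-content/plugins/woocommerce-stock-manager/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
203.0.113.5 - - [28/Aug/2021:10:01:13 +0000] "GET /wp-content/plugins/gallery-bank/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.25.1"
198.51.100.7 - - [28/Aug/2021:10:02:40 +0000] "GET /blog/some-post/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Aug/2021:10:01:14 +0000] "GET /wp-content/plugins/ninja-forms/readme.txt HTTP/1.1" 200 3401 "-" "python-requests/2.25.1"
192.0.2.9 - - [28/Aug/2021:11:15:00 +0000] "GET /wp-content/plugins/contact-form-submissions/readme.txt HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

# One "combined" log line: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A request for a plugin's readme.txt is the cheapest way to learn whether the
# plugin is installed (and, from its "Stable tag", which version).
PROBE_RE = re.compile(
    r"^/wp-content/plugins/(?P<slug>[A-Za-z0-9._-]+)/readme\.txt$", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_plugin_probes(log_text):
    """Return one record per request that looks like a plugin-presence probe."""
    probes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        m = PROBE_RE.match(path)
        if not m:
            continue
        probes.append({
            "ip": rec["ip"],
            "slug": m.group("slug").lower(),
            "status": int(rec["status"]),
            "ua": rec["ua"],
        })
    return probes


def summarize(probes, min_slugs=2):
    """Group probes by client IP, keeping clients that checked for at least min_slugs plugins.

    A 200 response means the readme exists, so the client now knows the plugin
    is installed; those slugs are listed separately so the site owner can check
    whether any of them has an unfixed vulnerability.
    """
    by_ip = defaultdict(lambda: {"slugs": set(), "confirmed_present": set(), "user_agents": set()})
    for p in probes:
        entry = by_ip[p["ip"]]
        entry["slugs"].add(p["slug"])
        entry["user_agents"].add(p["ua"])
        if p["status"] == 200:
            entry["confirmed_present"].add(p["slug"])
    return {
        ip: {
            "slugs": sorted(e["slugs"]),
            "confirmed_present": sorted(e["confirmed_present"]),
            "user_agents": sorted(e["user_agents"]),
        }
        for ip, e in by_ip.items()
        if len(e["slugs"]) >= min_slugs
    }


if __name__ == "__main__":
    for ip, info in summarize(find_plugin_probes(SAMPLE_LOG)).items():
        print(ip, "probed", info["slugs"], "confirmed present:", info["confirmed_present"])
```

On the constructed sample this flags 203.0.113.5, which checked for three plugins within a few seconds and got a 200 for ninja-forms, while the single curl request from 192.0.2.9 falls below the threshold. In practice the slugs that return 200 are the ones worth cross-checking against a vulnerability feed, since a 404 tells the prober the plugin is absent. The threshold and the readme.txt pattern are deliberately simple; a real deployment would also watch for the other files scanners request to fingerprint plugins.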

13 Nov 2019

Vulnerability Details: Authenticated Information Disclosure in Gallery Bank

The plugin Gallery Bank was closed on the Plugin Directory on Monday. Earlier today a new version of the plugin was submitted with the changelog "FIX: FTP Exploit Fixed", which sounds unusual, since normally plugins wouldn't have anything to do with FTP unless they are making requests via FTP to another server. Looking at the changes made and the old version of the plugin, we found this involved an "Upload from FTP" feature, though part of it is only available in a premium version of the plugin. What is available in the free version looks to have been vulnerable in that Author-level users and above could view the names of subdirectories of arbitrary directories on the website.

14 Oct 2019

WordPress Plugin Copies Security Vulnerabilities From Another Plugin

When it comes to insecure code in WordPress plugins, beyond insecure code written by the developers themselves, we often find that developers have included code created by others without first reviewing its security (that has even been the case with popular security plugins). Recently multiple security issues were fixed in the plugin Sliced Invoices. While looking into that, we found that the plugin Tradies has copied a significant amount of code from that plugin and still contains those vulnerabilities. The amount copied is so significant that if you try to activate Tradies with Sliced Invoices already activated (or vice versa), activation fails because a class name is reused. While copying the code is permitted by the GPL, there isn't a copyright statement indicating the source of the code (which isn't the first time we have seen that done with copied code).

As an example of the insecure code copied, let's take a look at the code to handle exporting the plugin's quotes and invoices.