14 Oct 2019

Vulnerability Details: Information Disclosure in Sliced Invoices

The plugin Sliced Invoices was closed on the Plugin Directory on October 8. No reason has been given for the closure. Subsequent to that a new version was submitted with a changelog entry “SECURITY UPDATE: security updates per wordpress requirements”. Looking at the changes made we found that security checks were added with various functionality. That includes an information disclosure vulnerability that would permit anyone to view all the quotes and invoices created with the plugin.

3 Oct 2019

Vulnerability Details: Information Disclosure in Easy Digital Downloads

The changelog for the latest version of Easy Digital Downloads is “Security Fix: Prevent an authentication bypass to the EDD REST API when no API keys exist.” That sounded like a vulnerability recently fixed in another plugin, and as it turned out that is because they shared the same code. Looking at the changes made in that version confirmed that the issue was the same one Wordfence had recently found in the plugin Give (GiveWP): the API could be accessed without needing a valid API key, as was intended. In Easy Digital Downloads that API “provides easy access to sales and product information in either jSON or XML format”.

20 Sep 2019

Vulnerability Details: Information Disclosure in Export Users to CSV

The latest version of the plugin Export Users to CSV doesn’t have a changelog, which it turns out is not the only issue with it. The Subversion commit for the new version does have a log entry, and that is “Security Updates”. Looking at the changes made in that version we found that the plugin previously saved files containing WordPress users’ data in a way that an attacker might be able to access.

12 Aug 2019

Vulnerability Details: Information Disclosure in Ninja Forms

One of the changelog entries for the latest version of Ninja Forms is headlined “Security” and says “Removed an outdated template that was localizing a couple server variables.” Looking at the changes made the only thing that we can see that seems to match that is the removal of the following code from the function output_templates() in the file /includes/Display/Render.php:

1 Aug 2019

Vulnerability Details: Information Disclosure in WP Shopify

The changelog for the latest version of the plugin WP Shopify seemed concerning, as it stated “Important security patch” and “If you’re currently on version 2.0 or later, please update as soon as possible”. In looking at the changes made in the new version we first noticed what looked to be a vulnerability that wasn’t fixed (more on that in our next post), and when we started looking into that we realized what the fixed vulnerability was. Through code registered with WordPress’ REST API, even those not logged in to WordPress could gain access to the API credentials for a Shopify store.

26 Jun 2019

Vulnerability Details: Privilege Escalation in WebP Converter for Media

As plugins’ usage of WordPress’ REST API increases, security issues related to that are increasing as well. The recently introduced plugin WebP Converter for Media is another example of that. One of the changelog entries for a recent version of it is “Securing access to REST API”. Looking at the changes made in that version we found that checks were added to restrict access to the plugin’s REST API endpoints, which previously anyone could access. It looks like those endpoints would allow getting a list of image files in the WordPress media library and converting image files stored there to the WebP format.

16 May 2019

GDPR Functionality in WordPress Plugin WP Live Chat Support Allows Anyone to Download Contents of Chats Handled Through It

Yesterday Sucuri disclosed a settings change vulnerability that leads to persistent cross-site scripting (XSS) in the plugin WP Live Chat Support, which was also fixed yesterday. That vulnerability is likely to be exploited soon. As we started looking over things while adding the vulnerabilities to our data set yesterday, so we could warn the customers of our service if they are using an impacted version, we found that there are multiple additional security issues caused in part by the same underlying security issue that was only partially fixed (yes, even the vulnerability that was fixed was only partially fixed). There is, for example, another settings change vulnerability, though one that doesn’t look to lead to a more serious vulnerability. What stood out more, both for its seriousness and for the type of functionality it is in, is an information disclosure vulnerability that exposes chat logs and metadata related to those chats to anyone, and it occurs through the plugin’s General Data Protection Regulation (GDPR) functionality. So functionality related to data protection does the opposite.

The GDPR functionality was already implicated in two vulnerabilities, based on the changelog entries for previous versions of the plugin:

15 May 2019

Information Disclosure Vulnerability in FV Player (FV Flowplayer Video Player)

Earlier today we noted a security company putting out inaccurate information on vulnerabilities in a WordPress plugin. That isn’t uncommon: while looking into who might have discovered a recent vulnerability, we found NinTechNet suggesting updating the plugin FV Player (FV Flowplayer Video Player) to version 7.3.13.727:

WordPress “FV Flowplayer Video Player” plugin (40,000+ active installations) fixed XSS vulnerability. Update to v7.3.13.727.

22 Apr 2019

Vulnerability Details: Information Disclosure in A2 Optimized WP

Several days after version 2.0.10.9 of the plugin A2 Optimized WP was released, the developer added the changelog entry for it, “Fixes security issue that may expose wp-config.php contents”, and an upgrade notice, “Important security update. Please upgrade immediately.” Looking at the changes made we found that the changelog entry accurately reflects what is at issue.
