18 Mar 2019

Vulnerability Details: Information Disclosure in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. Looking at the changes made in that version we found that as of the previous version even someone not logged in to WordPress could export all of the plugin’s settings, which would include the login details for an SMTP server.



18 Mar 2019

Vulnerability Details: Information Disclosure in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. Looking at the changes made in that version the first thing we saw was an information disclosure vulnerability that provided anyone access to the debug log for the plugin, though that logging is not enabled by default.



25 Feb 2019

Vulnerability Details: Information Disclosure in WP Database Backup

The changelog for the latest version of WP Database Backup is “Fixed Vulnerability”. Looking at the changes made in that version we found that what was fixed was an information disclosure vulnerability that exposed the access token used when saving backups to Google Drive.



29 Nov 2018

Vulnerability Details: Information Disclosure Vulnerability in User Spam Remover

In tomorrow’s Not Really a WordPress Plugin Vulnerability post we will be mentioning a number of false reports of vulnerabilities from someone going by “KingSkrupellos from Cyberizm Digital Security”, who doesn’t seem to really understand what they are writing about, but in the case of their claim of a “database backup disclosure vulnerability” in User Spam Remover, they did identify a security issue, though not quite the one they are claiming. While they claim a file generated by the plugin at /wp-content/plugins/user-spam-remover/log/userspamremover.restore.sql is a “database backup”, it actually is a log of any users removed by the plugin, which includes the database entries for those users. Since it is intended to contain spam accounts, the value of the information stored in it would seem to be somewhat limited in most instances. There is also an activity log stored by default at /wp-content/plugins/user-spam-remover/log/userspamremover.log.



10 May 2018

Information Disclosure Vulnerability in Google Drive for WordPress (wp-google-drive)

Yesterday we had a request on this website for a file that would be at /wp-content/plugins/wp-google-drive/gdrive-ajaxs.php, which is a file from the plugin Google Drive for WordPress (wp-google-drive). Just about a month ago we had provided more details on an arbitrary file deletion vulnerability in that plugin, which had been incorrectly labeled by the discoverer, Lenon Leite, as being a remote code execution (RCE) vulnerability. When exploiting that vulnerability you would send a request to that particular file, but based on past experience, that type of vulnerability is not one that hackers would likely be interested in exploiting. While hackers’ level of interest in that type of vulnerability could have changed, what seems more likely is that someone was either thinking it was an RCE vulnerability, since those have been likely to be exploited in the past, or there was something else that a hacker realized was exploitable in that plugin that would be of more interest.

In looking at what else was accessible through that file we didn’t see anything that looked likely to be exploited, but we did notice another vulnerability.

19 Dec 2017

Is This What a Hacker Would Be Targeting the Table Maker Plugin For?

Last week we mentioned that we had recently seen what looked to be probing for the usage of the SendinBlue Subscribe Form And WP SMTP plugin and another plugin. That other plugin is Table Maker, for which we had been seeing requests for its readme.txt like this: /wp-content/plugins/table-maker/readme.txt. One of the few possible explanations for requests like that is that someone is probing for usage of the plugin to know what websites to exploit through a vulnerability in the plugin.

In SendinBlue we found a SQL injection vulnerability that matches claims of hackers targeting SQL injection vulnerabilities in code whose result is then passed to the unserialize() function. We have yet to see any evidence that the claims are true, but whether they are true or not, it might explain a hacker’s interest (hackers have been known to target vulnerabilities that don’t actually exist). In looking over Table Maker we found several security issues involving code around a similar issue, but we didn’t find something that would be obvious for a hacker to exploit. If you see some other issue that hackers might be targeting we would love to hear about it.

8 Dec 2017

It Would Probably Be a Good Idea to Be Moving Off of the Captcha WordPress Plugin

The takeover of popular WordPress plugins and their subsequent use for nefarious purposes has been a major issue when it comes to the security of WordPress plugins this year. Even if the takeover is not done with malicious purposes in mind, a new developer that doesn’t know what they are doing can take an otherwise relatively secure plugin and in a short time make tens or hundreds of thousands of websites insecure. At least that latter issue is true of the plugin Captcha.

The plugin Captcha has 300,000+ active installations according to WordPress.org, including this website and another of ours. Back in July the plugin was handed over from the previous developer, BestWebSoft, to another entity. Then in September an update to the plugin caused the admin area of our other website using the plugin to stop functioning, and we were not alone in that. It was only at that point that BestWebSoft mentioned that ownership had been transferred, though the new developer isn’t named: