06 Dec

Our Improved Proactive Monitoring Has Now Caught a Local File Inclusion (LFI) Vulnerability As Well

As we have noted already this week, we have just made a major improvement to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins, which built on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. Again it has identified a fairly serious vulnerability, this time a local file inclusion (LFI) vulnerability in the plugin WP Payeezy Pay. This vulnerability has gone unnoticed for over two years.

[Read more]

01 Oct

It’s No Wonder Security Is In Such Bad Shape When the Security Community Doesn’t Understand the Basics of Vulnerability Types

One of the things that you get when using our data on vulnerabilities in WordPress plugins either through our long time service or our new newsletters instead of trying to do things on your own or using lower quality data sources, is that we actually check over the reports and provide an accurate information on them. For a fair amount of reports the original discloser has provided inaccurate information about the vulnerability (or there isn’t even a vulnerability).

[Read more]

22 Nov

Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the results for other plugins) and checking some of those to see how well the tool is in identifying real issues.

[Read more]

30 Oct

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in PluginOps Page Builder

This post provides the details of a vulnerability in the WordPress plugin PluginOps Page Builder not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

26 Apr

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in Booking Calendar

This post provides the details of a vulnerability in the WordPress plugin Booking Calendar not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

06 Apr

Vulnerability Details: Authenticated Local File Inclusion (LFI) Vulnerability in WordPress Ad Widget

This post provides the details of a vulnerability in a WordPress plugin not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

28 Oct

Local File Inclusion (LFI) Vulnerability in Simple Ads Manager

In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition), since that is described as successor to Simple Ads Manager (the plugin is currently removed from the Plugin Directory) we took a look to see if it also had the same vulnerability. As it turned out the plugin was not really vulnerable until the same change made to try to fix the issue in SAM Pro (Free Edition), was made to this plugin.

[Read more]

28 Oct

Local File Inclusion (LFI) Vulnerability in SAM Pro (Free Edition)

One of the reasons that we provide the details of vulnerabilities that we discover is because we have seen from our own experience (and others) that when reviewing those details you will often notice that the vulnerability has not been fully fixed or that there are additional related vulnerabilities. When those details don’t get released, then those issues can remain in the plugin, as something we just looked into shows.

[Read more]

20 Oct

Local File Inclusion (LFI) Vulnerability in InPost Gallery

One of the ways we keep track of vulnerabilities in WordPress plugins to provide our customers with the best data is by monitoring our websites for apparent activity by hackers. We recently had a request for a file from the plugin InPost Gallery, /wp-content/plugins/inpost-gallery/js/front.js. We don’t have that plugin installed on the website, so the request would likely be from someone probing for usage of the plugin. In looking over the plugin for something that hackers might target, we found a couple of vulnerabilities and some additional security issues. We are not sure if either of the vulnerabilities we found are are what the hacker was looking for or if there is still some other issue lurking in the plugin.

[Read more]

14 Jul

Local File Inclusion (LFI) Vulnerability in MailPress

One of the things we do to protect our customers from vulnerabilities in WordPress plugins is to monitor our websites for activity indicating that someone is looking to exploit a vulnerability in a plugin. That recently has been allowing us to detect quite a few serious vulnerabilities that it looks like no one else is spotting, so our service is the only one that actual provides you any warning and therefore any protection against them until they are fixed.

[Read more]