One of the ways we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a local file inclusion (LFI) vulnerability being added into the plugin Sina Extension for Elementor.
One of the things we do during security reviews of WordPress plugins is to check whether .php files that are not intended to be accessed directly are protected against direct access. When such a file is requested directly, WordPress itself is not loaded, so none of the capability or nonce checks that rely on WordPress functions are available to it. Usually the lack of that protection makes no difference, but it is an easy way to avoid or limit vulnerabilities, like the local file inclusion (LFI) vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory caught in the plugin Revamp CRM for WooCommerce.
As we have noted already this week, we have just made a major improvement to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins. That built on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. Again it has identified a fairly serious vulnerability, this time a local file inclusion (LFI) vulnerability in the plugin WP Payeezy Pay. This vulnerability had gone unnoticed for over two years.
This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker, since it would already have notified you of this possible issue if you had checked the plugin.
One of the things that you get when using our data on vulnerabilities in WordPress plugins, either through our long-time service or our new newsletters, instead of trying to do things on your own or using lower quality data sources, is that we actually check over the reports and provide accurate information on them. For a fair number of reports the original discloser has provided inaccurate information about the vulnerability (or there isn't even a vulnerability).
One area where we see a lot of confusion, whether among members of the security community or hackers, is the difference between arbitrary file viewing and local file inclusion (LFI) vulnerabilities. With arbitrary file viewing the contents of the chosen file are returned to the requester; with LFI the chosen file is passed to PHP's include, so any PHP code in it executes, which is why LFI can lead to remote code execution and file viewing alone cannot. A recent example where things got quite mixed up, and where other data sources would have led you astray, involved two vulnerabilities disclosed by Manuel Garcia Cardenas a couple of weeks ago.
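The following is an added example, not code from any of the plugins discussed on this page. It puts the three cases mentioned above side by side: an arbitrary file viewing flaw, an LFI flaw of the kind that appears when a user-specified value is used in an include (the change described further down for SAM Pro and Simple Ads Manager), and a hardened version that combines the direct-access guard with an allowlist. The template directory, the `file` and `template` parameters and the allowlist entries are hypothetical.

```php
<?php
// Added example, not code from any plugin discussed on this page. The template
// directory, parameter names and allowlist are hypothetical.

// 1. Direct-access guard. WordPress defines ABSPATH when it loads, so a request made
//    straight to /wp-content/plugins/<plugin>/this-file.php arrives with it undefined
//    and with none of WordPress's capability or nonce checks available. Exiting here
//    stops such a request before any code below runs. (The CLI allowance exists only
//    so this stand-alone example can be run from the command line; a plugin file just exits.)
if (!defined('ABSPATH') && PHP_SAPI !== 'cli') {
    exit;
}

// 2. Arbitrary file viewing: the requested file is read and returned, never executed.
//    An attacker can fetch wp-config.php (database credentials) but cannot run code.
function vulnerable_file_viewing(string $base): void {
    $file = $_GET['file'] ?? '';                 // e.g. ../../../../wp-config.php
    readfile($base . '/' . $file);
}

// 3. Local file inclusion: include executes any PHP in the target, so a file the
//    attacker controls (an "image" upload containing PHP, a poisoned log) becomes
//    code execution. Traversal with ".." escapes the template directory.
function vulnerable_lfi(string $base): void {
    $template = $_GET['template'] ?? 'default';  // e.g. ../../../../uploads/2019/08/shell
    include $base . '/' . $template . '.php';
}

// 4. Hardened: only names from a fixed allowlist are ever included. The user value
//    selects an entry; it is never concatenated into the path unchecked.
function safe_include(string $base, string $requested): bool {
    static $allowed = ['default', 'grid', 'list'];   // hypothetical template names
    if (!in_array($requested, $allowed, true)) {
        return false;                                // unknown template: refuse, do not guess
    }
    include $base . '/' . $requested . '.php';
    return true;
}

// When an allowlist is impractical (user-named files inside one directory), resolve
// both paths with realpath() and require the candidate to stay under the base.
// realpath() returns false for files that do not exist, which is also a deny.
function path_inside(string $base, string $candidate): bool {
    $realBase = realpath($base);
    $real     = realpath($candidate);
    if ($realBase === false || $real === false) {
        return false;
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $real === $realBase || strncmp($real, $prefix, strlen($prefix)) === 0;
}

// Stand-alone demonstration with a constructed template directory.
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($base . '/templates', 0700, true);
    file_put_contents($base . '/templates/default.php', "<?php echo \"default template\\n\";\n");
    file_put_contents($base . '/secret.php', "<?php echo \"SHOULD NEVER RUN\\n\";\n");

    $templates = $base . '/templates';
    printf("allowed name:      %s\n", safe_include($templates, 'default') ? 'included' : 'refused');
    printf("traversal attempt: %s\n", safe_include($templates, '../secret') ? 'included' : 'refused');
    printf("inside base:       %s\n", path_inside($templates, $templates . '/default.php') ? 'yes' : 'no');
    printf("escapes base:      %s\n", path_inside($templates, $templates . '/../secret.php') ? 'yes' : 'no');

    unlink($templates . '/default.php');
    unlink($base . '/secret.php');
    rmdir($templates);
    rmdir($base);
}
```

The allowlist is the preferable fix: a reviewer can see every file that can ever be included. The realpath() check is the fallback for genuinely dynamic file names; note that it must be applied to the fully built path, after every concatenation, since checking the raw parameter for ".." misses encoded or platform-specific variants.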
Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving it we have been logging any issues the tool identifies in plugins in the Plugin Directory (we don't log the results for other plugins) and checking some of those to see how good the tool is at identifying real issues.
In one instance, which we will describe in more detail once the developer has had a chance to fix the vulnerability, a possible issue identified by the tool turned out not to be an issue, but it did indicate generally poor handling of security within the plugin, and we then found that the plugin had a fairly serious vulnerability. In another instance the tool identified a pretty serious issue in a plugin.
This post provides the details of a vulnerability in the WordPress plugin PluginOps Page Builder not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
This post provides the details of a vulnerability in the WordPress plugin Booking Calendar not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
This post provides the details of a vulnerability in the WordPress plugin WordPress Ad Widget not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition). Since that plugin is described as the successor to Simple Ads Manager (which is currently removed from the Plugin Directory), we took a look to see if Simple Ads Manager also had the same vulnerability. As it turned out, it was not really vulnerable until the same change made to try to fix the issue in SAM Pro (Free Edition) was made to this plugin as well.
In the prior version you can see that the file to be included was not user specified (as seen in the file /sam-ajax-admin.php).
One of the reasons that we provide the details of vulnerabilities that we discover is that we have seen from our own experience (and others') that when reviewing those details you will often notice that the vulnerability has not been fully fixed or that there are additional related vulnerabilities. When those details don't get released, those issues can remain in the plugin, as something we just looked into shows.
On Wednesday we had a request for a file, /wp-content/plugins/sam-pro-free/js/sam.pro.dialog.js, from the plugin SAM Pro (Free Edition) on one of our websites. Since we don't have that plugin installed, that is likely an indication that a hacker is probing for usage of the plugin before exploiting something in it. We didn't have any vulnerabilities in this plugin in our dataset, so we went looking to see if any had been disclosed. We found a number of pages that all related to a YouTube video, Demo Exploiting Sam Pro Free WordPress Plugin LFI to RCE. The video doesn't really show you anything, so it wasn't clear if this related to an actual vulnerability or not. Next we looked over the changelog for the plugin and saw that in version 1.9.55 one of the entries was "Possible vulnerability was excluded". Looking over the changes made between the previous version in the changelog and that version, there were a number of security related changes. Those included restricting direct access to a number of the files in the plugin, sanitizing some user input, and changes related to a user-specified value being used when including a file.
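The reasoning above, that a request for an asset of a plugin the site does not run has no legitimate origin and is therefore a fingerprinting probe, generalises to any plugin. The script below is an added example, not code from this post or from any plugin, that applies it to access log lines. The log lines are constructed; the only path taken from the post is /wp-content/plugins/sam-pro-free/js/sam.pro.dialog.js, and the `akismet` and `another-plugin` slugs stand in for whatever a given site does and does not have installed.

```php
<?php
// Added example, not code from the post above. The log lines are constructed; the
// only real path is the one the post mentions. Generalises the post's observation:
// a request for an asset of a plugin not installed on this site is a probe.

/**
 * Scan combined-format access log lines and return requests for plugin assets whose
 * plugin slug is not in $installed. Each hit is [ip, slug, path, status].
 */
function find_plugin_probes(array $lines, array $installed): array {
    $installed = array_fill_keys($installed, true);
    $hits = [];
    foreach ($lines as $line) {
        // ip ident user [time] "METHOD target HTTP/x" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;                                   // not a request line we understand
        }
        [, $ip, $target, $status] = $m;
        $path = explode('?', $target, 2)[0];            // drop the query string
        $path = rawurldecode($path);                    // %2e-style encoding still maps to a slug
        if (!preg_match('#^/wp-content/plugins/([^/]+)/#', $path, $p)) {
            continue;                                   // not a plugin asset
        }
        $slug = $p[1];
        if (isset($installed[$slug])) {
            continue;                                   // our own plugin: expected traffic
        }
        $hits[] = ['ip' => $ip, 'slug' => $slug, 'path' => $path, 'status' => (int) $status];
    }
    return $hits;
}

// Constructed log lines: the probe the post describes, a normal request for an
// installed plugin, an unrelated page view, and a second probe from the same address.
$sample = [
    '203.0.113.7 - - [14/Aug/2019:10:02:11 +0000] "GET /wp-content/plugins/sam-pro-free/js/sam.pro.dialog.js HTTP/1.1" 404 285 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Aug/2019:10:02:15 +0000] "GET /wp-content/plugins/akismet/_inc/akismet.js?ver=4.1 HTTP/1.1" 200 1287 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Aug/2019:10:02:16 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Aug/2019:10:02:19 +0000] "GET /wp-content/plugins/another-plugin/readme.txt HTTP/1.1" 404 285 "-" "Mozilla/5.0"',
];

$installed = ['akismet'];                               // assumption: the plugins this site actually runs

foreach (find_plugin_probes($sample, $installed) as $hit) {
    printf("%s probed for %s (%s -> %d)\n", $hit['ip'], $hit['slug'], $hit['path'], $hit['status']);
}
```

Feeding the installed list from the real `wp-content/plugins` directory rather than a hard-coded array keeps the check honest as plugins are added or removed. Probes for plugins you do not run are not a threat to the site itself; their value is the same as in the post: they tell you which plugins are currently being targeted, and therefore which ones to look at for undisclosed or recently fixed vulnerabilities if you do run them elsewhere.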