22 Nov

Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the […]

30 Oct

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in PluginOps Page Builder

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. Contrary to what we have seen the WordPress focused security […]

26 Apr

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in Booking Calendar

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed […]

06 Apr

Vulnerability Details: Authenticated Local File Inclusion (LFI) Vulnerability in WordPress Ad Widget

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases […]

28 Oct

Local File Inclusion (LFI) Vulnerability in Simple Ads Manager

In a previous post we looked at a local file inclusion (LFI) vulnerability in the plugin SAM Pro (Free Edition), since that is described as successor to Simple Ads Manager (the plugin is currently removed from the Plugin Directory) we took a look to see if it also had the same vulnerability. As it turned out the […]

28 Oct

Local File Inclusion (LFI) Vulnerability in SAM Pro (Free Edition)

One of the reasons that we provide the details of vulnerabilities that we discover is because we have seen from our own experience (and others) that when reviewing those details you will often notice that the vulnerability has not been fully fixed or that there are additional related vulnerabilities. When those details don’t get released, then […]

20 Oct

Local File Inclusion (LFI) Vulnerability in InPost Gallery

One of the ways we keep track of vulnerabilities in WordPress plugins to provide our customers with the best data is by monitoring our websites for apparent activity by hackers. We recently had a request for a file from the plugin InPost Gallery, /wp-content/plugins/inpost-gallery/js/front.js. We don’t have that plugin installed on the website, so the request […]

14 Jul

Local File Inclusion (LFI) Vulnerability in MailPress

One of the things we do to protect our customers from vulnerabilities in WordPress plugins is to monitor our websites for activity indicating that someone is looking to exploit a vulnerability in a plugin. That recently has been allowing us to detect quite a few serious vulnerabilities that it looks like no one else is spotting, […]