13 Feb 2019

The Missing Story About WordPress Plugin Developers’ Failure To Make Sure Their Plugins Are Secure

Coverage of WordPress plugin vulnerabilities is rather poor, and coverage of an authenticated option update vulnerability in the plugin Simple Social Buttons, disclosed on Monday, was no exception. For example, you had a security journalist who frequently spreads false and misleading information, Catalin Cimpanu, make this statement about WordPress:

Some sites are inherently protected against this vulnerability, as their admins have already blocked user registration due to security reasons. [Read more]

26 Nov 2018

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in LoginPress

One of the changelog entries for version 1.1.14 of LoginPress is “Enhancement: Important Security update.” Looking at the changes made in that version, we found that a number of security changes were made. There may be something more serious that we didn’t notice, but what we noticed that seems of most concern is that previously the import functionality of the plugin was accessible to anyone logged in to WordPress and lacked protection against cross-site request forgery (CSRF). That could have been used to cause persistent cross-site scripting (XSS) by changing the plugin’s settings. A similar issue in a more popular plugin has recently drawn the interest of hackers.
[Read more]
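Both excerpts above describe the same class of bug: a settings import or option update handler that any logged-in user can reach and that carries no CSRF protection, so either a low-privileged account or a forged request from an administrator's browser can write attacker-controlled values into an option that is later echoed into a page. The following is an added illustration of that pattern and its fix in generic WordPress plugin code; it is not the code of LoginPress or Simple Social Buttons, and the hook name `plugin_import_settings`, the option name `plugin_settings` and the field names `logo_url` and `custom_css` are hypothetical.

```php
<?php
// Added example, not from the original page or either plugin. Hook, option and
// field names are hypothetical placeholders.

// --- Vulnerable pattern ------------------------------------------------------
// wp_ajax_* handlers in admin-ajax.php are reachable by every authenticated
// user, whatever their role. With no capability check and no nonce, a
// subscriber can call this directly, and a CSRF page can make an
// administrator's browser submit it. The imported data goes to the database
// unsanitized, so anything that later outputs it unescaped is persistent XSS.
add_action( 'wp_ajax_plugin_import_settings', 'vulnerable_import_settings' );
function vulnerable_import_settings() {
    $data = json_decode( wp_unslash( $_POST['settings'] ), true );
    update_option( 'plugin_settings', $data );
    wp_send_json_success();
}

// Typical sink for such a setting: echoing it into the page as-is. A
// "custom_css" value of "</style><script>...</script>" breaks out of the
// style element.
function vulnerable_output_settings() {
    $settings = get_option( 'plugin_settings', array() );
    echo '<style>' . ( $settings['custom_css'] ?? '' ) . '</style>';
}

// --- Hardened version --------------------------------------------------------
add_action( 'wp_ajax_plugin_import_settings', 'hardened_import_settings' );
function hardened_import_settings() {
    // 1. Authorization: only users allowed to manage site options. Being
    //    logged in is not enough; check the capability, not the role.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: require the nonce issued to the legitimate admin page. This
    //    dies with a 403 if the "nonce" POST field is missing or invalid.
    check_ajax_referer( 'plugin_import_settings', 'nonce' );

    // 3. Input validation: never store the decoded blob wholesale. Rebuild
    //    the option from an allow-list of known fields, each sanitized for
    //    the context it will be used in.
    $raw = json_decode( wp_unslash( $_POST['settings'] ?? '' ), true );
    if ( ! is_array( $raw ) ) {
        wp_send_json_error( 'invalid import payload', 400 );
    }
    $clean = array(
        'logo_url'   => esc_url_raw( (string) ( $raw['logo_url'] ?? '' ) ),
        // Strip tags so a value cannot close the <style> element it is placed in.
        'custom_css' => wp_strip_all_tags( (string) ( $raw['custom_css'] ?? '' ) ),
    );

    update_option( 'plugin_settings', $clean );
    wp_send_json_success( $clean );
}

// 4. Output escaping as defence in depth, in case an older unsanitized value
//    is still stored or another code path writes the option.
function hardened_output_settings() {
    $settings = get_option( 'plugin_settings', array() );
    echo '<style>' . wp_strip_all_tags( (string) ( $settings['custom_css'] ?? '' ) ) . '</style>';
    echo '<img src="' . esc_url( $settings['logo_url'] ?? '' ) . '" alt="">';
}

// The nonce the hardened handler expects is created on the plugin's own admin
// page and handed to its JavaScript, e.g. via wp_localize_script():
//   wp_create_nonce( 'plugin_import_settings' )
```

When auditing a plugin for this issue, look at every `wp_ajax_*`, `admin_post_*` and REST callback that ends in `update_option()` and confirm all three of the checks above are present; a `wp_ajax_nopriv_*` registration on the same handler would additionally open it to unauthenticated requests. Note that a nonce alone does not fix the privilege problem (a subscriber can obtain a valid nonce if the issuing page is reachable to them), and a capability check alone does not fix CSRF, so the fix needs both.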