This post provides the details of a vulnerability in the WordPress plugin NextGEN Gallery not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.
On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to vulnerable we didn’t further check in to what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.
As part of our daily monitoring of subversion log messages from the WordPress Plugin Directory for mentions of security fixes, we found that 10 plugins had mentions of security fixes yesterday, which is way out of line with what we normally see and hinted that there might be a common issue between the plugins. As we started trying to figure out what was going on, we noticed that many of them were updating a third-party library Freemius, which is described as a”[m]onetization, analytics, and marketing automation platform”. In looking in to that we noticed that Freemius was citing WP Security Audit Log as using their library. With one of those plugins, looking at the changes made, we saw the possibility that a major vulnerability had been fixed. Further checking confirmed that an authenticated option update vulnerability was fixed, which would allow anyone with access to a WordPress account to take over a website and is a type of vulnerability hackers have tried to exploit widely in the past so there is likely to be plenty of attempts due to this. [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet): [Read more]
In reviewing reports of vulnerabilities to add them to our data, two of the important things we do is determining what type of vulnerability there actually is, as sometimes vulnerabilities are mislabeled, and we also check to make sure that vulnerability has actually been fixed. Those two can together when looking at a recent report of a local file inclusion (LFI) vulnerability in NextGEN Gallery.
Worth noting before we get in to the details is that the changelog entry for the version that was supposed to fix this, 2.1.57, lacked any mention of a security update. [Read more]
All too often we see that very serious security issues are not treated with the significance they should. What doesn’t help that situation is when security companies and other in the security community take relatively minor issues and try to make them in to something much larger than they actually are. Let’s take a look at an example that we came across the other day while reviewing new reports of vulnerabilities in WordPress plugins.
A company named Cyber Security Works put out a report claiming there is a “High” risk cross-site scripting vulnerability in the NextGEN Gallery plugin. The vulnerability report describes it as such: [Read more]