On Sunday we had probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to be vulnerable, we didn’t further check into what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
In reviewing reports of vulnerabilities to add them to our data, two of the important things we do are determining what type of vulnerability there actually is, as vulnerabilities are sometimes mislabeled, and checking to make sure that the vulnerability has actually been fixed. Those two came together when looking at a recent report of a local file inclusion (LFI) vulnerability in NextGEN Gallery.
All too often we see that very serious security issues are not treated with the significance they should be. What doesn’t help that situation is when security companies and others in the security community take relatively minor issues and try to make them into something much larger than they actually are. Let’s take a look at an example that we came across the other day while reviewing new reports of vulnerabilities in WordPress plugins.