11 Jan 2022

Vulnerability Details: Multiple in NotificationX

To provide a better service for our customers, we have started working to make sure we provide more complete data on vulnerabilities in the WordPress plugins they use. That led us to review a report of a vulnerability in NotificationX that we had not looked at before. We found that the claimed vulnerability did not really exist: it involved a broken security check, and that check did not appear to have been needed in the first place. Having noticed that, we checked whether the plugin might also have functionality where security checks were needed but not being done, and we found one instance of that. It had already been resolved by the time we looked, because a major rewrite of the plugin had replaced the functionality.


7 Jan 2022

Not Really a WordPress Plugin Vulnerability, Week of January 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that do not appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven't felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don't rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Cross-Site Request Forgery (CSRF) in NotificationX

With a claimed cross-site request forgery (CSRF) vulnerability in the plugin NotificationX, the claimed discoverer, NinTechNet, provides no explanation of why the functionality in question even needs protection against CSRF.