26 Jul 2019

Here’s A Bit of the Real Cost of the WPScan Vulnerability Database’s Data

With our service we warn our customers if WordPress plugins they use contain publicly known vulnerabilities (many of which we have also discovered). By the time we warn them we have already confirmed that there is an issue, and we are available if they have any questions about dealing with it (say, if the plugin has been closed on the Plugin Directory, so they can't easily update to a fixed version). With a competing data source, the WPScan Vulnerability Database, neither of those things happens, and instead all sorts of unnecessary headaches are caused. We saw one such example yesterday.

Through an email alert we have set up for the WordPress Support Forum, which lets us know about discussions possibly related to vulnerabilities in plugins, we were alerted to this message: [Read more]

19 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 19

In reviewing reports of vulnerabilities in WordPress plugins, to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports of things that don't appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven't felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don't rise to the level of getting their own post, we now collect them in a weekly post as we come across them.

Persistent Cross-Site Scripting in OneSignal Push Notifications

If there had actually been a persistent cross-site scripting (XSS) vulnerability in the plugin OneSignal Push Notifications as claimed, that would be a big deal, as that is the kind of vulnerability that is fairly likely to be exploited, and the plugin has 100,000+ installs. No explanation of the vulnerability beyond a proof of concept was provided. The first thing we noticed that raised questions about this was the URL that the request to exploit it would be sent to: [Read more]