7 Nov 2022

Open Redirect Vulnerability in WordPress Plugin Photo Gallery

One of the changelog entries for the latest version of the WordPress plugin Photo Gallery is “Fixed: Open Redirect and XSS Reflected vulnerability.” Looking at the changes made in that version and then doing some testing, we found that the open redirect vulnerability hasn’t been fixed.


[Read more]

8 Oct 2019

Vulnerability Details: Open Redirect in All In One WP Security

The changelog for the latest version of the plugin All In One WP Security (All In One WP Security & Firewall) is “Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)”. The entry on the WPScan Vulnerability Database for that contains almost no information and has this for the proof of concept: “The PoC will be displayed on October 22, 2019, to give users the time to update.” It is unclear what the point of that would be, since that would be too late to be all that useful, say if the vulnerability hasn’t been properly fixed, as hackers would already be taking advantage of the vulnerability. At the same time, we have a hard time believing anybody looking to exploit this would have any trouble figuring out how to exploit it just by looking at the relevant changes made to the plugin, considering it took us around a minute.


[Read more]

7 Aug 2019

Open Redirect Vulnerability in JSON API

In looking over some of the instances where plugins have been run through our Plugin Security Checker tool and have been flagged for possibly containing open redirect vulnerabilities, what we have usually found is that these lead to vulnerabilities that are limited in scope, say the redirect can only occur for logged in Administrators. With the plugin JSON API, which someone checked with the tool recently, there isn’t any restriction.

The plugin registers the function template_redirect() to run during template_redirect, so when frontend pages load: [Read more]

18 Dec 2017

Open Redirect Vulnerability in SagePay Server Gateway for WooCommerce

Recently Ricardo Sanchez disclosed a reflected cross-site scripting (XSS) vulnerability in the plugin SagePay Server Gateway for WooCommerce. When we went to test that out while adding the vulnerability to our data set, we noticed a strange result. The proof of concept URL was

/wp-content/plugins/sagepay-server-gateway-for woocommerce/includes/pages/redirect.php?page=</script>”><script>alert(“R1XS4.COM”)</script> [Read more]

23 Jan 2017

Open Redirect Vulnerability in moreAds SE

We have recently been increasing the number of new vulnerabilities we include in our data through better monitoring of changes made to plugins, so that in more cases where there hasn’t been a report released on the vulnerability we can still include the vulnerability. Combined with that, we have increased the number of posts we have put out detailing those vulnerabilities. Seeing as we often find that vulnerabilities have been only partially fixed or not fixed at all, that also is likely to mean we will find more vulnerabilities that haven’t been fixed, despite an attempt to do so.

That was the case when we looked into a reflected cross-site scripting vulnerability in the plugin moreAds SE. First we noticed that the vulnerability had not been fixed, but then we noticed that there was another vulnerability in the same code. [Read more]