18 Mar

Vulnerability Details: Option Update Vulnerability in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

11 Mar

Full Disclosure of Option Update Vulnerability in Woocommerce User Email Verification

On Friday we detailed a privilege escalation vulnerability in the plugin Woocommerce User Email Verification. While that is a very bad security vulnerability in terms of what could be done with it, it at least could be seen as a mistake as opposed to a failure to handle security in a fundamental way. That can’t be said about an option update vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory, which tries to catch serious vulnerabilities, spotted in the plugin at the same time.

[Read more]

08 Nov

Vulnerability Details: Option Update Vulnerability in WP GDPR Compliance

This post provides the details of a vulnerability in the WordPress plugin WP GDPR Compliance not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

18 Jul

Option Update Vulnerability in Form Lightbox

Recently, probably the most important way we have been finding new vulnerabilities in WordPress plugins, so that we can notify our customers and they can take appropriate measures to protect themselves, has been monitoring our websites for what looks to be probing for the usage of plugins. That usually indicates that a hacker is looking to exploit a vulnerability. Yesterday we had requests across our websites for the file /wp-content/plugins/form-lightbox/colorbox/style-1/colorbox.css, which is part of the plugin Form Lightbox, which according to wordpress.org has 10,000+ active installs.

[Read more]