01 Oct

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Download Plugins and Themes from Dashboard

This post provides the details of a vulnerability in the WordPress plugin Download Plugins and Themes from Dashboard that was not discovered by us. The discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is affected by it. [Read more]

30 Sep

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Easy Pixels by JEVNET

This post provides the details of a vulnerability in the WordPress plugin Easy Pixels by JEVNET that was not discovered by us. The discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is affected by it. [Read more]

21 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in WPeMatico RSS Feed Fetcher

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There seems to be an ongoing hacker campaign exploiting previously undisclosed vulnerabilities, as in the past couple of weeks there have been eight plugins that we have seen hackers newly probing for, and number nine is WPeMatico RSS Feed Fetcher (WPeMatico), for which there was probing on our website today by requesting these files:

  • /wp-content/plugins/wpematico/readme.md
  • /wp-content/plugins/wpematico/readme.txt
  • /wp-content/plugins/wpematico/app/js/campaign_wizard.js

In looking at the plugin we found that, like a number of the other plugins, it contains a persistent cross-site scripting (XSS) vulnerability. [Read more]

21 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in DELUCKS SEO

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There seems to be an ongoing hacker campaign exploiting previously undisclosed vulnerabilities, as in the past couple of weeks there have been seven plugins that we have seen hackers newly probing for, and today we saw number eight, DELUCKS SEO, for which there was probing on our website by requesting these files:

  • /wp-content/plugins/delucks-seo/readme.txt
  • /wp-content/plugins/delucks-seo/assets/tagEditor/readme.md

In looking at the plugin we found that, like a number of the other plugins, it contains a persistent cross-site scripting (XSS) vulnerability. There appear to be other related security issues as well. [Read more]

19 Sep

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Apply Online 2.0

This post provides the details of a vulnerability in the WordPress plugin Apply Online 2.0 that was not discovered by us. The discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is affected by it. [Read more]

18 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in Social Metrics Tracker

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins. Last week, through that, we found two plugins with unfixed vulnerabilities that hackers would likely target. With a third plugin, someone else had figured out what hackers would likely target before us (we are making changes to our process to improve our ability to quickly spot issues like that one). On Monday we disclosed a couple more unfixed vulnerabilities based on plugins we saw probed for earlier this week. And we are having to do that again, as today we saw an apparent hacker probing for usage of the plugin Social Metrics Tracker by requesting these files:

  • /wp-content/plugins/social-metrics-tracker/readme.txt
  • /wp-content/plugins/social-metrics-tracker/js/social-metrics-tracker.js

Like a number of the previous plugins, this one has a number of apparent security issues. There is the possibility of a reflected cross-site scripting (XSS) vulnerability flagged by our Plugin Security Checker, but the most serious obvious vulnerability we found was a persistent cross-site scripting (XSS) vulnerability. That was an issue with some of the previous plugins, and some others had an authenticated variant of it, so that might be what hackers are looking to exploit here. [Read more]

16 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in Poll, Survey, Form & Quiz Maker by OpinionStage

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins. Last week, through that, we found two plugins with unfixed vulnerabilities that hackers would likely target. With a third plugin, someone else had figured out what hackers would likely target before us (we are making changes to our process to improve our ability to quickly spot issues like that one). Earlier today we disclosed another unfixed vulnerability based on a plugin we saw probed for yesterday. And we are having to do that again, as today we saw an apparent hacker probing for usage of the plugin Poll, Survey, Form & Quiz Maker by OpinionStage by requesting these files:

  • /wp-content/plugins/social-polls-by-opinionstage/readme.txt
  • /wp-content/plugins/social-polls-by-opinionstage/admin/js/menu-page.js
  • /wp-content/plugins/social-polls-by-opinionstage/assets/content-popup/index.js

In looking into what the hacker might be interested in exploiting, we first found that the code is quite insecure, and then within a few minutes we found a persistent cross-site scripting (XSS) vulnerability in the current version of the plugin that is similar to vulnerabilities hackers have widely exploited recently and very similar to the vulnerability we mentioned earlier today. There look to be additional vulnerabilities, so the plugin should be more thoroughly reviewed and secured before being used. [Read more]

16 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in Simple Fields

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins. Last week, through that, we found two plugins with unfixed vulnerabilities that hackers would likely target. With a third plugin, someone else had figured out what hackers would likely target before us (we are making changes to our process to improve our ability to quickly spot issues like that one). With a new week comes another instance of this. Yesterday we had an apparent hacker probing for usage of the plugin Simple Fields, which has 10,000+ installs, by requesting the following files:

  • /wp-content/plugins/simple-fields/scripts.js
  • /wp-content/plugins/simple-fields/readme.md

In looking into what the hacker might be interested in exploiting, we found right away that there is a persistent cross-site scripting (XSS) vulnerability in the current version of the plugin that is similar to vulnerabilities hackers have widely exploited recently. We saw other insecure code in the plugin and there look to be additional vulnerabilities, so the plugin should be more thoroughly reviewed and secured before being used. [Read more]
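The probing pattern described in this and the other posts above (readme.txt or readme.md plus one plugin-specific .js file, requested directly) is easy to pick out of a web server's access log, because no browser fetches a plugin's readme and a browser only fetches a plugin's script while loading a page on the site, so it sends a Referer from that site. The status code then tells the requester what the attacker learns: 200 confirms the plugin is installed, 404 says it is not. The following script is an added example written for this page, not code from the original posts or from any plugin named in them. The log lines are constructed in combined log format for the example (the IP addresses are from documentation ranges; the paths are the ones listed in the posts), and the site hostname and function names are our own.

```php
<?php
// Added example (not from the original posts or any plugin): flag hosts that
// fingerprint WordPress plugins via readme/asset requests under /wp-content/plugins/.

// Constructed sample access log (combined format). 203.0.113.7 probes two plugins
// with no Referer; 198.51.100.4 is an admin loading a plugin script normally.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [16/Sep/2019:10:01:02 +0000] "GET /wp-content/plugins/simple-fields/scripts.js HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2019:10:01:02 +0000] "GET /wp-content/plugins/simple-fields/readme.md HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2019:10:01:03 +0000] "GET /wp-content/plugins/social-polls-by-opinionstage/readme.txt HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Sep/2019:10:01:03 +0000] "GET /wp-content/plugins/social-polls-by-opinionstage/admin/js/menu-page.js HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2019:10:05:00 +0000] "GET /wp-admin/admin.php?page=opinionstage HTTP/1.1" 200 51200 "https://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [16/Sep/2019:10:05:01 +0000] "GET /wp-content/plugins/social-polls-by-opinionstage/admin/js/menu-page.js HTTP/1.1" 200 4410 "https://example.com/wp-admin/admin.php?page=opinionstage" "Mozilla/5.0"
LOG;

/** Parse one combined-format log line into its fields; null if it does not match. */
function parse_log_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['host' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int) $m[5], 'referer' => $m[6]];
}

/**
 * Classify a request path as a plugin probe candidate. Returns [slug, kind],
 * kind being 'readme' (readme.txt/readme.md directly under the plugin directory)
 * or 'asset' (any .js file under it), or null for anything else.
 */
function classify_plugin_request(string $path): ?array
{
    $path = explode('?', $path, 2)[0]; // ignore any query string
    if (!preg_match('#^/wp-content/plugins/([a-z0-9_.-]+)/(.+)$#i', $path, $m)) {
        return null;
    }
    $slug = strtolower($m[1]);
    $rest = strtolower($m[2]);
    if ($rest === 'readme.txt' || $rest === 'readme.md') {
        return [$slug, 'readme'];
    }
    if (substr($rest, -3) === '.js') {
        return [$slug, 'asset'];
    }
    return null;
}

/**
 * Per suspicious host: which plugins it probed, the paths used, and whether the
 * server confirmed the plugin as installed (HTTP 200). Asset requests carrying a
 * Referer from this site are treated as normal page loads and skipped.
 */
function find_probing_hosts(string $log, string $site_host = 'example.com'): array
{
    $result = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parse_log_line($line);
        if ($rec === null || ($cls = classify_plugin_request($rec['path'])) === null) {
            continue;
        }
        [$slug, $kind] = $cls;
        $from_site = $rec['referer'] !== '-'
            && parse_url($rec['referer'], PHP_URL_HOST) === $site_host;
        if ($kind === 'asset' && $from_site) {
            continue;
        }
        $entry = &$result[$rec['host']][$slug];
        $entry['paths'][] = $rec['path'];
        $entry['installed'] = ($entry['installed'] ?? false) || $rec['status'] === 200;
        unset($entry);
    }
    return $result;
}

if (PHP_SAPI === 'cli') {
    foreach (find_probing_hosts(SAMPLE_LOG) as $host => $plugins) {
        foreach ($plugins as $slug => $info) {
            printf("%s probed %s (%s): %s\n", $host, $slug,
                $info['installed'] ? 'installed, 200 returned' : 'not installed',
                implode(', ', $info['paths']));
        }
    }
}
```

Run from the command line, the sample reports 203.0.113.7 probing simple-fields (not installed) and social-polls-by-opinionstage (installed), and nothing for 198.51.100.4. Point it at a real log by replacing SAMPLE_LOG with file_get_contents() of the access log and setting the site hostname; the 200 results are the list of plugins the prober now knows you run, which is where to start checking for unfixed vulnerabilities.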

11 Sep

Persistent Cross-Site Scripting (XSS) Vulnerability in Travelpayouts

The changelog for the last two versions of the plugin Travelpayouts is “SECURITY UPDATE please update ASAP”. When we started looking at the changes made in the older of those versions to see if there was a vulnerability we should be warning customers of our service about, we noticed that it looked like the fix for a vulnerability was incomplete. Looking closer, we found that a related issue is unfixed and leads to a vulnerability of a type hackers would exploit, a persistent cross-site scripting (XSS) vulnerability. The quality of the plugin’s code is quite poor, as the vulnerable functionality doesn’t work if you try to use it as intended, so if you are planning to use this plugin it looks like it might need a lot of work.

The plugin makes the function importCsv() accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in, despite those not logged in not needing access: [Read more]
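The shape of that problem, shown as an added example in code written for this page rather than the Travelpayouts plugin’s own code (the action, function and option names are hypothetical): WordPress fires the wp_ajax_{action} hook only for logged-in users, but wp_ajax_nopriv_{action} for anyone who can reach admin-ajax.php. Registering one handler on both hooks, with no nonce or capability check, and later printing what it stored without escaping is exactly a persistent XSS that an unauthenticated attacker can plant. The hardened version below drops the nopriv hook, and, because wp_ajax_ also fires for subscribers, still checks a nonce and a capability, then sanitizes on the way in and escapes at the output sink.

```php
<?php
// Added example, not the plugin's code. Hook, function and option names are hypothetical.

// --- Vulnerable pattern -------------------------------------------------------
// Both hooks point at one handler, so unauthenticated POSTs to
// /wp-admin/admin-ajax.php?action=example_import_csv reach it.
add_action('wp_ajax_example_import_csv',        'example_import_csv_vulnerable');
add_action('wp_ajax_nopriv_example_import_csv', 'example_import_csv_vulnerable');

function example_import_csv_vulnerable()
{
    // No nonce, no capability check, no sanitization: the raw POST body is stored.
    $rows = isset($_POST['csv']) ? $_POST['csv'] : '';
    update_option('example_import_csv_rows', $rows);
    wp_die('imported');
}

function example_render_rows_vulnerable()
{
    // Stored value echoed into an admin page unescaped: persistent XSS, fired
    // whenever an administrator views the page.
    echo '<pre>' . get_option('example_import_csv_rows', '') . '</pre>';
}

// --- Hardened pattern ---------------------------------------------------------
// Only wp_ajax_: WordPress never fires it for requests without a logged-in user.
add_action('wp_ajax_example_import_csv_safe', 'example_import_csv_safe');

function example_import_csv_safe()
{
    // 1. CSRF: 'nonce' must hold a value from wp_create_nonce('example_import_csv')
    //    issued to this user; on mismatch check_ajax_referer() dies with -1.
    check_ajax_referer('example_import_csv', 'nonce');

    // 2. Authorization: wp_ajax_ fires for any logged-in role, subscribers included,
    //    so restrict the import to users who may change site settings.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Input handling: undo the slashes WordPress adds to $_POST, then constrain
    //    each line to plain text before it is persisted.
    $raw  = isset($_POST['csv']) ? wp_unslash($_POST['csv']) : '';
    $rows = array_map('sanitize_text_field', explode("\n", $raw));
    update_option('example_import_csv_rows_safe', implode("\n", $rows), false);

    wp_send_json_success(['rows' => count($rows)]);
}

function example_render_rows_safe()
{
    // 4. Output encoding at the sink, regardless of what reached the database.
    echo '<pre>' . esc_html(get_option('example_import_csv_rows_safe', '')) . '</pre>';
}
```

When auditing a plugin for this, grep for every wp_ajax_nopriv_ registration and ask whether a visitor who is not logged in genuinely needs that action; for each one that remains, confirm the handler itself verifies a nonce and a capability, since the hook alone provides neither.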

30 Aug

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Formidable Forms

This post provides the details of a vulnerability in the WordPress plugin Formidable Forms that was not discovered by us. The discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the contents of the post are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is affected by it. [Read more]