19 Dec

Is This What a Hacker Would Be Targeting the Table Maker Plugin For?

Last week we mentioned that we had recently seen what looked to be probing for the usage of the SendinBlue Subscribe Form And WP SMTP and another plugin. That other plugin is Table Maker, which we had been seeing requests for its readme.txt like this: /wp-content/plugins/table-maker/readme.txt. One of the few possible explanations for requests like that is […]

19 Dec

The Results of Our WordPress Plugin Security Checker Lead to More Serious Issues in Plugin

We recently introduced a new tool to check WordPress plugins in the Plugin Directory for possible security issues. As we continue to look to how we can improve that, we are recording any issues identified by it, so that we can see what kinds of things it is identifying and where they might be room […]

17 Oct

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in Front-End Only Users

One of the misconceptions we see out there when it comes to the security of plugins is people believing that because a plugin is created by a company as opposed to an individual or because there is a paid element to it, it will be more secure. That clearly hasn’t been the case with the […]

05 Jul

Persistent Cross-Site Scripting (XSS) Vulnerability in Post Custom Templates Lite

Unlike most companies providing security services related to WordPress we are interested improving the security of the WordPress ecosystem, so that the average website isn’t required to use any security product or service. That isn’t easy since even the people on the WordPress side of things too often don’t seem interested in that. One new […]

16 Jun

False Vulnerability Report: Cross Site Scripting Vulnerability in WP Job Manager

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them. The data on these false reports is also included in our service’s data. Recently several […]

14 Jun

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in RSVP

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. The changelog entry for version 2.3.8 of RSVP and Event Management […]

30 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in Question answer

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed […]

19 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in WP Booking System

An advisory was released by the JPCERT/CC and IPA that a persistent cross-site scripting vulnerability had been fixed in version 1.4 of the plugin WP Booking System, which was discovered by “Satoshi Takagi of Cryptography Laboratory,Department of Information and Communication Engineering,Tokyo Denki University”. In looking at the changes made in that version we found that this […]