20 May

Premio is Introducing Security Vulnerabilities Into WordPress Plugins While Commercializing Them

On Friday the plugin myStickymenu was closed on the WordPress Plugin Directory. It is one of the 1,000 most popular WordPress plugins (it has 60,000+ installs), and it looks like hackers monitor for the closure of popular plugins to then see if there are security vulnerabilities they can exploit. We do that type of monitoring as well to keep our customers ahead of hackers, so we were alerted to the closure. We found that there were two vulnerabilities in it, though neither one is one that hackers are likely to try to exploit on the average website. In looking into the more serious vulnerability, we found that it was introduced in the first version after ownership of the plugin was handed over to a company named Premio. That version also promoted the introduction of a Pro version, and what is included in the Pro version is tied to the code introduced in that version that created the security vulnerability.

[Read more]

20 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Ultimate FAQ

This Vulnerability Details post about a vulnerability in the plugin Ultimate FAQ provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

16 May

This Persistent Cross-Site Scripting (XSS) Vulnerability Seems Likely to Be What Hackers Would be Interested in FB Messenger Live Chat For

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is FB Messenger Live Chat (Live Chat with Facebook Messenger), which has 30,000+ installs according to wordpress.org. In looking over the plugin we found that it contains a persistent cross-site scripting (XSS) vulnerability, which is a type of vulnerability hackers have been exploiting widely recently.

[Read more]

15 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in FV Player (FV Flowplayer Video Player)

This Vulnerability Details post provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

13 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Register IPs

This Vulnerability Details post about a vulnerability in the plugin Register IPs provides the details of a vulnerability we ran across while collecting data on vulnerabilities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

30 Apr

WordPress Paints a Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Blog Designer

Almost a month ago we noted why it is so problematic to close popular WordPress plugins that contain undisclosed but serious security vulnerabilities, in discussing a settings change vulnerability that permits persistent cross-site scripting (XSS) in the plugin Related Posts, and unfortunately here we are seeing the same exact situation again with the plugin Blog Designer. Maybe we shouldn’t be surprised by that, considering that the situation with Related Posts wasn’t properly resolved.

[Read more]

15 Apr

Persistent Cross-Site Scripting (XSS) Vulnerability in WP Inventory Manager

One of the changelog entries for the latest version of WP Inventory Manager is “Address security data sanitization in various $_POST, $_GET, $_REQUEST.” When we went to look at that change to see if there was a vulnerability we should add to our data set, we noticed the two latest log entries for the plugin in the Subversion repository, which underlies the WordPress Plugin Directory, were “Updating to 1.7.9 for wordpress team review” and “Update for Plugin Review Team”. It’s not clear what that refers to, but when we went to look at the changes made, it looked like security changes related to the plugin’s settings had been made, so we installed the previous version of the plugin and started looking to see if it looked like there was previously a vulnerability. What we saw is that there still looked to be a vulnerability, since the changes made didn’t seem to fix an issue we saw. When we went to look further, we had a hard time finding the code related to the vulnerability, and when we finally did, we found that the situation was worse, as you don’t even need to be logged in to change the plugin’s settings, and through that you can cause persistent cross-site scripting (XSS).

[Read more]

11 Apr

100,000+ Install WordPress Plugin Marketed With Claim It Doesn’t Open Security Risks Has Persistent XSS Vulnerability

In monitoring the WordPress Support Forum for indications of vulnerabilities in plugins, so that we can warn our customers of any publicly known security issues in plugins they use, we have been seeing for some time complaints about problems with bogus signups on subscriber lists for newsletter plugins. It isn’t clear what the point of that would be or if it is even intentional (if someone knows what the explanation for that is, please leave a comment). One of those plugins is Email Subscribers & Newsletters, where someone began a topic seven weeks ago with this:

[Read more]

30 Mar

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:

[Read more]

22 Mar

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Sooqr Search

Much like what we found with the plugin Analytics-Gtag earlier this week, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a restricted file upload vulnerability in the plugin Sooqr Search, which could most obviously be used to cause persistent cross-site scripting (XSS), since it allows arbitrary content to be written to a JavaScript file. It also could, say, be combined with a local file inclusion (LFI) vulnerability to cause arbitrary code to be executed.

[Read more]