11 Jul

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Responsive Coming Soon

This post provides the details of a vulnerability in the WordPress plugin Responsive Coming Soon that was not discovered by us; the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the post's contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons to sign up beyond access to posts like this one, including that you would already have been warned about this vulnerability if your website was vulnerable due to it.


19 Jun

WordPress Plugins Are So Insecure You Can Claim the Wrong Plugin is Insecure and Still Be Right

One of the ways we keep track of publicly known vulnerabilities in WordPress plugins for our service, so that our customers are kept aware if any of the ones they use are impacted, is by monitoring the WordPress Support Forum for topics related to that. Yesterday that brought to our attention a one-star review of the plugin LiveChat with the subject “Compromised security” (which was subsequently deleted, but is archived here) that reads as follows:


10 Jun

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Breadcrumbs by menu

This post provides the details of a vulnerability in the WordPress plugin Breadcrumbs by menu that was not discovered by us; the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the post's contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons to sign up beyond access to posts like this one, including that you would already have been warned about this vulnerability if your website was vulnerable due to it.


21 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Slimstat Analytics

This post provides the details of a vulnerability in the WordPress plugin Slimstat Analytics that was not discovered by us; the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the post's contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons to sign up beyond access to posts like this one, including that you would already have been warned about this vulnerability if your website was vulnerable due to it.


20 May

Premio is Introducing Security Vulnerabilities into WordPress Plugins While Commercializing Them

On Friday the plugin myStickymenu was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular WordPress plugins (it has 60,000+ installs), and because hackers appear to monitor for the closure of popular plugins and then check whether there are security vulnerabilities they can exploit, we do that type of monitoring as well to keep our customers ahead of hackers, so we were alerted to the closure. We found that there were two vulnerabilities in it, though neither is one that hackers are likely to try to exploit on the average website. In looking into the more serious vulnerability we found that it was introduced in the first version after ownership of the plugin was handed over to a company named Premio. That version also promoted the introduction of a Pro version, and what is included in the Pro version is tied to the code introduced in that version that created the security vulnerability.


20 May

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Ultimate FAQ

This post provides the details of a vulnerability in the WordPress plugin Ultimate FAQ that was not discovered by us; the discoverer had not provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the post's contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons to sign up beyond access to posts like this one, including that you would already have been warned about this vulnerability if your website was vulnerable due to it.


16 May

This Persistent Cross-Site Scripting (XSS) Vulnerability Seems Likely to Be What Hackers Would Be Interested in FB Messenger Live Chat For

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have seen what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is FB Messenger Live Chat (Live Chat with Facebook Messenger), which has 30,000+ installs according to wordpress.org. In looking over the plugin we found that it contains a persistent cross-site scripting (XSS) vulnerability, which is a type of vulnerability hackers have been exploiting widely recently.
