1 Aug 2019

Settings Change to Persistent Cross-Site Scripting (XSS) Vulnerability in WP Shopify

Limiting the information released about vulnerabilities being fixed in WordPress plugins isn't a great idea, as we were reminded this week when the discoverer of a vulnerability didn't disclose it until after hackers had started more widely exploiting it, leaving most everyone else in the dark about what was going on (customers of our service were warned before the widespread hacking happened because we do the work to keep ahead of things). Another reason for providing information in a timely manner is that often vulnerabilities haven't been fully fixed, or there are related vulnerabilities that haven't been fixed. That is the case with the plugin WP Shopify, where, when we went to look into the possibility that a vulnerability had been fixed, we spotted what turned out to be a related unfixed vulnerability before we even figured out what vulnerability had been fixed.

The additional vulnerability allows even those not logged in to WordPress to change the plugin's settings and place malicious JavaScript code into those settings, which is referred to as persistent cross-site scripting (XSS). Like an increasing number of vulnerabilities, this one involves code that runs through the WordPress REST API, which means it is something that would have been caught if we had been hired to do a security review of the plugin. [Read more]
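To show what a "settings change leading to persistent XSS through the REST API" looks like in code, here is an added illustration written for this page. It is not code from WP Shopify or from any other plugin mentioned here; the plugin slug "acme-widget", the namespace "acme/v1", the option name and the function names are all made up. The first route shows the weak pattern (no permission_callback, no sanitization, raw output) and the second shows the same feature done properly.

```php
<?php
// Added example, not code from any plugin named on this page.
// Hypothetical plugin "acme-widget" that lets a site owner set a title
// for a front-end widget through the WordPress REST API.

// BEFORE: the weak pattern. Without a 'permission_callback' the route is
// reachable by anyone who can reach /wp-json/, including visitors who are
// not logged in, so the option can be rewritten from the outside.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/settings-before', array(
        'methods'  => 'POST',
        'callback' => function ( WP_REST_Request $request ) {
            // Unsanitized value stored straight into the database.
            update_option( 'acme_widget_title', $request->get_param( 'title' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
        // No 'permission_callback' here: that is what makes it public.
    ) );
} );

// Stored value echoed without escaping: this is the persistent XSS sink.
function acme_render_title_before() {
    echo '<h2>' . get_option( 'acme_widget_title' ) . '</h2>';
}

// AFTER: only users who may manage options can change the setting,
// input is sanitized on the way in, and output is escaped on the way out.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            // Unauthenticated requests fail this and get a 401 (rest_forbidden);
            // logged-in users without the capability get a 403.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'title' => array(
                'required'          => true,
                'type'              => 'string',
                // Strips tags and control characters before the callback runs.
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            update_option( 'acme_widget_title', $request->get_param( 'title' ) );
            return rest_ensure_response( array( 'saved' => true ) );
        },
    ) );
} );

// Escaping at output time is what actually prevents the stored value from
// running as script, even if some other code path wrote it unsanitized.
function acme_render_title_after() {
    echo '<h2>' . esc_html( get_option( 'acme_widget_title' ) ) . '</h2>';
}
```

A quick check when reviewing a plugin that registers REST routes: send a POST to the route from a session that is not logged in (no cookie and no X-WP-Nonce header). A correctly protected route answers with a 401 and the rest_forbidden code; a route that answers 200 and changes the stored option is the kind of settings change vulnerability described above, and whether it becomes persistent XSS then depends only on whether the stored value is escaped when it is output.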

19 Jul 2019

A Hacker Looks to be Probing for the WordPress Plugin Easy Property Listings, These Vulnerabilities Might Be Why

Yesterday we saw what looks to be a hacker probing for usage of the plugin Easy Property Listings through requests for these two files:

/wp-content/plugins/easy-property-listings/license.txt [Read more]

11 Jul 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Responsive Coming Soon

The plugin Responsive Coming Soon was closed on the Plugin Directory on July 5. No explanation has been given for the closure, but it could be due to a security issue, as the changelog entries for the versions submitted since then are:

[Read more]

3 Jul 2019

Hackers Look to Be Targeting the WordPress Plugin Appointment Booking Calendar, Which Is Yet Another Insecure Plugin From Code People

Monday of last week we started out a post with this:

Back in March of 2016 we warned of the WordPress plugin developer CodePeople, which currently has 27 plugins in the Plugin Directory, due to repeated security issues in their plugins. Over three years later things don't look to have changed. The changelog for the latest version of the plugin CP Contact Form with PayPal is "Fixed XSS vulnerability in CSS edition". In looking into that to see if there was a vulnerability we should be notifying customers of our service that were using that plugin about, we found that there is still a related vulnerability in the current version of the plugin, which should have been caught if they had checked over the code in the plugin for similar issues. The vulnerability that was fixed is identical to one that they were notified was in another of their plugins in October. [Read more]

19 Jun 2019

WordPress Plugins Are So Insecure You Can Claim the Wrong Plugin is Insecure and Still Be Right

One of the ways we keep track of publicly known vulnerabilities in WordPress plugins for our service, so that our customers are kept aware if any of the ones they use are impacted, is by monitoring the WordPress Support Forum for topics related to that. Yesterday that brought to our attention a one-star review of the plugin LiveChat with the subject "Compromised security" (which was subsequently deleted, but is archived here) that reads as follows:

If I could rate this a 0 I would. Had been using this with no issues till about a month or so ago. Then I started getting this random redirect on my website, and each time it redirected it would also add in a new admin in the users with FULL ACCESS. Took quite a while to figure out it was this plugin. [Read more]

10 Jun 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Breadcrumbs by menu

The plugin Breadcrumbs by menu was closed on the Plugin Directory on the 6th. While no reason has been given for the closure, the developer has submitted two revisions to the underlying Subversion repository for the Plugin Directory labeled as security updates. Looking at the changes made in those, we found that the plugin previously contained a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability.

[Read more]