21 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Slimstat Analytics

Yesterday a new release of the plugin Slimstat Analytics included the changelog entry “[Fix] Addressed a remote XSS vulnerability disclosed by Sucuri/GoDaddy.”, but Sucuri doesn’t appear to have disclosed any vulnerability, so it isn’t clear what that refers to. The Subversion commit logged as “Addressed a remote XSS vulnerability disclosed by Sucuri/GoDaddy” changed no code at all. A quick check of the code that actually was changed yesterday left us confused as to how the change that looked related to that could have involved a vulnerability, but a more thorough check showed that different code was involved, and the change that was made doesn’t seem to be an ideal fix for the persistent cross-site scripting (XSS) vulnerability in question.


[Read more]

20 May 2019

Premio is Introducing Security Vulnerabilities in to WordPress Plugins While Commercializing Them

On Friday the plugin myStickymenu was closed on the WordPress Plugin Directory. Since it is one of the 1,000 most popular WordPress plugins (it has 60,000+ installs) and hackers appear to monitor for the closure of popular plugins and then look for security vulnerabilities they can exploit, we do that type of monitoring as well to keep our customers ahead of hackers, so we were alerted to the closure. We found two vulnerabilities in it, though neither is one that hackers are likely to try to exploit on the average website. In looking into the more serious vulnerability we found that it was introduced in the first version released after ownership of the plugin was handed over to a company named Premio. That version also promoted a newly introduced Pro version, and the code that created the security vulnerability is tied to what is included in the Pro version.

The security vulnerability was caused by a failure to do two security basics, so we were curious to see if Premio’s other plugins also have security issues. Their second most popular plugin is Folders. As with myStickymenu, they took it over and the next version promoted a new Pro version. Alongside that they also introduced numerous security issues, again due to basic security failures. As one example, we confirmed that a persistent cross-site scripting (XSS) vulnerability was introduced in that version and still exists in the current version. [Read more]

20 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Ultimate FAQ

Recently we had a fair amount of traffic coming to our post detailing a reflected cross-site scripting (XSS) vulnerability in the plugin Ultimate FAQ, which seemed odd since that is a minor vulnerability unlikely to be exploited. The explanation appears to be that hackers are actively exploiting a persistent cross-site scripting (XSS) vulnerability in the plugin that was fixed 20 months ago. While reviewing the log files of a hacked WordPress website we were cleaning over at our main business we saw repeated requests for the following URL:


[Read more]

16 May 2019

This Persistent Cross-Site Scripting (XSS) Vulnerability Seems Likely to Be What Hackers Would be Interested in FB Messenger Live Chat For

As part of making sure our customers are getting the best information on vulnerabilities in WordPress plugins they may be using we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. Today we have had what look to be hackers probing for usage of five plugins. Two of those have recently had vulnerabilities disclosed that involve persistent cross-site scripting (XSS). The other three do not appear to have had vulnerabilities recently disclosed, but have persistent XSS vulnerabilities as well. One of those plugins is FB Messenger Live Chat (Live Chat with Facebook Messenger), which has 30,000+ installs according to wordpress.org. In looking over the plugin we found that it contains a persistent cross-site scripting (XSS) vulnerability, which is a type of vulnerability hackers have been exploiting widely recently.

For no good reason the plugin allows even those not logged in to WordPress to change its settings, as it registers the function that handles that, update_zb_fbc_code(), to be accessible through WordPress’ AJAX functionality to those not logged in to WordPress as well as those who are logged in: [Read more]

15 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in FV Player (FV Flowplayer Video Player)

One of the changelog entries for the latest version of FV Player (FV Flowplayer Video Player) is “Security – fix for XSS vulnerability in email subscription”. When we started to look into that we found not only that a persistent cross-site scripting (XSS) vulnerability had been fixed in the email subscription functionality, but also that there is another vulnerability in that same functionality, which we will disclose in a follow-up post.


[Read more]

13 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Register IPs

It doesn’t seem like a great sign for the security of WordPress plugins in the Plugin Directory that the head of the team in charge of it has had to update their own plugin due to a security issue involving a rather basic security failure. That happened recently with the plugin Register IPs, where one of the changelog entries for the latest version is “Sanitize and escape IP address (props @juliobox)”. Looking at the changes made showed that there was previously a persistent cross-site scripting (XSS) vulnerability in the plugin.


[Read more]

30 Apr 2019

WordPress Paints a Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Blog Designer

Almost a month ago, in discussing a settings change vulnerability that permits persistent cross-site scripting (XSS) in the plugin Related Posts, we noted why it is so problematic to close popular WordPress plugins that contain undisclosed but serious security vulnerabilities, and unfortunately we are now seeing the exact same situation again with the plugin Blog Designer. Maybe we shouldn’t be surprised by that, considering that the situation with Related Posts wasn’t properly resolved.

Late last year after seeing evidence that hackers were monitoring for the closure of popular plugins and then looking to see if they have security vulnerabilities, we started doing the same so that we could better keep our customers warned of vulnerabilities ahead of hackers finding and exploiting them. It would be much better if the WordPress team would work with others to improve their handling of insecure plugins to avoid situations like that in the first place, but so far they haven’t shown an interest in that, so here we are again. [Read more]

15 Apr 2019

Persistent Cross-Site Scripting (XSS) Vulnerability in WP Inventory Manager

One of the changelog entries for the latest version of WP Inventory Manager is “Address security data sanitization in various $_POST, $_GET, $_REQUEST.” When we went to look at that change to see if there was a vulnerability we should add to our data set, we noticed that the two latest log entries for the plugin in the Subversion repository, which underlies the WordPress Plugin Directory, were “Updating to 1.7.9 for wordpress team review” and “Update for Plugin Review Team”. It’s not clear what that refers to, but when we looked at the changes made, it appeared that security changes related to the plugin’s settings had been made, so we installed the previous version of the plugin and started looking to see if it looked like there was previously a vulnerability. What we saw is that there still looked to be a vulnerability, since the changes made didn’t fix an issue we saw. When we went to look further we had a hard time finding the code related to the vulnerability, and when we finally did we found that the situation was worse, as you don’t even need to be logged in to change the plugin’s settings, and through that you can cause persistent cross-site scripting (XSS).

The code that starts this is a bit complicated, so we will skip ahead to the function admin_init() in the file /includes/wpinventory.admin.class.php, which runs during the admin_init hook. That hook runs even for visitors who are not logged in when the page /wp-admin/admin-post.php is accessed. Here is the beginning of that function: [Read more]
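The two exposure patterns described in the FB Messenger Live Chat post above (a settings handler registered for WordPress’ unauthenticated AJAX hook) and in the WP Inventory Manager post (settings code run from admin_init, which fires on /wp-admin/admin-post.php for logged-out visitors) are shown below next to a hardened form. This is an added illustration written for this page, not code from either plugin; the example_* function, hook and option names are hypothetical placeholders.

```php
<?php
// Added illustration (not code from any plugin discussed on this page).
// All example_* names, hooks and option keys are hypothetical.

// --- Exposure 1: settings handler reachable through unauthenticated AJAX ---
// Registering the callback on wp_ajax_nopriv_{action} as well as
// wp_ajax_{action} lets anyone call it via
// /wp-admin/admin-ajax.php?action=example_save_code, logged in or not.
add_action( 'wp_ajax_example_save_code', 'example_save_code_insecure' );
add_action( 'wp_ajax_nopriv_example_save_code', 'example_save_code_insecure' );

function example_save_code_insecure() {
    // No capability check, no nonce, no sanitization. Whatever is POSTed is
    // stored; if an admin page later echoes it unescaped, that is persistent XSS.
    update_option( 'example_code', $_POST['code'] );
    wp_die();
}

// --- Exposure 2: settings saved from admin_init ---
// admin_init fires on every request under /wp-admin/, including
// /wp-admin/admin-post.php, which does not require a logged-in user. A handler
// that only checks for the presence of its own POST field is therefore
// effectively unauthenticated.
add_action( 'admin_init', 'example_admin_init_insecure' );

function example_admin_init_insecure() {
    if ( isset( $_POST['example_settings'] ) ) {
        update_option( 'example_settings', $_POST['example_settings'] );
    }
}

// --- Hardened AJAX handler: logged-in hook only, capability + nonce, sanitize ---
// The wp_ajax_nopriv_ registration is deliberately absent.
add_action( 'wp_ajax_example_save_code_secure', 'example_save_code_secure' );

function example_save_code_secure() {
    // 1. Authorization: changing plugin settings is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // 2. CSRF protection: the client sends a nonce made with
    //    wp_create_nonce( 'example_save_code' ) in the _ajax_nonce field;
    //    check_ajax_referer() dies on mismatch (third argument true).
    check_ajax_referer( 'example_save_code', '_ajax_nonce', true );

    // 3. Input handling: unslash, then strip tags and control characters.
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    update_option( 'example_code', $code );
    wp_send_json_success();
}

// --- Hardened admin-post handler: hook the specific action, not admin_init ---
// admin_post_{action} only fires for logged-in users (the unauthenticated
// variant is admin_post_nopriv_{action}, which is not registered here). The
// form posts to admin-post.php with a hidden field action=example_save_settings
// and a nonce field from wp_nonce_field( 'example_save_settings' ).
add_action( 'admin_post_example_save_settings', 'example_save_settings_secure' );

function example_save_settings_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings' ); // checks the _wpnonce field

    $raw      = isset( $_POST['example_settings'] ) ? (array) wp_unslash( $_POST['example_settings'] ) : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_settings', $settings );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// --- Output: escape for the context at render time ---
// Sanitizing on save is defence in depth; escaping on output is what stops
// stored markup from executing even if bad data got in some other way.
function example_render_code_field() {
    $code = get_option( 'example_code', '' );
    echo '<input type="text" name="code" value="' . esc_attr( $code ) . '">';
    echo '<p>Current value: ' . esc_html( $code ) . '</p>';
}
```

The important design point is that the fix is not a single sanitization call: the handler has to be registered only where authenticated users can reach it, check a capability and a nonce before touching options, sanitize what it stores, and escape what it prints for the HTML context it prints into. Any one of those alone leaves either the settings change or the XSS in place.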

11 Apr 2019

100,000+ Install WordPress Plugin Marketed With Claim It Doesn’t Open Security Risks Has Persistent XSS Vulnerability

In monitoring the WordPress Support Forum for indications of vulnerabilities in plugins, so that we can warn our customers of any publicly known security issues in plugins they use, we have for some time been seeing complaints about bogus signups on the subscriber lists of newsletter plugins. It isn’t clear what the point of that would be or whether it is even intentional (if someone knows the explanation, please leave a comment). One of those plugins is Email Subscribers & Newsletters, where someone began a topic seven weeks ago with this:

This plugin has been exploited by bots or scripts that dump a bunch of bogus Russian email addresses into the subscriber list. It was fixed once in a recent version, but was quickly exploited again. Until this is successfully resolved, I could not recommend the plugin because I have to disable it every time it is hacked. [Read more]

30 Mar 2019

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:

Don’t post on things they don’t understand. This really ties into the last item since you often have moderators providing people incorrect information and then they appear to not be able to handle that someone provides information that disputes that, leading to accurate information being deleted. [Read more]