03 Sep

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WP BASE Booking of Appointments, Services and Events

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a PHP object injection vulnerability in the plugin WP BASE Booking of Appointments, Services and Events.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool flags the possibility of other issues in this plugin as well. [Read more]

12 Aug

Vulnerability Details: PHP Object Injection in Formidable Forms

This post provides the details of a vulnerability in the WordPress plugin Formidable Forms not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

19 Jul

A Hacker Looks to Be Probing for the WordPress Plugin Easy Property Listings, These Vulnerabilities Might Be Why

Yesterday we had what looks to be a hacker probing for usage of the plugin Easy Property Listings through requests for these two files:

/wp-content/plugins/easy-property-listings/license.txt [Read more]

18 Mar

Vulnerability Details: PHP Object Injection in Easy WP SMTP

This post provides the details of a vulnerability in the WordPress plugin Easy WP SMTP not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

20 Nov

We Caught a PHP Object Injection Vulnerability in a WordPress Plugin with 70,000+ Installs Before It Could Possibly Be Exploited

Earlier today we noted that a security company claimed to have sat on a PHP object injection vulnerability in a WordPress plugin for nearly six months and only disclosed that they knew about it after others had noticed it, and possibly after it had been exploited. Completely coincidentally, during our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted the same kind of serious vulnerability being introduced today into a plugin with 70,000+ active installations, Anti-Spam by CleanTalk, before anyone is using it, as the change that introduces it has not yet been applied to the version that people install.

The vulnerability is due to changing the following line: [Read more]

15 Nov

Full Disclosure of PHP Object Injection Vulnerability in WordPress Plugin with 20,000+ Installs

Yesterday, as part of our monitoring of WordPress plugins’ changelogs for indications that vulnerabilities have been fixed, so that we can add those vulnerabilities to our data set, the plugin Yet Another Stars Rating popped up. The changelog entry for its latest version is “FIXED: security fix”. Looking at the change made in that version, that is accurate: code that is meant to prevent cross-site request forgery (CSRF) was fixed so that it would work properly. When we started to look at what the significance of that might be, we noticed a more serious issue that still exists in the plugin: it is vulnerable to PHP object injection in at least one location (and probably others as well), which is a type of vulnerability that more advanced hackers have been known to exploit widely.

When using the plugin’s shortcode yasr_visitor_multiset the function yasr_visitor_multiset_callback() is run: [Read more]

07 Nov

Vulnerability Details: PHP Object Injection Vulnerability in WP GDPR Compliance

This post provides the details of a vulnerability in the WordPress plugin WP GDPR Compliance not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

01 Nov

PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)

In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one where we couldn’t see how it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It is also yet another reminder that we really need to review the security of the plugins we use, since there are multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.

The plugin contains a function that makes a request to the domain name yarpp.org to check if a new version of the plugin is available. The problem is that the code introduces a PHP object injection vulnerability that could be exploited by someone who controlled that domain, which would be much easier to accomplish if the domain name isn’t renewed by the plugin’s developer. The relevant portion of the function, located in the file /classes/YARPP_Core.php, is as follows: [Read more]
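The general shape of the problem described in this post and the other PHP object injection posts on this page, as an added illustration that is not code from YARPP or any other plugin named here: a hypothetical class CacheFile whose __destruct() writes a file, an update check that hands the body of a remote response straight to unserialize(), and two hardened versions of that check. The class, function names, serialized payload and file path are all constructed for the example.

```php
<?php
// Added example: the PHP object injection pattern in general form.
// Nothing here is taken from YARPP or any other plugin; CacheFile,
// the function names and the payload are hypothetical.

// A class that happens to be loaded in the application and does something
// sensitive in a magic method. unserialize() cannot run arbitrary code by
// itself, but it can instantiate any loaded class with attacker-chosen
// property values, after which __wakeup()/__destruct()/__toString() run
// on that object with those values.
class CacheFile
{
    public $path;
    public $content;

    public function __destruct()
    {
        // Flushes the "cache" to disk when the object is destroyed. With
        // hostile $path/$content this is an arbitrary file write.
        file_put_contents($this->path, $this->content);
    }
}

// Vulnerable: the body of a remote update check is handed to unserialize().
// Whoever controls the remote host (or re-registers its lapsed domain)
// controls this string and therefore which objects get created.
function vulnerable_update_check(string $response_body)
{
    return unserialize($response_body);
}

// Hardened 1: keep unserialize() but forbid object creation (PHP >= 7.0).
// Any object in the input becomes __PHP_Incomplete_Class, whose magic
// methods never run.
function hardened_update_check_unserialize(string $response_body)
{
    return unserialize($response_body, ['allowed_classes' => false]);
}

// Hardened 2: do not use PHP serialization for remote data at all. JSON
// decoded into associative arrays cannot instantiate application classes.
function hardened_update_check_json(string $response_body)
{
    $data = json_decode($response_body, true);
    return is_array($data) ? $data : null;
}

// Constructed sample of what a hostile update server could return: a
// serialized CacheFile that writes a PHP file when it is destroyed. The
// path is a hypothetical, harmless location chosen for the demo.
$demo_path = '/tmp/demo-object-injection.php';
$malicious = 'O:9:"CacheFile":2:{s:4:"path";s:30:"/tmp/demo-object-injection.php";'
           . 's:7:"content";s:16:"<?php phpinfo();";}';

$incomplete = hardened_update_check_unserialize($malicious);
echo ($incomplete instanceof __PHP_Incomplete_Class)
    ? "allowed_classes=false: hostile object was not instantiated\n"
    : "allowed_classes=false: unexpected result\n";

echo (hardened_update_check_json($malicious) === null)
    ? "json_decode: non-JSON response rejected\n"
    : "json_decode: unexpected result\n";

// The vulnerable path really does run CacheFile::__destruct() with the
// attacker's values: the returned object is discarded immediately, so the
// destructor fires on the next line.
vulnerable_update_check($malicious);
echo file_exists($demo_path)
    ? "unserialize(): attacker-controlled file was written\n"
    : "unserialize(): file not written\n";
if (file_exists($demo_path)) {
    unlink($demo_path);
}
```

Run it with the php command-line binary. In a WordPress plugin the same split applies to anything that arrives through a wp_remote_get() response, a cookie, or a request parameter: if the bytes are controllable by a user or by a remote host, they must not reach unserialize() without allowed_classes set to false, and for remote data JSON is the better format in the first place. Note that the hardened unserialize() variant stops object creation but still accepts the rest of the serialized structure, so the result must still be validated like any other untrusted input.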

26 Oct

Full Disclosure of PHP Object Injection Vulnerability in Patreon WordPress

The unfortunate reality when it comes to WordPress plugins is that there are lots of security issues in them, so even if the people on the WordPress side of things were not working against improving security there would be lots of problems. As an example of that, when the latest version of the plugin Patreon WordPress showed up in our monitoring of changes made to plugins that might involve security vulnerabilities being fixed, we found a serious vulnerability unrelated to the change we were looking into. The change that caused it to appear on our radar doesn’t seem related to a vulnerability, but in looking into it we happened across a PHP object injection vulnerability, a type of vulnerability that more advanced hackers have been known to exploit widely, in the current version of the plugin.

The line we noticed that might have allowed PHP object injection (located in the file /classes/patreon_routing.php): [Read more]

05 Oct

The Continued Inappropriate Behavior of WordPress Has Led to This Disclosure of an Exploitable Vulnerability in a Plugin with 30,000+ Active Installs

A lot has been going on for us recently. One of those things is that we have made a big improvement to our ability to detect the possibility of vulnerabilities being fixed in plugins, so that we can add more of them to our data set. That has led to us reviewing code changes in more plugins and finding more vulnerabilities, which are more serious than the possible issues that might have already been fixed. Today that led to us noticing that there is a PHP object injection vulnerability, the type of vulnerability that more advanced hackers are likely to try to exploit, in the plugin WP DSGVO Tools, which has 30,000+ active installs.

Another thing that has gone on is that, due to the continued inappropriate behavior by the moderators of the WordPress Support Forum, we have started fully disclosing vulnerabilities in WordPress plugins until such time as they stop acting inappropriately. They could already have done that and the full disclosures would have stopped; instead, so far they have just decided to compound their bad behavior with more of it. What that means is that instead of contacting the developer, letting them know about the vulnerabilities, offering assistance in fixing them, and only disclosing them after they have had a chance to do so, we are just disclosing them. We then try to notify the developers of the full disclosure through the Support Forum. That isn’t a good thing, but the inappropriate behavior of the moderators of the Support Forum is much more of a problem and it needs to finally stop. [Read more]