30 May 2019

Authenticated Open Redirect Vulnerability in Paid Memberships Pro

One ongoing indication of the poor security of WordPress plugins is how often our Plugin Security Checker, an automated tool for identifying some possible security issues with plugins, picks up vulnerabilities in fairly popular plugins. We would not describe the tool as advanced by any means, so the fact that it keeps finding vulnerabilities is not a good sign for how plugin security is being handled. In looking over some of the recent results for plugins in the Plugin Directory that had been checked through it, to see if we could further improve its results, we found that the plugin Paid Memberships Pro, which has 80,000+ active installations according to wordpress.org, contains an authenticated open redirect vulnerability.

An open redirect (the plugin sending a visitor on to an attacker-supplied URL) that additionally requires the request to come from a logged-in user isn't really a concern in terms of being exploited on the average website, but it is something that looks like it could easily have been avoided. You can check the plugins you use to see if they are possibly impacted by a similar issue or a number of other issues through the tool for free. [Read more]

1 Mar 2019

Our Plugin Security Checker Now Checks For Usage of Versions of Freemius with the Authenticated Option Update Vulnerability

To make it easy for those without a lot of technical skills to check if plugins are impacted by the authenticated option update vulnerability that exists in older versions of the Freemius library, we have updated our Plugin Security Checker so that a warning is shown when a plugin that includes a vulnerable version of the library is checked.

While that would usually mean the vulnerability is exploitable through the plugin, we oddly found that in one of the 1,000 most popular plugins, Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons), the library is included but its usage has been disabled for 8 months. For some reason, even with a serious vulnerability having been found in the library, they haven't removed it from their plugin, though they did promptly update to the fixed version of Freemius. [Read more]

5 Nov 2018

Full Disclosure of Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Installs

One of the ways we continue to improve the quality of our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker, is by checking whether vulnerabilities we are adding to our data set that should be detectable by it are in fact detected. That led to us running the plugin NextScripts: Social Networks Auto-Poster through it after we noticed that a reflected cross-site scripting (XSS) vulnerability had been fixed in it. Not only did it correctly spot the possibility of that vulnerability, it also noticed three other instances of possible reflected XSS vulnerabilities in the plugin that are still present in the latest version.

If you are a customer of our service you can access the tool's developer mode; with that, the first of those possible reflected XSS vulnerabilities is as follows: [Read more]

3 Oct 2018

New Check in Our Plugin Security Checker Already Spotted Vulnerability in WordPress Plugin with 100,000+ Active Installs

About a month ago we mentioned that the WordPress Support Forum moderators' deletion of discussions of security issues can be unhelpful, in the context of us seeing mention of a vulnerability in a thread that was quickly deleted, realizing there was another related vulnerability, and then adding a check for that other vulnerability to our Plugin Security Checker, which provides a limited but expanding capability to check for possible security issues in plugins. Just days later that new check flagged a possible issue in a plugin with 100,000+ active installs that was being run through it, and a quick check confirmed that it was an exploitable vulnerability (though far from a serious issue for the average website). That the plugin involved was Ultimate Member wasn't all that surprising, considering that the Plugin Security Checker had previously identified another vulnerability of the same type in the plugin a couple of months earlier.

Here are the details of the possible reflected cross-site scripting (XSS) vulnerability that was identified, which are available to users of our service through the Plugin Security Checker’s Developer Mode: [Read more]

24 Sep 2018

Our Plugin Security Checker Identified a Reflected XSS Vulnerability in Quiz And Survey Master

Recently the plugin Quiz And Survey Master, which has 20,000+ active installs according to wordpress.org, was run through our Plugin Security Checker tool, and as part of our continued focus on improving the results produced by the tool we happened to take a look at some of the possible issues identified in it. One of those was a reflected cross-site scripting (XSS) vulnerability due to user input being directly output without any escaping.

Looking at the underlying code for the identified issue, which is available to users of our service through the tool's Developer Mode, it certainly looked like the identification was correct and that there was likely a vulnerability, as user input was being output without being escaped: [Read more]

5 Sep 2018

Reflected Cross-Site Scripting (XSS) Vulnerability in File Manager

One of the problems we have found with the WordPress Support Forum is its unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago, a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager. Deleting it doesn't make much sense to us: someone with bad intentions could easily do the same monitoring we do and have spotted the thread before it was deleted, while the deletion makes it harder for those with good intentions to find out about the issue. For us, seeing it not only led to us noticing a related vulnerability in the same code, it also led to a new check for our Plugin Security Checker, making it easier for issues similar to the one we noticed to be caught and fixed going forward. That leads to better security for WordPress plugins, which unfortunately the moderators of the WordPress Support Forum don't seem all that interested in, based on the actions they take and their shutting down of any conversation about whether those actions are productive.

The additional vulnerability we noticed is a reflected cross-site scripting (XSS) vulnerability, which could allow an attacker to run arbitrary malicious JavaScript code in the browser of a user who is induced to visit a crafted URL. This type of vulnerability isn't a big threat since it requires getting someone else to take an action, which we don't see hackers really interested in when it comes to untargeted attacks, and at the time of writing web browsers other than Firefox include filtering that restricts the ability to exploit this type of vulnerability. [Read more]

10 Aug 2018

Our Plugin Security Checker Identified Another Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether plugins are in need of additional security scrutiny: recently the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was run through the tool and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin.

Looking at the details of the issue identified, which are available to users of our service through the tool's Developer Mode, it certainly looked like there was that type of vulnerability, as user input was being output without being escaped: [Read more]

21 May 2018

Our Plugin Security Checker Found a Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether plugins are in need of additional security scrutiny: when we ran the plugin WP Google Map Plugin through the tool to check whether it would have spotted a recently fixed reflected cross-site scripting (XSS) vulnerability in the plugin, we found that the plugin still contained another vulnerability of the same type (the tool also would have identified the possibility of the previous vulnerability if the plugin had been checked earlier).

In the file /core/class.initiate-core.php the function fc_geocoding() outputs the value of the variable $_POST, which contains any POST inputs sent with a request, without escaping it: [Read more]
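The pattern behind most of the entries above (request input such as $_POST written straight into the page, as with fc_geocoding() here) and the open redirect in the first entry are both things a simple line-level pattern check can surface, which is roughly the kind of "possible issue" the tool described on this page reports. The following Python is an added example written for this page; it is not the Plugin Security Checker and not any plugin's code. The PHP it scans is a constructed sample, and the function names render_search() and after_login() in it are invented for illustration.

```python
"""Heuristic line-level check for two WordPress plugin issue classes:
reflected XSS from echoing request input without escaping, and open
redirects from passing request input to wp_redirect(). Example code for
this page, not the Plugin Security Checker; the PHP below is a constructed
sample, not any real plugin's code."""
import re
from dataclasses import dataclass

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
OUTPUT_SINK = re.compile(r"\b(echo|print)\b|<\?=")
REDIRECT_SINK = re.compile(r"\bwp_redirect\s*\(")
CAST = re.compile(r"\(\s*(int|float|bool)\s*\)\s*$")

# WordPress/PHP functions whose result is safe to echo into HTML (using the
# right one for the output context is still the developer's job), and the
# one function that makes an arbitrary redirect target safe. esc_url() is
# deliberately absent from the second set: it checks URL syntax, not host.
XSS_ESCAPERS = {"esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
                "wp_kses", "wp_kses_post", "htmlspecialchars", "htmlentities",
                "intval", "absint"}
REDIRECT_VALIDATORS = {"wp_validate_redirect"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str   # "reflected-xss" or "open-redirect"
    code: str


def wrapped_by(line: str, pos: int, safe: set[str]) -> bool:
    """True if the superglobal at `pos` is inside a call to one of `safe`,
    or directly preceded by a numeric cast. Walks backwards over the line,
    matching parentheses, and inspects the identifier owning each unclosed
    '(' so that esc_html( trim( $_GET['x'] ) ) still counts as escaped."""
    if CAST.search(line[:pos]):
        return True
    depth = 0
    for i in range(pos - 1, -1, -1):
        ch = line[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth:
                depth -= 1
            else:
                owner = re.search(r"([A-Za-z_]\w*)\s*$", line[:i])
                if owner and owner.group(1) in safe:
                    return True
    return False


def scan(php: str) -> list[Finding]:
    """Flag lines that pass request input to a sink without a safe wrapper."""
    findings = []
    for n, raw in enumerate(php.splitlines(), start=1):
        line = raw.strip()
        if line.startswith(("//", "#", "*", "/*")):
            continue  # comment lines are not sinks
        for sink, kind, safe in ((OUTPUT_SINK, "reflected-xss", XSS_ESCAPERS),
                                 (REDIRECT_SINK, "open-redirect", REDIRECT_VALIDATORS)):
            if sink.search(line) and any(
                    not wrapped_by(line, m.start(), safe)
                    for m in SUPERGLOBAL.finditer(line)):
                findings.append(Finding(n, kind, line))
    return findings


# Constructed sample; the function names are invented for this example.
SAMPLE_PHP = r"""<?php
// constructed sample for this example; not code from any real plugin
function render_search() {
    echo $_POST['address'];
    echo esc_html( $_POST['address'] );
    echo '<input value="' . esc_attr( $_GET['q'] ) . '">';
    echo 'Page ' . (int) $_GET['page'];
    echo esc_html( trim( $_REQUEST['name'] ) );
    echo trim( $_REQUEST['name'] );
}
function after_login() {
    wp_redirect( $_GET['redirect_to'] );
    wp_redirect( esc_url( $_GET['redirect_to'] ) );
    wp_safe_redirect( $_GET['redirect_to'] );
    wp_redirect( wp_validate_redirect( $_GET['redirect_to'], home_url() ) );
}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f.line}: {f.kind}: {f.code}")
```

Run against the sample this reports lines 4 and 9 as possible reflected XSS and lines 12 and 13 as possible open redirects; the esc_url() line is reported on purpose, because esc_url() only validates the URL's shape while wp_safe_redirect() and wp_validate_redirect() check the destination host against the site's allowed hosts. The check is single-line and has no taint tracking, so a value copied from $_GET into a variable and echoed later is missed, and it cannot tell whether esc_html() was the right escaper for the output context; that is why results like these are "possible" issues that need the manual confirmation the entries above describe.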