17 May 2025

Patchstack VDP Partner WPMU DEV Incompletely Fixed Privilege Escalation Vulnerability in Broken Link Checker

On Friday, WPMU DEV released a partial security update for the WordPress plugin Broken Link Checker. The changelog entry for the new version is “Fix: Patched a vulnerability issue.” There are a couple of problems with that. First, they didn’t set it, so the update is being offered to those already using the plugin or new users. Second, the fix was incomplete. Unsurprisingly, the developer is part of the Patchstack Vulnerability Disclosure Program, which signals that the developers are not handling security right and not making sure issues are fully addressed.


[Read more]

16 May 2025

WordPress Plugin Security Review: FV Gravatar Cache

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for FV Gravatar Cache.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service who haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service. [Read more]

30 Apr 2025

Wordfence and WordPress Miss That Insecure Code in WordPress Plugin is Still Insecure

One of the reasons why WordPress plugins continue to be so insecure is that unethical security providers don’t do basic vetting work before claiming that vulnerabilities exist and that they have been fixed. Unsurprisingly, they don’t show the work, as it were, as to how they came to claim there was a vulnerability. That often leads to real security issues and vulnerabilities remaining in plugins after they take credit for them being fixed. That was the case recently with a situation that involved one of those unethical providers, Wordfence, and WordPress.

Last week, our monitoring systems flagged the possibility of a vulnerability in the plugin WPMasterToolKit. At the time, the plugin was closed on the WordPress Plugin Directory. The reason for the closure appears to be a claim by Wordfence of a vulnerability in the plugin. The author of the plugin stated: [Read more]

13 Nov 2024

WP Engine Failed to Vet Security of Plugin Acquired This Year or Fix Vulnerability in It Once It Was Reported to Them

When it comes to whether Matt Mullenweg or WP Engine are the bad guys in their recent dispute, the reality is that they both have played a decidedly harmful role in the security of WordPress plugins. Sometimes that comes from them working together. Last year, we noted that WP Engine was falsely claiming that a popular WordPress plugin contained a security vulnerability. That was caused by them using a known unreliable source of vulnerability information, WPScan. Incredibly, WP Engine’s VP of security admitted earlier in the year that they hadn’t done due diligence with WPScan’s data:

We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else. [Read more]

3 Sep 2024

600,000+ Install WordPress Plugin MetaSlider Still Using Vulnerable Version of Library 17 Months Later

One of the expanding capabilities of our new Plugin Security Scorecard is the ability to identify software libraries included in WordPress plugins. From there, if there are known vulnerabilities in those libraries in the plugins, that can be warned about when plugins are graded. We can also go back and check whether previous scans found that plugins contained a vulnerable version of those libraries. As we found when adding a library to that checking last week, there is a need to better monitor this situation. That is because we found that a plugin with 600,000+ installs, MetaSlider, is still using a vulnerable version of the AppSero Client library. The vulnerability was fixed 17 months ago. We reached out to the developer of that plugin last week as well. They said a fix will be included in the next release of the plugin, which they said might come out this week. (It hasn’t as of us publishing this post.)

The situation highlights other areas where security could be improved. [Read more]

9 Aug 2024

Freemius Still Hasn’t Resolved All the Security Issues in Their SDK Library

In a blog post last year, Freemius bizarrely criticized us for not working with them to fix vulnerabilities in their library, which ships with many WordPress plugins, while linking to a post from the year before in which they admitted to having been the ones refusing to work with us. The post last year revolved around them belatedly addressing a security issue that we had tried to address with them the year before. They also criticized us for publicly disclosing vulnerabilities we had discovered during a security review of a plugin using it, rather than allowing competitors to disclose them. (In a previous incident, they accused us of full disclosure of a vulnerability, despite us only knowing about it because it had already been exploited and fixed.) In both posts they derisively referred to those in the security industry as “trolls”. That type of behavior shouldn’t be acceptable in the WordPress community.

Unsurprisingly, considering Freemius’ abusive attitude towards the security industry and their unwillingness to take responsibility for their continued poor handling of security, they still haven’t gotten all the security issues resolved related to what we brought up with them two years ago. [Read more]

12 Jun 2024

Privilege Escalation Vulnerability in Pretty Links

One of the changelog entries for the latest version of the WordPress plugin Pretty Links is “Security hardening.” Looking at the changes made, we found that a nonce check to prevent cross-site request forgery (CSRF) was added in the new version. Looking closer, we found that another security check was still missing and that the vulnerability that had existed didn’t just involve CSRF. We have notified the developer of the missing security check, which is also still missing in other similar code, and offered to help them address it.


[Read more]

6 Jun 2024

400,000+ Install WordPress Plugin Formidable Forms Is Missing More Basic Security Checks

In January, because at least one of our customers was using the 400,000+ install WordPress plugin Formidable Forms, we looked into a changelog entry for the then latest version of the plugin that suggested a cross-site request forgery (CSRF) vulnerability had been fixed. We confirmed that the developer had indeed addressed an instance of CSRF, but we also found that code similar to what was being fixed was still vulnerable to that. It turns out that version had also added yet another instance of the issue. That is striking since protection against CSRF is a really basic element of securing a WordPress plugin, so not something that should be an issue with such a popular plugin. The additional instance has yet another missing basic security check as well.

Last week, a new version of the plugin was released. The update was flagged by our system that uses machine learning, a form of artificial intelligence (AI), to try to detect when vulnerabilities have been fixed, but haven’t been disclosed, in plugins used by our customers. We found a security change being made, which changed the following line that was previously bringing in user input without sanitizing it (which is yet another security issue): [Read more]
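As an added illustration (not code from Pretty Links, Formidable Forms, or any other plugin covered above), the following stand-alone PHP script shows the pattern both of those entries describe: an admin-ajax handler where a nonce check was added to stop CSRF, but the capability check and input sanitization are still missing, next to a hardened version of the same handler. The function and option names prefixed pv_example_ are hypothetical, the request values are constructed, and the WordPress functions used are replaced with minimal stand-ins guarded by function_exists(), so the script can be run from the PHP command line without WordPress.

```php
<?php
// Added example, not code from any plugin discussed on this page.
// Names prefixed pv_example_ are hypothetical. The stand-ins below are only
// defined when WordPress is not loaded, so `php example.php` runs end to end.
if (!function_exists('current_user_can')) {
    $GLOBALS['pv_sim'] = ['role' => 'subscriber', 'options' => []];

    // Simulated nonce: valid when it equals "valid-<action>" (constructed value).
    function wp_verify_nonce($nonce, $action) { return $nonce === 'valid-' . $action; }
    function check_ajax_referer($action, $query_arg = false, $stop = true) {
        $nonce = $_POST[$query_arg ?: '_ajax_nonce'] ?? '';
        if (!wp_verify_nonce($nonce, $action)) { throw new RuntimeException('bad nonce'); }
        return 1;
    }
    // Simulated capability map: only administrators have manage_options.
    function current_user_can($capability) {
        return $capability === 'manage_options' && $GLOBALS['pv_sim']['role'] === 'administrator';
    }
    function wp_unslash($value) { return is_array($value) ? array_map('wp_unslash', $value) : stripslashes((string) $value); }
    function sanitize_text_field($str) { return trim(strip_tags((string) $str)); }
    function update_option($option, $value) { $GLOBALS['pv_sim']['options'][$option] = $value; return true; }
    // In WordPress these two end the request; the stand-ins model that with an exception / return.
    function wp_send_json_error($data = null) { throw new RuntimeException('denied: ' . $data); }
    function wp_send_json_success($data = null) { return $data; }
}

// "Before": only a nonce check. This blocks CSRF, but any logged-in user who can
// obtain a valid nonce (for example, because the plugin localizes one into a
// script for every authenticated user) can still change the setting. That is the
// missing capability check, and the raw $_POST value is stored unsanitized too.
function pv_example_save_label_vulnerable() {
    check_ajax_referer('pv_example_save', 'nonce');
    update_option('pv_example_label', $_POST['label']);
    wp_send_json_success('saved');
}

// "After": the same nonce check, plus a capability check so only users allowed to
// manage options reach the write, and sanitization of the submitted value.
function pv_example_save_label_hardened() {
    check_ajax_referer('pv_example_save', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('insufficient privileges');
    }
    $label = sanitize_text_field(wp_unslash($_POST['label'] ?? ''));
    update_option('pv_example_label', $label);
    wp_send_json_success('saved');
}

// Simulated requests (constructed input): a subscriber holding a valid nonce.
if (PHP_SAPI === 'cli' && isset($GLOBALS['pv_sim'])) {
    $_POST = ['nonce' => 'valid-pv_example_save', 'label' => '<script>alert(1)</script>owner'];

    pv_example_save_label_vulnerable();
    echo "vulnerable, subscriber: option is now ", $GLOBALS['pv_sim']['options']['pv_example_label'], "\n";

    try {
        pv_example_save_label_hardened();
    } catch (RuntimeException $e) {
        echo "hardened, subscriber: ", $e->getMessage(), "\n";
    }

    $GLOBALS['pv_sim']['role'] = 'administrator';
    pv_example_save_label_hardened();
    echo "hardened, administrator: option is now ", $GLOBALS['pv_sim']['options']['pv_example_label'], "\n";
}
```

The point the script makes is the one both entries turn on: a nonce proves the request came from a page the plugin rendered for the current user, not that the current user is allowed to perform the action. Without the current_user_can() check, any account that can get a nonce can drive the privileged write, so adding the nonce alone fixes the CSRF half of the issue and leaves the privilege escalation in place.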

21 Feb 2024

Privilege Escalation Vulnerability in Brave Conversion Engine

One of the changelog entries for the latest version of the Brave Conversion Engine is “Fixed: SSFR vulnerability.” That would presumably be a reference to a server-side request forgery (SSRF) vulnerability. Looking into that, it seems the SSRF element of that is limited, but there is still a vulnerability that hasn’t been resolved here. We have reached out to the developer about that and offered to help them address it.


[Read more]