28 Jun

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in the WordPress Plugin MapSVG Lite

If you were already using our service you would know that the plugin MapSVG Lite isn’t secure, as there was an unfixed vulnerability disclosed at the beginning of the year. If you were relying on other data sources there is a good chance you wouldn’t know that, since the ultimate source of a lot of those, the WPScan Vulnerability Database, claims that it was fixed:


18 Jun

Our Proactive Monitoring Caught a Local File Inclusion (LFI) Vulnerability Being Added to Sina Extension for Elementor

One of the ways we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a local file inclusion (LFI) vulnerability being added to the plugin Sina Extension for Elementor.


12 Jun

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WooCommerce Extending Plugin

When it comes to the security of WordPress plugins, the unfortunate reality is that the same problems occur over and over, and yet it seems we are largely alone in being interested in taking action to address them. One of the issues with that is that what we can do is limited. Most of the needed changes require the people in charge of the Plugin Directory to be willing to work with others to fix them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge that the problems exist, much less discuss making changes to fix them.


11 Jun

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in a WordPress Security Plugin

When it comes to WordPress security plugins, not only do they often not provide much, if any, security against threats that really impact a website, but they can actually introduce security vulnerabilities of their own. That is the case with the plugin LionScripts: IP Blocker Lite, which is described as:


10 Jun

Our Proactive Monitoring Caught a Local File Inclusion (LFI) Vulnerability in Revamp CRM for WooCommerce

One of the things we do during security reviews of WordPress plugins is to check whether .php files that are not intended to be directly accessed are protected against direct access. The lack of that protection usually makes no difference, but it is an easy way to avoid or limit vulnerabilities, like the local file inclusion (LFI) vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory (which tries to catch serious vulnerabilities) caught in the plugin Revamp CRM for WooCommerce.


04 Jun

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WPMktgEngine

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught just such a vulnerability, an authenticated option update vulnerability, in the plugin WPMktgEngine. This vulnerability likely would have been widely exploited by now if the plugin were more popular, considering how easy it would be to detect.


20 May

What Security Review? Another Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

A little less than a month ago we mentioned how a brand new WordPress plugin contained an authenticated option update vulnerability due to usage of an outdated version of the third-party Freemius library. That vulnerability has been widely exploited. Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. So either those reviews are not happening or they are failing to catch things that should have been caught. We spotted that through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, and that monitoring has again identified the same thing happening, with the new plugin this time being WP Dev Powers: ACF Color Coded Field Types.


09 May

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in Kanzu Support Desk

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a remote code execution (RCE) vulnerability in the plugin Kanzu Support Desk.


06 May

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability in the New Plugin Master Popups Lite

In yet another of far too many instances of this happening, our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities has caught a brand new plugin being introduced with a vulnerability that seems like it should have been caught through the security review that is supposed to happen before new plugins are allowed in the Plugin Directory. This time it is an authenticated remote code execution (RCE) vulnerability in the plugin Master Popups Lite.


29 Apr

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in PollDeep

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated arbitrary file upload vulnerability in the plugin PollDeep.
