17 May 2023

Did ChatGPT Create This Serious Authenticated Option Update Vulnerability in the WordPress Plugin AI Power?

A lot has been made about the possible security risk with code created by ChatGPT, whether in WordPress plugins or otherwise. A more pedestrian risk is that WordPress plugins that interact with ChatGPT are themselves insecure, whether written by ChatGPT or not. Last week, one of those plugins, AI Power, which is described by the developer as the “most popular, WordPress-based open-source AI solution”, started introducing a serious vulnerability into the 10,000+ websites using it. The vulnerability allows those logged in to WordPress to change arbitrary WordPress options (settings), which among other things could allow them to take over the website by allowing them to create new WordPress accounts with the Administrator role.

Our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities caught that. [Read more]

24 Apr 2023

Authenticated Post Deletion Vulnerability in CartFlows

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We also run all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. Through that, we caught an authenticated post deletion vulnerability in the 200,000+ install plugin CartFlows. Our customers were already protected from the vulnerability, as our Plugin Vulnerabilities Firewall plugin provides protection against this type of vulnerability without us having to write a rule for a specific vulnerability.

By default, the plugin restricts access to the admin portion of the plugin’s interface to Administrators, but it has a user role manager that allows providing lower-level users access. If users are given “Limited Access” they “Can create/edit/delete/import flows and steps only.” With the ability to delete the plugin’s flows, they can delete any post on the website. [Read more]

9 Mar 2023

Arbitrary File Upload Vulnerability in Propeller Ecommerce

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file upload vulnerability in a brand new WordPress plugin, Propeller Ecommerce. That type of vulnerability would allow a hacker, among other things, to run arbitrary code on the website.

We now are also running all the plugins used by our customers through that on a weekly basis to provide additional protection for them. [Read more]

6 Feb 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in DELUCKS SEO

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have been running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them for a year now and we have recently increased that customer proactive monitoring to include checking for lesser vulnerabilities. Through that, we caught a reflected cross-site scripting (XSS) vulnerability in DELUCKS SEO.

That this hadn’t been spotted before is a good indication of the limited amount of security checking being done of WordPress plugins, as the relevant code is easy to detect as at least being insecure. [Read more]

8 Dec 2022

Remote Code Execution (RCE) Vulnerability in CX Easy Contact Form

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, a remote code execution (RCE) vulnerability in a brand new plugin, CX Easy Contact Form.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

7 Dec 2022

Authenticated Option Update Vulnerability in Users Control

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in a brand new plugin, Users Control.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

6 Dec 2022

Authenticated PHP Object Injection Vulnerability in Aarambha Kits for Elementor

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated PHP object injection vulnerability in a brand new plugin, Aarambha Kits for Elementor.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

30 Nov 2022

Server-Side Request Forgery (SSRF) Vulnerability in UpdraftCentral Dashboard

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious vulnerability, a server-side request forgery (SSRF) vulnerability, being introduced into the plugin UpdraftCentral Dashboard.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

30 Nov 2022

Authenticated Option Update Vulnerability in LWS Optimize

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in a brand new plugin, LWS Optimize.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

16 Nov 2022

Arbitrary File Upload Vulnerability in HTML WP

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file upload vulnerability in a brand new plugin, HTML WP.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]