15 Feb 2022

Our Proactive Monitoring Caught a CSRF/Plugin Deactivation Vulnerability in Language Switcher

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, a cross-site request forgery (CSRF)/plugin deactivation vulnerability in the plugin Language Switcher.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

14 Feb 2022

Despite “Manual Security Review”, Brand New WordPress Plugin Contains Remote Code Execution (RCE) Vulnerability

Before new plugins are allowed into WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]

10 Feb 2022

Our Proactive Monitoring Caught a CSRF/Option Update Vulnerability in a WordPress Plugin Used by Our Customers

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now expanded that for our customers, by running plugins used by our customers, even when code in them is not updated, through the same system on a weekly basis. Through that, we caught a less serious variant of one of those vulnerabilities, a cross-site request forgery (CSRF)/option update vulnerability in Profile Builder, which, besides being used by at least one of our customers, is used on 60,000+ websites according to wordpress.org’s stats.

CSRF/Option Update

Among the add-ons for Profile Builder that ship with the plugin is Import and Export, which is described this way: [Read more]

2 Feb 2022

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, a restricted file upload vulnerability being introduced into the plugin Sitemap by click5.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

31 Jan 2022

Unfixed Vulnerability in Zendesk Library Leads to PHP Object Injection Vulnerability in WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability being introduced into the plugin ELEX HelpDesk & Customer Support Ticket System. While looking into the source of that, we found that the underlying source of the vulnerability was a library from Zendesk, a multi-billion dollar company, and that vulnerability was publicly reported to them 10 months ago, but hasn’t been resolved.

Also, notably, the file containing the vulnerability is a sample file, which is something that shouldn’t be shipping in production software, but we often find that those are not removed from libraries being included in WordPress plugins. That isn’t helped by libraries not providing a pared down version intended for production use. [Read more]

28 Jan 2022

Our Proactive Monitoring Caught a Persistent XSS Vulnerability in the WordPress Plugin Stylish Price List

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a persistent cross-site scripting (XSS) vulnerability in the plugin Stylish Price List.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

26 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Another Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in another brand new plugin, VIRTUAL HDM FOR TAXSERVICE AM. We found another of these in a brand new plugin less than two weeks ago.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

24 Jan 2022

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability being introduced into the plugin ICS Calendar.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

13 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the brand new plugin Vossle.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

12 Jan 2022

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in a WordPress Plugin with 40,000+ Installs

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability, in the plugin Stop Generating Unnecessary Thumbnails, which has 40,000+ installs.

We now are also running all the plugins used by customers through that on a weekly basis, to provide additional protection for our customers. [Read more]