Back in September, the developer of the 2+ million WordPress plugin MC4WP: Mailchimp for WordPress and Wordfence claimed that a minor vulnerability had been fixed. The fix was obviously incomplete and it turns out the issue is wider than that.
…
One of the changelog entries for a recent version of the WordPress plugin Pixel Cat is “Fix possible XSS vector reported.” We checked on that and found that contrary to the claim, it was not a “possible” issue, but a reflected cross-site scripting (XSS) vulnerability.
…
Yesterday, a new version of the WordPress plugin Enable Media Replace was released. The changelog for the new version was “Fix: A potential “Reflected Cross-Site Scripting” vulnerability has been patched, responsibly disclosed by the PatchStack team.” The developers claim that a “potential” vulnerability had been fixed turned out to not be true. As there was an actual vulnerability. We also found the code in the plugin still isn’t properly secured and we have notified the developer of that.
…
We recently had an attacker try to exploit a vulnerability on our website, which was blocked by our Plugin Vulnerabilities Firewall. The logging for that was as follows:
We recently had an attacker try to exploit a vulnerability on our website, which was blocked by our Plugin Vulnerabilities Firewall. The logging for that was as follows:
…
The WordPress plugin Dynamic QR Code Generator was closed on the WordPress plugin directory last year with the only explanation given that it had a “Security Issue.” No further details of the issue were given. Prior to that last year, a security provider had vaguely claimed it contained a reflected cross-site scripting (XSS) vulnerability, but again with no further details. Looking at the code, we found there is a reflected XSS vulnerability in the most recent version of the plugin.
…
We have been seeing a reoccurring issue recently where WordPress plugin developers are having users of the plugins being asked if they are going to fix vulnerabilities that a WordPress security,Patchstack, has claimed are in their plugins. The developers are responding, accurately, that Patchstack hasn’t provided any details on what the issue is supposed to be. That obviously makes it difficult to address things if there really is a vulnerability, or to otherwise refute the claim. A recent instance of that involved a claim of a reflected cross-site (XSS) in the plugin WP Bannerize Pro.
Here are the “details” Patchstack provided: [Read more]
One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. For some time, we also have run all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. More recently, we expanded the range of possible security issues that we check over in customer used plugins every week. Through that we caught a reflected cross-site scripting (XSS) vulnerability that was introduced in to the 100,000+ install plugin Squirrly SEO in the last week.
If you are using plugins not already used by our customers, once you start using our service, those plugins will be getting checked on a weekly basis as well. [Read more]
The changelog for the latest version of the WordPress plugin Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue is “Fixed the vulnerability issues for WPML.”
…
To better detect vulnerabilities being fixed in WordPress plugins in the WordPress Plugin Directory, we run all the changes being made to plugins used by our customers and plugins with at least a million installs through a machine learning (artificial intelligence) based system we created. Today, that flagged a change being made to a 2+ million install plugin Advanced Custom Fields as fixing a vulnerability. The changelog of the plugin suggested that might be correct, as the changelog associated with that change says that it “resolves an XSS vulnerability in ACF’s admin pages”, which was credited to Rafie Muhammad
You can’t rely on changelog to provide accurate information, as the developer of this plugin, WP Engine, didn’t disclose it was fixing a vulnerability in another of their plugins recently, and even if the changelog makes the claim, it doesn’t mean that a vulnerability really existed or it has been fixed. As we have found with other changes being flagged by this monitoring system, WordPress plugin developer sometimes fail to disclose they are fixing a vulnerability and also fail to actually fix it. [Read more]
