16 Oct

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WooCommerce Order Export and More

The other day while looking for information on a vulnerability possibly related to a plugin that exports order information from WooCommerce we ran across a report of an unrelated possible vulnerability in the plugin WooCommerce Order Export and More from php-grindr. That report pointed to the value of the GET or POST input “tab” being set to [Read more]

12 Oct

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Category Order

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability and we will put out a post detailing the possible vulnerability that lead to that so that we can provide our customers with more complete information on the [Read more]

10 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Testimonial Slider

In a post earlier today we mentioned running across mention of the plugin Testimonial Slider being removed from the Plugin Directory and the cause of that. While doing a bit of checking over the plugin we found another minor vulnerability (and there certainly could be more as the code we looked at isn’t securely written), [Read more]

03 Oct

New Check in Our Plugin Security Checker Already Spotted Vulnerability in WordPress Plugin with 100,000+ Active Installs

About a month ago we mentioned that moderators of the WordPress Support Forum’s deletion of discussions of security issues can be unhelpful, in the context of us seeing mention of a vulnerability in a thread that was quickly deleted, realizing there was another related vulnerability, and then adding a check for that other vulnerability to [Read more]

02 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Bitcoin Faucet

Recently we ran the plugin Bitcoin Faucet through our automated tool for checking over the security of WordPress plugins and it identified a possible reflected cross-site scripting vulnerability (XSS) in the plugin: Unless the user input was sanitized or validated those should lead to vulnerabilities, since malicious JavaScript could output through that code. The contents of [Read more]

28 Sep

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in Plugin with 30,000+ Active Installs

To close out our first week of full disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum, we return back to something from the first day and a reminder of an example of why the Support Forum moderators behavior is harmful to [Read more]

25 Sep

Full Disclosure of Vulnerability in WordPress Plugin with 700,000+ Active Installations

Earlier today we announced we are changing how we handle the disclosure of vulnerabilities in WordPress plugins. Until the inappropriate behavior by the moderators of the WordPress Support Forum ends we are going to be doing full disclosure, that is just disclosing the vulnerabilities, and after that only notifying the developer of the plugin through the [Read more]

24 Sep

Our Plugin Security Checker Identified a Reflected XSS Vulnerability in Quiz And Survey Master

Recently the plugin Quiz And Survey Master, which has 20,000+ active installs according to wordpress.org, was run through our Plugin Security Checker tool and as part of our continued focus on improving the results produced by the tool we happened to take a look at some of the possible issues identified in it. One of those possible issues [Read more]

24 Sep

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Sudoku Plus

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. The changelog entry for version 1.5 of the plugin WP Sudoku Plus is [Read more]