26 Nov 2018

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in YOP Poll

One of the changelog entries for the latest version of YOP Poll is “fixed XSS vulnerability”. Looking at the changes made in that version, we found that a reflected cross-site scripting (XSS) vulnerability had been fixed in a couple of locations.


[Read more]

14 Nov 2018

Vulnerability Details: Reflected XSS in Ninja Forms

One of the changelog entries for the latest version of Ninja Forms is “Patched a redirect XSS vulnerability using code injection on our submissions page.”. Looking at the changes made in that version, we found that a reflected cross-site scripting (XSS) vulnerability on the plugin’s admin Submissions page had been fixed.


[Read more]

12 Nov 2018

Vulnerability Details: Reflected XSS Vulnerability in PeepSo

The quality of reports on vulnerabilities in WordPress plugins is not always great, and a report of a reflected cross-site scripting (XSS) vulnerability in the plugin PeepSo released today is a perfect example of that. The report claims that there is a vulnerability in version 1.11.2 of the plugin and doesn’t indicate whether it was fixed. That version hasn’t been the latest version of the plugin for over a month, so does that mean that it was fixed, or did the discloser not bother checking whether more recent versions were impacted? Making that more difficult to decipher, the discloser provided no details beyond a proof of concept.


[Read more]

5 Nov 2018

Full Disclosure of Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Installs

One of the ways that we continue to improve the quality of our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker, is by checking whether vulnerabilities we are adding to our data set that should be detectable by it are in fact detected. That led to us running the plugin NextScripts: Social Networks Auto-Poster through it after we noticed that a reflected cross-site scripting (XSS) vulnerability had been fixed in it. Not only did it correctly spot the possibility of that vulnerability, it also noticed three other instances of possible reflected XSS vulnerabilities that are still present in the latest version of the plugin.

If you are a customer of our service you can access the tool’s developer mode; with that, the first of those possible reflected XSS vulnerabilities is as follows: [Read more]

5 Nov 2018

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in NextScripts: Social Networks Auto-Poster

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability. When that happens, we put out a post detailing the possible vulnerability that led to the closure, so that we can provide our customers with more complete information on the security of the plugins they use.


[Read more]

2 Nov 2018

Vulnerability Details: Reflected XSS, CSRF/XSS, and Persistent XSS Vulnerabilities in Calendar Event Multi View

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability. When that happens, we put out a post detailing the possible vulnerability that led to the closure, so that we can provide our customers with more complete information on the security of the plugins they use.


[Read more]

2 Nov 2018

Vulnerability Details: Reflected XSS Vulnerability in WP Live Chat Support

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability. When that happens, we put out a post detailing the possible vulnerability that led to the closure, so that we can provide our customers with more complete information on the security of the plugins they use.


[Read more]

16 Oct 2018

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WooCommerce Order Export and More

The other day, while looking for information on a vulnerability possibly related to a plugin that exports order information from WooCommerce, we ran across a report of an unrelated possible vulnerability in the plugin WooCommerce Order Export and More from php-grindr.

That report pointed to the value of the GET or POST input “tab” being assigned to the variable $tab in the file /order-export-and-more-for-woocommerce/inc/jem-exporter.php: [Read more]

12 Oct 2018

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Category Order

From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability. When that happens, we put out a post detailing the possible vulnerability that led to the closure, so that we can provide our customers with more complete information on the security of the plugins they use.


[Read more]