6 Feb 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in DELUCKS SEO

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have been running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them for a year now and we have recently increased that customer proactive monitoring to include checking for lesser vulnerabilities. Through that, we caught a reflected cross-site scripting (XSS) vulnerability in DELUCKS SEO.

That this hadn’t been spotted before is a good indication of the limited amount of security checking being done of WordPress plugins, as the relevant code is easy to detect as being at least insecure. [Read more]

5 Jan 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter Glue

As part of our monitoring the security of plugins used by our customers, we have a system that alerts us if plugins used by customers have been removed from the WordPress Plugin Directory. A common cause of those removals is security issues (or at least claimed security issues). That brought the plugin Newsletter Glue to our attention recently, which was closed in August. The removal reason given is “Author Request”, but we wanted to make sure there wasn’t a serious vulnerability in the plugin as well.

What we found is that the plugin contains a minor vulnerability because of a lack of basic security. We also ran across other security problems with the plugin. For example, the plugin registers functions to be accessible via AJAX by those not logged in (in addition to those logged in) despite them only allowing users with the manage_options capability to access their functionality. If you are concerned about security, we would recommend not using the plugin unless it has a thorough security review done and all issues addressed. [Read more]

7 Nov 2022

Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin Photo Gallery

One of the changelog entries for the latest version of the WordPress plugin Photo Gallery is “Fixed: Open Redirect and XSS Reflected vulnerability.” While the open redirect vulnerability wasn’t fixed, we confirmed that a reflected cross-site scripting (XSS) vulnerability was indeed fixed.


[Read more]

30 Jun 2022

Reflected Cross-Site Scripting (XSS) Vulnerability in Header Footer Code Manager

On June 24, the WordPress plugin Header Footer Code Manager was closed on WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 300,000+ installs), our systems warned us about the closure. By the time we went to check on the plugin the next day, the developer had released a new version with a changelog suggesting a security vulnerability had existed in the plugin:


[Read more]