10 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Testimonial Slider

In a post earlier today we mentioned coming across a report that the plugin Testimonial Slider had been removed from the Plugin Directory, and the cause of that. While doing a bit of checking over the plugin we found another minor vulnerability (and there could well be more, as the code we looked at isn't securely written), [Read more]

03 Oct

New Check in Our Plugin Security Checker Already Spotted Vulnerability in WordPress Plugin with 100,000+ Active Installs

About a month ago we mentioned that the WordPress Support Forum moderators' deletion of discussions of security issues can be unhelpful, in the context of us seeing mention of a vulnerability in a thread that was quickly deleted, realizing there was another related vulnerability, and then adding a check for that other vulnerability to [Read more]

02 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Bitcoin Faucet

Recently we ran the plugin Bitcoin Faucet through our automated tool for checking over the security of WordPress plugins and it identified a possible reflected cross-site scripting (XSS) vulnerability in the plugin: unless the user input was sanitized or validated, those lines should lead to vulnerabilities, since malicious JavaScript could be output through that code. The contents of [Read more]
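As an added illustration of the pattern such a check flags (this is example code written for this listing, not code from Bitcoin Faucet or from the checker, and the parameter name `ref` is assumed), the snippet below puts the vulnerable form of a request parameter echoed into an HTML attribute beside two hardened forms: escaping at output time, and validating against an allow-list. The crafted `$_GET` value is constructed inline so the file runs from the PHP CLI without a web server or WordPress.

```php
<?php
// Added example: demonstrates reflected XSS in a WordPress-style plugin
// and two ways to close it. Not code from any plugin named on this page.

// Constructed request: the value an attacker's crafted link would supply.
// In a real plugin this arrives in $_GET from the visitor's browser.
$_GET['ref'] = '"><script>alert(document.domain)</script>';

// Vulnerable: the raw request parameter is written into an attribute.
// The quote and ">" in the payload close the attribute and the tag,
// so the attacker's <script> lands in the page and runs.
function vulnerable_render(): string {
    $ref = isset($_GET['ref']) ? $_GET['ref'] : '';
    return '<input type="hidden" name="ref" value="' . $ref . '">';
}

// Hardened: escape for the HTML attribute context at the point of output.
// esc_attr() is the WordPress helper for this context; when the file is run
// outside WordPress, htmlspecialchars() with ENT_QUOTES gives the same
// protection for an attribute value. Escaping belongs at output even if
// the value was sanitized on the way in, because the context decides
// which characters are dangerous.
function hardened_render(): string {
    $ref = isset($_GET['ref']) ? (string) $_GET['ref'] : '';
    $escaped = function_exists('esc_attr')
        ? esc_attr($ref)
        : htmlspecialchars($ref, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="ref" value="' . $escaped . '">';
}

// Hardened further: when the value only ever takes a few known forms,
// validate against that set and fall back to a safe default. Nothing
// attacker-controlled reaches the output at all.
function validated_render(array $allowed = ['home', 'sidebar']): string {
    $ref = isset($_GET['ref']) ? (string) $_GET['ref'] : '';
    if (!in_array($ref, $allowed, true)) {
        $ref = 'home';
    }
    return '<input type="hidden" name="ref" value="' . $ref . '">';
}

echo "Vulnerable output:\n" . vulnerable_render() . "\n\n";
echo "Hardened output:\n" . hardened_render() . "\n\n";
echo "Validated output:\n" . validated_render() . "\n";
```

Run it with `php example.php`: the first block of output shows the payload breaking out of the attribute, the second shows it neutralized as `&quot;&gt;&lt;script&gt;...`, and the third shows the unknown value replaced by the default. When reviewing a flagged line in a real plugin, the question to ask is exactly this: between the superglobal and the echo, is there an escaping call that matches the output context (attribute, HTML body, JavaScript, URL), or a validation step that removes attacker control entirely?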

28 Sep

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in Plugin with 30,000+ Active Installs

To close out our first week of fully disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum, we return to something from the first day and a reminder of an example of why the Support Forum moderators' behavior is harmful to [Read more]

25 Sep

Full Disclosure of Vulnerability in WordPress Plugin with 700,000+ Active Installations

Earlier today we announced that we are changing how we handle the disclosure of vulnerabilities in WordPress plugins. Until the inappropriate behavior by the moderators of the WordPress Support Forum ends, we are going to be doing full disclosure, that is, just disclosing the vulnerabilities and only after that notifying the developer of the plugin through the [Read more]

24 Sep

Our Plugin Security Checker Identified a Reflected XSS Vulnerability in Quiz And Survey Master

Recently the plugin Quiz And Survey Master, which has 20,000+ active installs according to wordpress.org, was run through our Plugin Security Checker tool and as part of our continued focus on improving the results produced by the tool we happened to take a look at some of the possible issues identified in it. One of those possible issues [Read more]

24 Sep

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in WP Sudoku Plus

Our Vulnerability Details posts provide the details of vulnerabilities we didn't discover; access to them is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available. For existing customers, please log in to your account to view the rest of the post. If you are not currently [Read more]

05 Sep

Reflected Cross-Site Scripting (XSS) Vulnerability in File Manager

One of the problems we have found with the WordPress Support Forum is that there is unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago, a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager; deleting that doesn't make [Read more]

10 Aug

Our Plugin Security Checker Identified Another Reflected XSS Vulnerability in WordPress Plugin with 100,000+ Active Installs

In a reminder of the rather poor state of security of WordPress plugins, and of how our Plugin Security Checker tool (which is accessible through a WordPress plugin of its own) can help you get a better idea of whether they are in need of additional security scrutiny, recently the plugin Ultimate Member, which has 100,000+ active installs according to wordpress.org, was run [Read more]