29 Sep 2021

Our Proactive Monitoring Caught a Shortcode Execution Vulnerability in Two WordPress Plugins

One way we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a type of vulnerability that has in the past been combined with a more serious vulnerability and then exploited: a shortcode execution vulnerability, which we found in two plugins, Active Products Tables for WooCommerce and TableOn, that look like they might have been closed on the Plugin Directory for a different security issue. The vulnerability also permits reflected cross-site scripting (XSS) to occur.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

16 Jun 2021

Security Audit of WordPress Plugin Apparently Missed Easy to Detect Vulnerability

The plugin Sunshine Photo Cart was closed on the WordPress Plugin Directory yesterday. We don’t know why that was, but our systems notified us of possible security-related changes made after that. Those are described in the latest changes made to the plugin as “Security audit changes”. In that type of situation we usually run the previous version of the plugin through our Plugin Security Checker to see if it flagged any possibly insecure code that was then fixed. When we did that, we found that possibly insecure code it flagged wasn’t fixed in the new version. Further checking confirmed there was, and still is, a vulnerability, despite a security audit apparently having been done.

That code has gone unnoticed in the plugin for nearly six years, which is yet another good reason to check the plugins you use with our tool. [Read more]

14 Jun 2021

WordPress Plugin Directory Team Failing To Detect Easy to Spot Vulnerabilities

Last week we mentioned that we had found a couple of vulnerable WordPress plugins when we ran the ones also available in the plugin directory of the WordPress fork ClassicPress through our Plugin Security Checker. One of those was promptly fixed after we notified the developer of the issue. With the other, AlertMe!, we haven’t even received a response from the developer in over a week, so in line with our reasonable disclosure policy, we are disclosing the vulnerability.

Like the other vulnerability, this has existed in the plugin since the first version, despite being easy to detect. The WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of this type of issue. We have repeatedly offered to help them implement this type of thing, but, like other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]

7 Jun 2021

Poor Handling of Security in WordPress Plugin Directory Also Impacts ClassicPress Directory

On Friday we noted that we had started doing proactive monitoring of the plugins in the plugin directory of the WordPress fork ClassicPress for serious security issues, and had also run the ClassicPress plugins available there through our Plugin Security Checker, which flags the possibility of additional, less serious issues. We found a couple of plugins with minor security issues through that, including one with a vulnerability. That vulnerability was promptly fixed. Also on Friday, we ran the six plugins from the WordPress Plugin Directory that are also included in ClassicPress’ directory through the same tool. We found that two of them had a very easy-to-spot minor vulnerability.

This is the kind of thing that the WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of. We have repeatedly offered to help them implement this type of thing, but, like other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]