March 30 – The plugin was closed on the WordPress Plugin Directory.
March 30 – We notice the closure and find that the plugin contains an exploitable vulnerability.
March 30 – We put out post warning about that vulnerability and pointed out the problem with closing plugins with undisclosed vulnerabilities.
March 30 – We notify the developer of the plugin about the vulnerability through the WordPress Support Forum.
April 2 – Developer submits new version of plugin that appears to be intended to fix a different vulnerability and seemingly unintentionally fixes another one.
Approximately April 9 or 10 – Vulnerability we warned about is widely exploited.

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

5 Apr 2019

Closures of Very Popular WordPress Plugins, Week of April 5

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week four of those plugins were closed and two of them have been reopened. [Read more]

3 Apr 2019

Vulnerability Details: Authenticated SQL Injection in Related Posts

After the plugin Related Posts was closed on Saturday we noted it has a very serious settings change vulnerability that leads to persistent cross-scripting (XSS). Something we have been interested in with recent likely to be exploitable vulnerabilities, like that one, is having a better understanding of if these are fluke security issues in the plugins or if the security of the plugins is rather poor in general. What we have been seeing is that the plugins have fallen in the latter category, but we are also seeing is that these developers seem to be making coding mistakes and not doing testing of the functionality they are changing, which should flagged those mistakes for them.

…

[Read more]

30 Mar 2019

WordPress Plugin Team Paints Target on Exploitable Settings Change Vulnerability That Permits Persistent XSS in Related Posts

When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:

Don’t post on things they don’t understand. This really ties into the last item since you often have moderators providing people incorrect information and then they appear to not be able to handle that someone provides information that disputes that, leading to accurate information being deleted. [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Related Posts