18 May

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in BibleGet I/O

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed […]

11 Apr

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Analytic

Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago and then in February and March we spotted a couple more plugins that looks to be from the set of plugins being targeted. We recently ran across requests for yet another plugin that looks to be […]

03 Mar

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Opti SEO

Back in October we discussed our spotting a probe for usage of a group of intentionally malicious plugins that someone had created several years ago and last month we discussed another plugin that looks to be from the set of plugins. We recently have been seeing a lot of requests probing for usage of those plugins, though usually […]

27 Jan

Vulnerability Details: Remote Code Execution (RCE) Vulnerability in Google Maps by Daniel Martyn

One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/google-maps-by-daniel-martyn/js/gmbdm.js, from the plugin Google Maps by Daniel Martyn. That plugin is no longer in the […]

24 Oct

A Good Example of Why WordPress Keeping Quiet About Unfixed Plugin Vulnerabilities Doesn’t Make Sense

We think that WordPress does a pretty good job when it comes to security, but there is a glaring problem we have run across, the handling of unfixed vulnerabilities in WordPress plugins. When a vulnerability in a plugin is reported to the Plugin Directory, unless it is very minor, the plugin is pulled pending a […]

12 Jul

Remote Code Execution (RCE) Vulnerability in wSecure Lite

We recently disclosed a minor, but very obvious, vulnerability in a WordPress plugin for logging user activity. What we found kind of stunning about this was that the developer of the plugin was a WordPress security company that claimed to “specialize” in doing security reviews of plugins. We later got an email from someone at the […]