28 Apr

Security Tip for Developers: Remove Testing Files from Third Party Libraries Included in Your Plugin

Every time you add additional code to a WordPress plugin (or any other software) you are adding more potentially insecure code. That includes third party libraries and other third party code. Earlier this week we looked at the details of a local file inclusion (LFI) vulnerability in the Booking Calendar plugin caused by its use of a file from [Read more]

25 Apr

Security Tip for Developers: Avoid Using esc_sql() When Trying to Prevent SQL Injection Vulnerabilities

Two weeks ago there was discussion on our post detailing a vulnerability in the plugin Gallery – Video Gallery over the escaping method being used to fix a SQL injection vulnerability in the plugin. While the changes made look to have fixed the issue, they were less than ideal. Part of the issue was that instead of [Read more]

24 Apr

Security Tip for Developers: .htaccess Based Protection Won’t Work on All WordPress Websites

One of the ways we see plugin developers try to stop improper access to files generated by their WordPress plugin is to restrict direct access to the files over the Internet through the use of access restrictions placed in a .htaccess file (as was the case with a vulnerability we disclosed last week). The problem with [Read more]

20 Apr

Security Tip for Developers: You Don’t Need to Restrict Direct Access to .php Files Twice

One of the items we check for during our security reviews of plugins selected by our customers is to see if the plugin’s .php files can be accessed directly when they are not intended to. While being able to access them directly when that isn’t necessary usually doesn’t have any security impact, it is easy to [Read more]

16 May

Security Tip for Developers: Make Sure To Check a User’s Capabilities When Processing an Admin AJAX Request

One common cause of security issues with WordPress plugins that we continue to see happening is a failure to properly check on whether a user should be able to use admin AJAX functions they are sending requests to. Since the wp_ajax_ hook makes the AJAX function accessible to any logged in user, without checking their capabilities even a Subscriber level [Read more]

13 May

Security Tip for Developers: The is_admin() Function Doesn’t Tell You If Someone is an Administrator

One recurring cause of security issues in WordPress plugins is the misuse of the function is_admin(). Based on its name you might reasonably assume that it checks if someone is an Administrator level user in WordPress, and that seems to have tripped up lots of plugin developers. In reality it just “checks if the Dashboard or the [Read more]