08 Oct

Vulnerability Details: Open Redirect in All In One WP Security

This post provides the details of a vulnerability in the WordPress plugin All In One WP Security not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

21 Jun

Cross-Site Request Forgery (CSRF) Vulnerability in Deny All Firewall

It is a continuing bad sign for the overall security of WordPress plugins that so many security plugins have security vulnerabilities of their own. We ran across one such plugin, Deny All Firewall, due to our monitoring of changelog entries of plugins to keep customer of our service aware of vulnerabilities that were or are in the plugins they use. The plugin is described as:

This plugin examines your WordPress installation and allows you to inject rules into your .htaccess file which completely block access to everything except genuine site content. [Read more]

11 Jun

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in a WordPress Security Plugin

When it comes to WordPress security plugins, not only do they often not provide much, if any, security against threats that really impact a website, but they can actually introduce security vulnerabilities of their own. That is the case with the plugin LionScripts: IP Blocker Lite, which is described as:

LionScripts IP Blocker for WordPress allows you to block the malicious IP Addresses, Spammers and Hackers [Read more]

13 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Security Plugin with 70,000+ Installs

Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did some checks over the 1,000 most popular WordPress plugins to get a better idea of usage of code of similar code there might be out there. That led to us finding an authenticated PHP object injection vulnerability in the security plugin WP Security Audit Log, which has 70,000+ active installations according to wordpress.org.

That a security plugin can have a fairly serious vulnerability speaks to the one of the problems we see with the security industry’s ability to meet the needs of the public. On the one hand the average website, which shouldn’t need security products and services, are being sold ones that don’t work well at best. At the same time those websites that genuinely need advanced security tools are unable to get ones that work well and or they introduce security risks of their own. This plugin falls into the latter category both in that it is something that could be of useful for some websites, but also something that is introducing additional security risk. [Read more]

25 Oct

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in QueryWall: Plug’n Play Firewall

This post provides the details of a vulnerability in the WordPress plugin QueryWall: Plug’n Play Firewall not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

02 Jul

When A Security Vulnerability Is Only One of the Issues With a WordPress Security Plugin

We don’t think too highly of the security industry and we are often reminded of why that is, as was the case when we did a quick check of the plugin Sitesassure WP Malware Scanner. We had run across the plugin on the website of a company, 911websiterepair.com, which offers to clean up hacked websites, where it was listed as their plugin. The plugin didn’t mention anything about that website instead it was connected to another website and the look of that website didn’t exactly give us a good feeling about the potential quality of the plugin:

[Read more]

12 Jun

Privilege Escalation Vulnerability in Quttera Web Malware Scanner

One of the big problems we see in trying to improve security is that so often security companies are promoting product and services that they claim will protect websites, but really only try to deal with the after effects of them being hacked. What seems like could explain a lot of that is that most of those companies don’t know or care about security and they are just trying to make a buck with little to no concern whether they are providing anything of value in exchange for that money. One of the things that seems to back that up is how often security companies fail to handle basic security when it comes to their own websites and product/services.

The latest example of that was something we ran across while discussing an example of security companies’ frequent misleading to outright false claims made about their products and services. As discussed over at our main blog the makers of the plugin Quttera Web Malware Scanner had recently claimed that the plugin had over 400,000 installations despite it actually only having 10,000+ active install according to wordpress.org. After running across that we started to take a quick look at the plugin’s security and immediately found it was failing to take some basic security measures. [Read more]

31 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Anti-Malware Security and Brute-Force Firewall

This post provides the details of a vulnerability in the WordPress plugin not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]