13 Nov

Full Disclosure of Authenticated PHP Object Injection Vulnerability in WordPress Security Plugin with 70,000+ Installs

Last week, after running across a couple of PHP object injection vulnerabilities in the plugin WP GDPR Compliance we started looking into making an improvement of detection of that type of issue in our automated tool for detecting possible security issues in WordPress plugins, the Plugin Security Checker. As part of doing that we did [Read more]

25 Oct

Vulnerability Details: Persistent Cross-Site Scripting (XSS) Vulnerability in QueryWall: Plug’n Play Firewall

This Vulnerability Details post about a vulnerability in the plugin QueryWall: Plug’n Play Firewall provides the details of a vulnerability we didn’t discover and access to it is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available. For existing customers, please log in to your account to [Read more]

02 Jul

When A Security Vulnerability Is Only One of the Issues With a WordPress Security Plugin

We don’t think too highly of the security industry and we are often reminded of why that is, as was the case when we did a quick check of the plugin Sitesassure WP Malware Scanner. We had run across the plugin on the website of a company, 911websiterepair.com, which offers to clean up hacked websites, where [Read more]

12 Jun

Privilege Escalation Vulnerability in Quttera Web Malware Scanner

One of the big problems we see in trying to improve security is that so often security companies are promoting products and services that they claim will protect websites, but which really only try to deal with the aftereffects of them being hacked. What could explain a lot of that is that most [Read more]

31 Oct

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Anti-Malware Security and Brute-Force Firewall

Our Vulnerability Details posts provide the details of vulnerabilities we didn’t discover and access to them is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available. For existing customers, please log in to your account to view the rest of the post. If you are not currently [Read more]

29 Aug

PHP Object Injection Vulnerability in WP Smart Security

When it comes to advice on improving the security of a WordPress website, the recommendation is often to install some security plugin. We have yet to see this advice paired with evidence that the security plugin in question is effective at providing protection. In our testing of them to see if security plugins can protect [Read more]

19 Apr

Cross-Site Request Forgery (CSRF) Vulnerabilities in Triagis® Security Evaluation

Far too often it is found that security plugins for WordPress introduce security vulnerabilities of their own, which, if you know much about security, isn’t too surprising considering that so many security companies don’t seem to know or care much about security. We recently ran across the security plugin Triagis® Security Evaluation, which is [Read more]

27 Feb

Vulnerability Details: Arbitrary File Viewing Vulnerability in WP Hide & Security Enhancer

This Vulnerability Details post about a vulnerability in the plugin WP Hide & Security Enhancer provides the details of a vulnerability we didn’t discover and access to it is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available. For existing customers, please log in to your account [Read more]

07 Feb

Persistent Cross-Site Scripting (XSS) Vulnerability in XO Security

When it comes to trying to improve the security surrounding WordPress, one of the big impediments is the security industry. One of the things we see them doing is providing misleading and sometimes outright false information to the public about security. One outright falsehood that has been widely spread is that there are lots of brute [Read more]