19 Sep

Would This Settings Change Vulnerability in NBDesigner Be What Hackers Are Interested In?

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we found that yesterday a hacker appeared to be probing for usage of the plugin NBDesigner, which has 2,000+ installs, by requesting the following files:

  • /wp-content/plugins/web-to-print-online-designer/assets/js/dokan.js
  • /wp-content/plugins/web-to-print-online-designer/changelog.txt

That plugin was closed on the Plugin Directory on September 8 for an unspecified reason. [Read more]

03 Sep

Settings Change Vulnerability in Search Exclude

The plugin Search Exclude was closed on the WordPress Plugin Directory on Friday. That is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a settings change vulnerability, a less serious vulnerability that is related to a more serious one.

The plugin registers the function saveOptions() to run during the admin_init action: [Read more]

12 Aug

Settings Change Vulnerability in Instagram Feed by 10Web (10Web Social Feed for Instagram)

The plugin Instagram Feed by 10Web (10Web Social Feed for Instagram) was closed on the WordPress Plugin Directory on Friday. That is one of the 1,000 most popular plugins, with 80,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a settings change vulnerability, a less serious vulnerability that is related to a more serious one. There also look to be other security issues, which isn’t surprising considering the developer of that plugin has a long history of not handling security properly.

In the plugin’s main file this code runs when the plugin is loaded: [Read more]

02 Aug

WordPress Plugin Directory Team Missed Settings Change Vulnerability in Maps Widget for Google Maps

Earlier this week one of the most popular WordPress plugins, Maps Widget for Google Maps, which has 100,000+ installs, was closed on the Plugin Directory and then reopened after its name was changed (it was previously Google Maps Widget) and security changes were made. One of the security changes doesn’t really make sense to us. In the file /gmw-tracking.php this line was changed:

if (isset($_GET['gmw_tracking']) && $_GET['gmw_tracking'] == 'opt_in') {

02 Aug

Plugin New to WordPress Plugin Directory with “400,000+ Installs” Is Lacking Basic Security

The plugin Essential Grid Portfolio – Photo Gallery was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 400,000+ installs, so we were alerted to its closure. When we started looking into the plugin to see if there were any vulnerabilities we should be warning users of the plugin that also use our service about, we found that the situation with the plugin seemed odd. The plugin has 400,000+ installs, but was only added to the Plugin Directory on July 22.

Looking into what might explain that discrepancy led us to some oddities. Here is the bio for the developer on their website, navyplugins.com: [Read more]

01 Aug

Settings Change to Persistent Cross-Site Scripting (XSS) Vulnerability in WP Shopify

Limiting information on vulnerabilities being fixed in WordPress plugins isn’t a great idea, as we were reminded this week when the discoverer of a vulnerability didn’t disclose it until after hackers had started more widely exploiting it, leaving most everyone else in the dark about what was going on (customers of our service were warned before the widespread hacking happened, because we do the work to keep ahead of things). Another reason for providing information in a timely manner is that often vulnerabilities haven’t been fully fixed, or there are related vulnerabilities that haven’t been fixed. That is the case with the plugin WP Shopify, where, when we went to look into the possibility that a vulnerability had been fixed, we spotted what turned out to be a related unfixed vulnerability before we even figured out what the fixed vulnerability was.

The additional vulnerability allows even those not logged in to WordPress to change the plugin’s settings and place malicious JavaScript code into the settings, which is referred to as persistent cross-site scripting (XSS). Like an increasing number of vulnerabilities, this one involves code that runs through the WordPress REST API, which means it is something that would have been caught if we had been hired to do a security review of the plugin. [Read more]

19 Jul

A Hacker Looks to be Probing for the WordPress Plugin Easy Property Listings, These Vulnerabilities Might Be Why

Yesterday we had what looks to be a hacker probing for usage of the plugin Easy Property Listings through requests for these two files:

  • /wp-content/plugins/easy-property-listings/license.txt

[Read more]

11 Jul

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Responsive Coming Soon

This post provides the details of a vulnerability in the WordPress plugin Responsive Coming Soon that was not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service, you would already have been warned about this vulnerability if your website is vulnerable because of it. [Read more]