21 Mar

Full Disclosure of Settings Change/Persistent Cross-Site Scripting (XSS) Vulnerability in Social Warfare

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities we review a lot of code that ends up not being vulnerable, so even if the flagged code looks rather concerning it doesn’t raise a lot of concern at first for us even, if like [Read more]

18 Mar

Vulnerability Details: Option Update Vulnerability in Easy WP SMTP

This Vulnerability Details post about a vulnerability in the plugin Easy WP SMTP provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a [Read more]

01 Nov

The Head of the Plugin Directory Mika Epstein Seems Like the One Acting Stupidly Here

When it comes to improving the security of WordPress plugins the two things that stand out that are of most need and have been for years, are warning people when they are using vulnerable plugins and for serious vulnerabilities, which are likely to be exploited, putting out fixes if the developer doesn’t. The reason that [Read more]

16 Aug

Settings Change Vulnerability in Asgaros Forum

One of the ways we make sure we have the best data on vulnerabilities in WordPress plugins is by monitoring the WordPress Support Forum for threads possibly related to those. Through that today we ran across a thread started earlier today that seemed to indicate malicious .php files were being uploaded through the Asgaros Forum plugin. Looking [Read more]

18 Jul

Settings Change Vulnerability in Total Security

We were recently doing some basic security checks over WordPress security plugins and identified a possible issue in the plugin Total Security. While the issue we first were looking into turned out to not be exploitable, we noticed a couple of other security vulnerabilities in the plugin. The first being a persistent cross-site scripting (XSS) vulnerability. The [Read more]