02 Jan

What Happened With WordPress Plugin Vulnerabilities in December 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet): [Read more]

20 Dec

Vulnerability Details: Arbitrary Email Sending Vulnerability in Sharexy

This post provides the details of a vulnerability in the WordPress plugin Sharexy not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service.

If you were using our service you would have already been warned about this vulnerability if your website is vulnerable due to it. [Read more]

20 Dec

Is a Hacker Targeting This Plugin Thinking It Has Vulnerability It Doesn’t?

One of the problems we sometimes run into checking over plugins that hackers look to be targeting is that hackers don’t always have a good understanding of what they are doing. We have seen in them trying to exploit vulnerabilities that don’t exist and trying to exploit vulnerabilities in a way that won’t ever succeed. The former issue can be caused by false or inaccurate reports of vulnerabilities released by others and the latter due to a lack of testing before trying to exploit them on other people’s websites.

Recently we had a request on this website for a file that would be located at  /wp-content/plugins/gallery-plugin/upload/php.php. That is a file that existed in older versions of the plugin Gallery by BestWebSoft. That would seem to be an attempt to exploit a claimed arbitrary file upload vulnerability in older versions of the plugin. Depending on how you define things, though, that wasn’t an arbitrary file upload vulnerability, as the extension type of the files that can be uploaded is limited to “jpeg”, “jpg”, “gif”, and “png”. In the proof of concept it shows uploading a file named “lo.php.gif”. Normally web browsers only pay attention to a file’s final extension, so even if you were to upload a file with PHP code and that file name, it wouldn’t run. [Read more]