Login

Tag Archives: Shortcode Execution

9 Jun 2023

Our Proactive Monitoring Caught a Shortcode Execution Vulnerability in a Brand New WordPress ChatGPT Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a type of vulnerability that has in the past been combined with a more serious vulnerability and then exploited. That being a shortcode execution vulnerability, which we found in a brand new WordPress plugin. That plugin, ShortcodeGPT, being yet another ChatGPT related plugin that hasn’t been properly secured.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

7 Apr 2023

Shortcode Execution Vulnerability in MapSVG

Over at our main business, we were recently cleaning up a hacked WordPress website. As part of that service, we run the plugins being used on the website through the same software we use to do proactive monitoring to catch serious vulnerabilities being introduced in to WordPress plugins. Through that we caught a couple of less serious vulnerabilities in the commercial plugin MapSVG. In line with our reasonable disclosure policy, we are disclosing the vulnerabilities as the developer hasn’t gotten back to us in a week since we notified them of the vulnerabilities (the developer never fixed a vulnerability we discovered in their free MapSVG Lite in 2019).

One of the vulnerabilities allows those not logged in to WordPress to execute WordPress shortcodes (those logged in are allowed to do that by WordPress). [Read more]

29 Sep 2021

Our Proactive Monitoring Caught a Shortcode Execution Vulnerability in Two WordPress Plugins

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a type of vulnerability that has in the past been combined with a more serious vulnerability and then exploited. That being a shortcode execution vulnerability, which we found in two plugins, Active Products Tables for WooCommerce and TableOn, that look like they might be have been closed on the Plugin Directory for a different security issue. The vulnerability also permits reflected cross-site scripting (XSS) to occur.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

9 Nov 2017

Vulnerability Details: Shortcode Execution Vulnerability in Formidable Forms

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

When Robert Mathews disclosed that an authenticated remote code execution (RCE) vulnerability that had been in the plugin Shortcodes Ultimate was being exploited his description of the issue also indicated that there has been a vulnerability in the plugin Formidable Forms: [Read more]