1 Aug 2019

WordPress Plugin Directory Team Missed Possible Settings Change Vulnerability in Simple Membership

The plugin Simple Membership was closed on the WordPress Plugin Directory Monday of last week. That appears to have been due to a relatively minor vulnerability. It also appears that the team running the Plugin Directory required additional security improvements, based on the changes made after that was fixed. What they missed was, to us, an obvious issue; it was so obvious that we had noticed it almost immediately, and only noticed the issue that looks to have led to the closure after more checking. Since it isn’t a vulnerability on its own, we waited a bit to see if anyone else noticed, but it would seem not, since it is still in the plugin more than a week after the plugin was reopened.

The plugin registers the function admin_init_hook() to run during “admin_init”:

23 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Simple WordPress Membership (Simple Membership)

The plugin Simple WordPress Membership (Simple Membership) was closed on the Plugin Directory yesterday. That is one of the 1,000 most popular plugins, so we were alerted to its closure. While we were looking into the plugin to see if there were any vulnerabilities, one issue we had already noticed was fixed with a new version. That was a cross-site request forgery (CSRF) vulnerability with the actions normally taken from the Bulk Operations tab of the plugin’s main admin page, which would allow an attacker to cause someone who is allowed to take those actions to take them without intending to.


13 Oct 2017

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Simple Membership

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it, and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information.
