12 Nov 2018

Vulnerability Details: Authenticated PHP Object Injection Vulnerability in Slider Hero

Last week we fully disclosed an authenticated PHP object injection vulnerability in the plugin OptionTree, and then the same vulnerability in two plugins released by a single developer that bundled the OptionTree plugin, which we had noticed because the changelog for OptionTree showed up in our monitoring of changelog changes. That happened again with another plugin by the same developer, Slider Hero, though this time the OptionTree plugin was being removed from the plugin, which fixes the vulnerability.


6 Sep 2018

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in Slider Hero

One of WordPress’ strengths is the number of plugins that are available, but that also leads to additional security issues, since there is a lot of reinventing the wheel, where a new plugin is created that does something already done by existing plugins. What we have found is that this can lead to security issues that were already fixed in older plugins coming back again in new plugins. In our monitoring of changes being made to plugins, which we do to provide fuller information on vulnerabilities than we could by only including data on vulnerabilities where the discoverer has put out a report, we ran across a similar but more problematic situation, where a developer actually removed security code from their own plugin.
