Login

Tag Archives: Tidio Chat

30 Sep 2022

Not Really a WordPress Plugin Vulnerability, Week of September 30

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Information Disclosure in Tidio Chat

The changelog for version 5.3.0 of Tidio Chat is: [Read more]

5 Nov 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF) in Tidio Chat

One of the changelog entries for the latest version of Tidio Chat is “Use nonce system”. That isn’t something you want to see in a changelog, since it would seem to indicate the plugin, which has 60,000+ installs, has been lacking protection against cross-site request forgery (CSRF). Looking at the changes made in that version that turned out to be the case with three AJAX accessible functions. What seems like it would be of most concern with that is that the plugin’s public and private keys could be changed through that.

[Read more]