Login

Tag Archives: Ultimate FAQ

5 Aug 2019

Vulnerability Details: Privilege Escalation in Ultimate FAQ

With our full disclosures of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum Moderators, one of the criticisms we have gotten is that we are notify our customers before disclosing the vulnerabilities, despite that not being the case. We have always publicly disclosed vulnerabilities at the same time we start warning our customers of them, doing otherwise would raise some serious ethical issues. Other security providers don’t follow that type of practice, one of them being the makers of the NinjaFirewall plugin. One of the vulnerabilities they are attempting to protect their customers from (though probably only doing so partially) that they haven’t publicly disclosed is a privilege vulnerability in the plugin Ultimate FAQ.

[Read more]

20 May 2019

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Ultimate FAQ

Recently we had a fair amount of traffic coming to our post detailing a reflected cross-site scripting (XSS) vulnerability in the plugin Ultimate FAQ, which seemed odd since that was a minor vulnerability unlikely to be exploited. It looks like the explanation for that is that hackers are actively exploiting a persistent cross-site scripting (XSS) vulnerability in the plugin that was fixed 20 months ago. While reviewing the log files of hacked WordPress website we were cleaning over at our main business we saw repeated requests for the following URL:

[Read more]

7 May 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Ultimate FAQ

In a previous post today we mentioned a recent example of the moderators of WordPress Support Forum not understanding what the disclosure of a vulnerability is, but even when they correctly identify that they don’t seem to ever understand that continually deleting these disclosures instead of providing a better mechanism for reporting vulnerabilities isn’t working. That occurred just today with a reflected cross-site scripting (XSS) vulnerability in Ultimate FAQ. One of the moderators left this message for someone disclosing that:

[Read more]