18 Sep

Vulnerability Details: CSRF/XSS Vulnerability in File Manager (WP File Manager)

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. The changelog entry for version 3.1 of the plugin File […]

10 Sep

Vulnerability Details: Authenticated Arbitrary File Viewing Vulnerability in Contact Form 7

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. As we mentioned 11 months ago we receive quite a […]

06 Sep

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in Slider Hero

One of WordPress’ strengths is the number of plugins that are available, but that also leads to additional security issues since you have a lot or reinventing the wheel, where a new plugin is created that does something already done with existing plugins. What we have found is that can lead to security issues that […]

05 Sep

Hackers Will Try To Exploit Vulnerabilities in WordPress Plugins in Ways That Will Never Succeed

One the things we find rather telling about the security industry is that they seem to find various statistics valuable, but ones they seem to be totally uninterested in are any that would actually show that their products and services are actually effective at protecting websites (despite that seeming like it should be a prerequisite […]

08 Aug

Arbitrary File Upload Vulnerability Being Exploited in Current Version of Ultimate Member

The WordPress plugin Ultimate Member was recently brought on to our radar after it had been run through our Plugin Security CheckerĀ and that tool had identified a possible vulnerability in it. We happened to take a look into that as part of continued effort to improve the results coming from that tool. We confirmed that […]

04 Jun

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Form Maker

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. We often find that the various things that we do […]

21 May

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Ultimate Member

One of the things that we appear to uniquely do in compiling data on vulnerabilities in WordPress plugins is that is that we fully review and test out vulnerabilities when adding them to our data set. That means that unlike other sources we won’t falsely tell people that an unfixed vulnerability has been fixed. It […]

21 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Open Graph for Facebook, Google+ and Twitter Card Tags

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. The changelog entry for version 2.2.41 of the plugin Open […]

21 May

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Custom css-js-php

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. A week and a half ago we detailed a reflected […]

17 May

Vulnerability Details: CSV Injection Vulnerability in WordPress Comments Import & Export

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. Changelog entries are not always a great place for […]