07 Feb

Another One of the 1,000 Most Popular WordPress Plugins Contains a CSRF/XSS Vulnerability

Among the many things we do to provide our customers with the best data on vulnerabilities in any WordPress plugins they use is that we keep track of any of the 1,000 most popular plugins being closed on the WordPress Plugin Directory in case that might be due to a security vulnerability. Yesterday one of [Read more]

04 Feb

The WordPress REST API Opening Up New Front for Security Vulnerabilities in WordPress Plugins

When it comes to the causes of security vulnerabilities in WordPress plugins we haven’t seen something truly new for some time, so that makes something we recently started seeing a pickup of, notable. That being vulnerabilities that are exploitable through WordPress’ REST API. The vulnerabilities are not caused by the REST API, but increasing usage [Read more]

04 Feb

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in Accessibility Suite by Online ADA 

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a restricted file upload vulnerability in the plugin Accessibility Suite [Read more]

01 Feb

Full Disclosure of Authenticated Arbitrary File Deletion Vulnerability in WordPress Plugin with 300,000+ Installs

Yesterday we full disclosed an authenticated arbitrary file upload vulnerability in the WordPress plugin Meta Box, which has 300,000+, that we had spotted as it was introduced in to the plugin. Subsequent to that the plugin was closed on the Plugin Directory and that got flagged as part of our monitoring for the closure of [Read more]

31 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced in to a WordPress Plugin with 300,000+ Installs

With our proactive monitoring of changes made to WordPress plugins in the Plugin Directory to try to catch serious vulnerabilities we use software to flag potentially issues (you can check plugins in the same way using our Plugin Security Checker) and then we manually to check over the code. The second part of that can take a [Read more]

30 Jan

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Events Made Easy

Yesterday we disclosed an arbitrary file upload related vulnerability discovered through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities for which the underlying vulnerable code ran despite the user interface for it being disabled. That turns out to not be a one-off issue as our proactive monitoring [Read more]

29 Jan

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in a WordPress Plugin with 70,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a less serious variant of an arbitrary file upload vulnerability [Read more]

28 Jan

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WordPress Plugin with 100,000+ Installs

As part of our work to further improve our Plugin Security Checker, an automated tool anyone can use to check to see if a WordPress plugin possibly contains security issues, we log the results of check for plugins in the Plugin Directory and do spot checks of those. Through that we found that the plugin, Download Manager, [Read more]

28 Jan

Arbitrary File Deletion Vulnerability in Ad Manager by WD

When it comes to collecting data on WordPress plugin vulnerabilities one of the things that sets us apart is that we check over reports before adding them to our data set, doing that is valuable enough that the company behind the Wordfence Security plugin lies and claims the data they use has been “confirmed/validated” when [Read more]

25 Jan

Reflected Cross-Site Scripting (XSS) Vulnerability in Smart Forms

Earlier today we detailed a failed attempt to fix a reflected cross-site scripting (XSS) vulnerability in the latest version of Smart Forms. When putting together a post detailing a vulnerability discovered by others, we check to see if that vulnerability is something that would have been caught by our Plugin Security Checker, an automated tool anyone can [Read more]