12 Dec

Our Proactive Monitor Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin That Could Disable Websites

On Monday while disclosing another option update vulnerability we noted that in the wake of one of those being widely exploited recently we had focused on finding more of those vulnerabilities, while it appears no one else in the WordPress security has done that (maybe because they can get away with lying about failing to protect [Read more]

11 Dec

A New Addition to Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability in a WordPress Plugin in Less Than a Day

Earlier today we noted in detailing an arbitrary file viewing vulnerability that had been fixed in a WordPress plugin that in looking at the code from that we made an improvement to our detection of that type of vulnerability in our proactive monitoring of changes being made to plugins to try to catch serious vulnerabilities when they [Read more]

10 Dec

Our Improved Proactive Monitoring Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin

Our Vulnerability Details posts provide the details of a vulnerability we didn’t discover and access to them is limited to customers of our service, unlike the posts on vulnerabilities we have discovered, which are freely available. For existing customers, please log in to your account to view the rest of the post. If you are not currently [Read more]

06 Dec

Closure of Modula Image Gallery Leads to Disclosure of Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in It

Last week we started monitoring for closures of the 1,000 most popular WordPress plugins and that alerted us to the plugin Modula Image Gallery, which has 40,000+ active installations and was closed yesterday. There have been two new versions released since it was closed. The first, 1.3.4, has a changelog entry of “wp.org review” and [Read more]

06 Dec

Here Is Yet Another Vulnerability Spotted by Our Plugin Security Checker in the WordPress Plugin Ultimate Member

The WordPress plugin Ultimate Member was the cause of too many websites being hacked back in August, we say too many because the developer didn’t promptly fix a vulnerability that was being exploited for some inexplicable reason. It probably then isn’t surprising that as we improve our Plugin Security Checker, an automated tool that you [Read more]

06 Dec

Our Improved Proactive Monitoring Has Now Caught a Local File Inclusion (LFI) Vulnerability As Well

As we have noted already this week, we have just made a major improvement to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins, which built on code we had developed for our Plugin Security Checker, an automated tool you can use to check [Read more]

05 Dec

Our Improved Proactive Monitoring Already Caught Another Option Update Related Vulnerability in a WordPress Plugin

Yesterday we noted that our newly improved proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins, which built on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible [Read more]

04 Dec

Our Proactive Monitoring Caught a WordPress Plugin Vulnerability That Could Cause a Website to be Fully Disabled

Back in June of last year we started doing proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins. Elements of that then became part of the basis of our Plugin Security Checker, an automated tool anyone can use to check for [Read more]

03 Dec

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in Security Related WordPress Plugin

A few weeks ago we fully disclosed a fairly serious vulnerability in a security plugin with 70,000+ installs designed to log WordPress user activity (probably in large part due to the people on the WordPress side of things, that vulnerability hasn’t been fixed so far), through our proactive monitoring of changes made to plugins in [Read more]

30 Nov

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in the WordPress Plugin PropertyHive

With the recently widely exploited WordPress plugin WP GDPR Compliance there were two serious vulnerabilities that were fixed before one of them was widely exploited; there was also another issue that was fixed and brought up in passing at the time, but we were left unclear as to the seriousness of, that being the ability to pass [Read more]