14 Oct

WordPress Plugin Copies Security Vulnerabilities From Another Plugin

When it comes to insecure code in WordPress plugins, beyond insecure code written by the developers, we often find that the developers have included code created by others without reviewing its security first (that has even been the case with popular security plugins). Recently multiple security issues were fixed in the plugin Sliced Invoices. While looking into that, we found that the plugin Tradies has copied a significant amount of code from that plugin and still contains those vulnerabilities. The amount copied is so significant that if you try to activate Tradies with Sliced Invoices already activated (or vice versa) it won’t work, because a class name is reused. While that is permitted by the GPL, there isn’t a copyright statement indicating the source of the code (which isn’t the first time we have seen that done with copied code).

As an example of the insecure code copied, let’s take a look at the code to handle exporting the plugin’s quotes and invoices. [Read more]

07 Oct

What Security Review? Brand New WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the brand new plugin Word Of The Day, which we came across due to our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, which flagged that it possibly contained an arbitrary file upload vulnerability, a type of vulnerability likely to be exploited. In reviewing this we found that it does contain an authenticated variant of that, which can also be exploited through cross-site request forgery (CSRF).

We have long offered to provide the team running the Plugin Directory help to have a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. [Read more]

27 Sep

Our Proactive Monitoring Caught an Authenticated Persistent XSS Vulnerability in Request a Quote

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Request a Quote. That type of vulnerability appears to be one that hackers have recently been looking for undisclosed instances of to exploit, so finding it before them is a very good thing. The vulnerability is identical to the vulnerability we found in another plugin by the same developer through this same monitoring last week.

The vulnerability is due to multiple security failures, as is often the case. The plugin registers the function emd_insert_new_shc() to be accessible by those logged in to WordPress: [Read more]

21 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in WPeMatico RSS Feed Fetcher

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There seems to be an ongoing hacker campaign exploiting previously undisclosed vulnerabilities, as in the past couple of weeks there have been eight plugins that we have seen hackers newly probing for, and number nine is WPeMatico RSS Feed Fetcher (WPeMatico), for which there was probing on our website today by requesting these files:

  • /wp-content/plugins/wpematico/readme.md
  • /wp-content/plugins/wpematico/readme.txt
  • /wp-content/plugins/wpematico/app/js/campaign_wizard.js

In looking at the plugin we found that, like a number of the other plugins, it contains a persistent cross-site scripting (XSS) vulnerability. [Read more]

21 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in DELUCKS SEO

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There seems to be an ongoing hacker campaign exploiting previously undisclosed vulnerabilities, as in the past couple of weeks there have been seven plugins that we have seen hackers newly probing for, and today we saw number eight, DELUCKS SEO, for which there was probing on our website today by requesting these files:

  • /wp-content/plugins/delucks-seo/readme.txt
  • /wp-content/plugins/delucks-seo/assets/tagEditor/readme.md

In looking at the plugin we found that, like a number of the other plugins, it contains a persistent cross-site scripting (XSS) vulnerability. There appear to be other related security issues as well. [Read more]

19 Sep

Would This Settings Change Vulnerability in NBDesigner Be What Hackers Are Interested In?

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we found that yesterday a hacker looked to be probing for usage of the plugin NBDesigner, which has 2,000+ installs, by requesting the following files:

  • /wp-content/plugins/web-to-print-online-designer/assets/js/dokan.js
  • /wp-content/plugins/web-to-print-online-designer/changelog.txt

That plugin was closed on the Plugin Directory on September 8 for an unspecified reason. [Read more]

19 Sep

Recently Closed WordPress Plugin with 100,000+ Installs Contains Reflected XSS Vulnerability

The plugin Click to Chat was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 100,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a reflected cross-site scripting (XSS) vulnerability.

In a reminder of the general insecurity of WordPress plugins, that vulnerability appears unrelated to the cause of the closure, as there was a change made to the plugin since its closure which involved renaming the plugin from Click to Chat for WhatsApp. [Read more]

19 Sep

Recently Closed WordPress Plugin with 100,000+ Installs Contains Vulnerability Hackers Would be Interested In

The plugin Easy Social Feed was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins with 100,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains a type of vulnerability that hackers would likely be interested in exploiting, an authenticated persistent cross-site scripting (XSS) vulnerability. We found that immediately when we started looking into the plugin, so there may be more issues. Considering how insecure the code leading to this is, we would recommend only using this plugin if it has gone through a thorough security review.

In a reminder of the general insecurity of WordPress plugins, that vulnerability appears unrelated to the cause of the closure, as there was a change made to the plugin since its closure which involved renaming the plugin from Easy Facebook Likebox, and the Subversion message when doing that was “Facebook name changed because of compliance”. [Read more]

19 Sep

Our Proactive Monitoring Caught an Authenticated Persistent XSS Vulnerability in a WordPress Plugin with 6,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Youtube Showcase (YouTube Gallery). That type of vulnerability appears to be one that hackers have recently been looking for undisclosed instances of to exploit, so finding it before them is a very good thing.

The vulnerability is due to multiple security failures, as is often the case. The plugin registers the function emd_insert_new_shc() to be accessible by those logged in to WordPress: [Read more]

18 Sep

Hackers May Already be Targeting this Persistent XSS Vulnerability in Social Metrics Tracker

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins. Last week through that we found two plugins with unfixed vulnerabilities that hackers would likely target. With a third plugin someone else had figured out what hackers would likely target before us (we are making changes to our process to improve our ability to quickly spot issues like that one). On Monday we disclosed a couple more unfixed vulnerabilities based on plugins we saw probed earlier this week. And we are having to do that again, as today we saw an apparent hacker probing for usage of the plugin Social Metrics Tracker by requesting these files:

  • /wp-content/plugins/social-metrics-tracker/readme.txt
  • /wp-content/plugins/social-metrics-tracker/js/social-metrics-tracker.js

Like a number of the previous plugins, this one has a number of apparent security issues. With this one there is the possibility of a reflected cross-site scripting (XSS) vulnerability flagged by our Plugin Security Checker, but the most serious obvious vulnerability we found was a persistent cross-site scripting (XSS) vulnerability. That was an issue with some of the previous plugins, and some others had an authenticated variant of that, so that might be what hackers are looking to exploit here. [Read more]