16 Oct

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in WooCommerce Order Export and More

The other day while looking for information on a vulnerability possibly related to a plugin that exports order information from WooCommerce we ran across a report of an unrelated possible vulnerability in the plugin WooCommerce Order Export and More from php-grindr. That report pointed to the value of the GET or POST input “tab” being set to [Read more]

15 Oct

Full Disclosure of Cross-Site Request Forgery (CSRF)/User Import Vulnerability in RSVPMaker for Toastmasters

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used [Read more]

10 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Testimonial Slider

In a post earlier today we mentioned running across mention of the plugin Testimonial Slider being removed from the Plugin Directory and the cause of that. While doing a bit of checking over the plugin we found another minor vulnerability (and there certainly could be more as the code we looked at isn’t securely written), [Read more]

09 Oct

The WordPress Plugin Directory Team Should Spend Their Time Avoiding Issues Like This Instead of Acting Inappropriately as Forum Moderators

On day two of our doing  full disclosures of WordPress plugin vulnerabilities until the  inappropriate handling of the moderation of the WordPress Support Forum is cleaned up we disclosed a couple of easily spot table exploitable vulnerabilities that were in brand new plugins. As we noted then that shouldn’t be happening since there is supposed to [Read more]

04 Oct

Our Proactive Monitoring Caught a Restricted File Upload Vulnerability in VendorFuel

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities before they are exploited. While we have a number of automated checks that are used [Read more]

02 Oct

Reflected Cross-Site Scripting (XSS) Vulnerability in Bitcoin Faucet

Recently we ran the plugin Bitcoin Faucet through our automated tool for checking over the security of WordPress plugins and it identified a possible reflected cross-site scripting vulnerability (XSS) in the plugin: Unless the user input was sanitized or validated those should lead to vulnerabilities, since malicious JavaScript could output through that code. The contents of [Read more]

01 Oct

Full Disclosure of CSRF/LFI Vulnerability In Plugin With 30,000+ Active Installs

The description of the plugin Companion Auto Update, which has 30,000+ active installations according to wordpress.org, starts with the message: KEEP YOUR WEBSITE SAFE! But the plugin itself introduces a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability, as we found while doing some checking of the 1,000 most popular plugins in the Plugin Directory against [Read more]

28 Sep

Full Disclosure of Reflected Cross-Site Scripting (XSS) Vulnerability in Plugin with 30,000+ Active Installs

To close out our first week of full disclosing vulnerabilities in WordPress plugins until the people on the WordPress side of things finally clean up the moderation of their Support Forum, we return back to something from the first day and a reminder of an example of why the Support Forum moderators behavior is harmful to [Read more]

26 Sep

WordPress Lets Two More Plugins With Easy to Spot Exploitable Vulnerability in to the Plugin Directory

For the second day of our full disclosures of WordPress plugin vulnerabilities due to the continuing inappropriate handling of the moderation of the WordPress Support Forum we are focusing on something that relates to the larger problem when it comes to handling security by the WordPress team. Part of what makes the inappropriate moderation of [Read more]