11 Nov 2021

CSRF/Settings Change Vulnerability in Visitor Traffic Real Time Statistics

A recent thread on the WordPress Support Forum claims the WordPress plugin Visitor Traffic Real Time Statistics led to a website being hacked. The claim isn't backed up with any evidence, and claims like that are often incorrect, but we wanted to quickly check over the plugin to make sure there isn't an obvious issue currently in it that could cause that. What we immediately found was that the plugin isn't properly secured, and it contains a minor vulnerability. Making the insecurity stand out more is that at the end of September, the developer claimed to have addressed the type of vulnerability we found, but hadn't even made the changes that would be needed to address it.

There appear to be other security issues in the plugin as well, so we would recommend not using the plugin unless the developer can show that they are able to properly secure the plugin. [Read more]
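The settings-change CSRF described above comes down to one missing check: the handler accepts any POST that reaches it, with nothing proving the request came from the plugin's own form. The following is an added example written for this page, not the plugin's code: a settings handler in its vulnerable and fixed forms, with a plain-PHP HMAC nonce standing in for WordPress's wp_nonce_field()/check_admin_referer(). The secret, action name, option name and session identifier are assumptions for the example.

```php
<?php
// Added example (not the plugin's code): a settings-change handler with and
// without a CSRF check. The nonce is a stand-in for WordPress's
// wp_nonce_field()/check_admin_referer(); the HMAC secret and action name are
// assumptions for this example.

declare(strict_types=1);

const NONCE_SECRET = 'replace-with-a-per-site-secret'; // assumption: WP derives its nonces from the site salts
const NONCE_ACTION = 'example_plugin_save_settings';   // assumption: one action string per form

// Produce the token embedded in the settings form (the wp_nonce_field() role).
function make_nonce(string $action, string $sessionId): string {
    return hash_hmac('sha256', $action . '|' . $sessionId, NONCE_SECRET);
}

// Vulnerable: any POST that reaches this handler updates the setting, so a
// logged-in admin who visits an attacker page with an auto-submitting form
// changes the option without intending to.
function save_settings_vulnerable(array $post, array &$options): bool {
    $options['tracking_enabled'] = isset($post['tracking_enabled']) ? '1' : '0';
    return true;
}

// Fixed: require the nonce tied to this user's session and this action, and
// compare it in constant time. The equivalent in a real plugin is
// check_admin_referer(NONCE_ACTION) plus a current_user_can() capability check.
function save_settings_fixed(array $post, array &$options, string $sessionId): bool {
    $expected = make_nonce(NONCE_ACTION, $sessionId);
    if (!isset($post['_wpnonce']) || !hash_equals($expected, (string) $post['_wpnonce'])) {
        return false; // reject: no proof the request came from our own form
    }
    $options['tracking_enabled'] = isset($post['tracking_enabled']) ? '1' : '0';
    return true;
}

// Constructed demo: a forged cross-site request carries no nonce field.
$options = ['tracking_enabled' => '1'];
$forged  = ['tracking_enabled' => '0'];
save_settings_vulnerable($forged, $options);
echo 'vulnerable handler, setting after forged request: ' . $options['tracking_enabled'] . PHP_EOL;

$options  = ['tracking_enabled' => '1'];
$accepted = save_settings_fixed($forged, $options, 'session-abc');
echo 'fixed handler accepted forged request: ' . var_export($accepted, true)
   . ', setting still: ' . $options['tracking_enabled'] . PHP_EOL;

// The plugin's own form carries the nonce for the same session, so it passes.
$legit    = $forged + ['_wpnonce' => make_nonce(NONCE_ACTION, 'session-abc')];
$accepted = save_settings_fixed($legit, $options, 'session-abc');
echo 'fixed handler accepted own form: ' . var_export($accepted, true) . PHP_EOL;
```

Run it with the PHP CLI. The point of the check is that a nonce alone is not a capability check: a real handler needs both the referer/nonce verification and a current_user_can() test, since a nonce only shows the request originated from a page the user loaded, not that the user may change the setting.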

2 Nov 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Ivory Search

Yesterday, the WordPress plugin Ivory Search was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 70,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin contains code that doesn't look to be properly secured and confirmed that it contains at least a minor vulnerability. We would recommend not using the plugin unless it has received a thorough security review and all the issues are addressed.

We tested and confirmed that our new firewall plugin for WordPress protected against the proof of concept below, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. [Read more]

29 Oct 2021

WordPress Security Plugin’s Lack of Security Allows For Easy Disabling of Its Functionality

What probably goes a long way towards explaining why WordPress security plugins provide so little protection against the exploitation of vulnerabilities in other plugins is that the developers of those plugins don't have a great understanding of security. That is partially backed up by how often security vulnerabilities are found in security plugins. The latest example of a security plugin we have found to contain a vulnerability involves a newer plugin, Headers Security Advanced & HSTS WP, which has this text in the first paragraph of its description in the WordPress Plugin Directory:

it allows you to securely and quickly customize your login page URL. It does not rename or replace files, add rewrite or read rules. The wp-admin directory and the wp-login.php page will no longer go, remember to bookmark the URL or wherever you prefer so you can remember the login url. Deactivating this plugin will return your site configuration exactly to the state it was in before. [Read more]

28 Oct 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WC Designer

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin WC Designer.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

27 Oct 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Closed WordPress Plugin Responsive Menu

On Monday, the WordPress plugin Responsive Menu was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 100,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin contains a fairly serious security vulnerability, an authenticated persistent cross-site scripting (XSS) vulnerability, as well as other vulnerabilities because of the poor security of the code.

We tested and confirmed that two of the existing protections in our new firewall plugin for WordPress would individually stop exploitation of the authenticated persistent XSS vulnerability, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. An additional protection being added to the plugin in the next release, based on a vulnerability fixed and exploited in another plugin last week, also would provide protection against this. [Read more]

26 Oct 2021

Reflected Cross-Site Scripting (XSS) Vulnerability in Quiz And Survey Master

Yesterday, the WordPress plugin Quiz And Survey Master was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin.

In June, while looking into the possibility that a vulnerability had been fixed in the plugin, we found a fairly serious vulnerability in it, so the poor quality of the security we found this time wasn't surprising. While we didn't quickly find a serious vulnerability, we did easily confirm that there is a reflected cross-site scripting (XSS) vulnerability that currently exists in the plugin. [Read more]
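The persistent XSS in Responsive Menu and Ivory Search and the reflected XSS here share one root cause: a value reaches an HTML output sink without context-appropriate escaping. The following is an added example written for this page, not code from any of these plugins: the same two sinks (a reflected request parameter in text context, a stored setting in an attribute context) in vulnerable and escaped form. htmlspecialchars() stands in for WordPress's esc_html()/esc_attr(); the markup and parameter names are assumptions for the example.

```php
<?php
// Added example (not code from any of the plugins discussed): the same output
// sinks written the vulnerable way and the escaped way. htmlspecialchars()
// stands in for WordPress's esc_html()/esc_attr(); the markup, parameter and
// option names are assumptions for this example.

declare(strict_types=1);

// Reflected XSS: a request parameter is echoed straight back into the page, so
// the payload only has to be in the URL a victim is lured into opening.
function render_search_vulnerable(string $term): string {
    return '<p>Results for: ' . $term . '</p>';
}

// Persistent XSS: a value an authenticated user saved earlier is printed into
// an attribute without escaping, so it runs for every later visitor.
function render_menu_label_vulnerable(string $storedLabel): string {
    return '<a class="menu" title="' . $storedLabel . '">Menu</a>';
}

// Escape at output, with ENT_QUOTES so the result is safe in both text and
// double-quoted attribute contexts (the esc_html()/esc_attr() role).
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_fixed(string $term): string {
    return '<p>Results for: ' . esc($term) . '</p>';
}

function render_menu_label_fixed(string $storedLabel): string {
    return '<a class="menu" title="' . esc($storedLabel) . '">Menu</a>';
}

// Constructed payloads: a script tag for the text context and an attribute
// breakout for the title attribute. Neither needs a "<" once inside an
// attribute, which is why input filtering for tags alone is not enough.
$reflected = '<script>alert(1)</script>';
$stored    = '" onmouseover="alert(1)';

echo 'reflected, vulnerable: ', render_search_vulnerable($reflected), PHP_EOL;
echo 'reflected, fixed:      ', render_search_fixed($reflected), PHP_EOL;
echo 'stored, vulnerable:    ', render_menu_label_vulnerable($stored), PHP_EOL;
echo 'stored, fixed:         ', render_menu_label_fixed($stored), PHP_EOL;
```

Sanitizing on save (sanitize_text_field() in WordPress) reduces what gets stored but does not replace escaping on output: the attribute-breakout payload above contains no tag and passes a tag filter, and values that were stored before a fix was applied are still in the database.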

25 Oct 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Event Calendar

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin Event Calendar.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]
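What the Plugin Security Checker flags for both the WC Designer and Event Calendar entries is the pattern behind PHP object injection: user-controlled bytes passed to unserialize(). The following is an added example written for this page, not code from either plugin: a minimal gadget class, the vulnerable call, and the two standard ways to close it. The cookie format, class and property names are assumptions for the example.

```php
<?php
// Added example (not code from either plugin): the PHP object injection pattern
// and two ways to close it. The cookie encoding, class name and property are
// assumptions for this example.

declare(strict_types=1);

// Any loaded class with a magic method that does work becomes a gadget once an
// attacker controls the serialized bytes. This one is constructed for the demo.
class CacheFlush {
    public string $path = '';
    public function __destruct() {
        // A real gadget would unlink($this->path), write a file, or include one.
        echo "[gadget] __destruct would act on: {$this->path}\n";
    }
}

// Vulnerable: the attacker picks which class is instantiated and what its
// properties hold, so any gadget in the plugin or WordPress core is reachable.
function load_prefs_vulnerable(string $cookieValue): mixed {
    return unserialize(base64_decode($cookieValue));
}

// Fix 1: keep the serialized format but forbid object instantiation; injected
// objects come back as __PHP_Incomplete_Class and no magic method ever runs.
function load_prefs_no_objects(string $cookieValue): mixed {
    return unserialize(base64_decode($cookieValue), ['allowed_classes' => false]);
}

// Fix 2 (preferred): switch to JSON, which has no object semantics at all.
function load_prefs_json(string $cookieValue): ?array {
    $decoded = json_decode(base64_decode($cookieValue), true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed attacker cookie: a serialized CacheFlush with a chosen path.
$payload = base64_encode('O:10:"CacheFlush":1:{s:4:"path";s:11:"/etc/passwd";}');

$v = load_prefs_vulnerable($payload);
echo 'vulnerable: instantiated ' . get_class($v) . PHP_EOL;
unset($v); // dropping the last reference fires the gadget's __destruct

$n = load_prefs_no_objects($payload);
echo 'allowed_classes=false: instantiated ' . get_class($n) . PHP_EOL;
unset($n); // __PHP_Incomplete_Class has no destructor, nothing happens

echo 'json_decode: ' . var_export(load_prefs_json($payload), true) . PHP_EOL;
```

The allowed_classes option needs PHP 7.0 or later; json_decode() is the better migration where the stored data is plain arrays and scalars, because it removes the whole class of problem rather than a single entry point, and it does not depend on remembering the option at every call site.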

20 Oct 2021

Authenticated Arbitrary File Deletion Vulnerability in Smart Grid-Layout Design for Contact Form 7

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file deletion vulnerability, in the plugin Smart Grid-Layout Design for Contact Form 7 (CF7 Smart Grid Design Extension).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]
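An arbitrary file deletion of the kind caught in Smart Grid-Layout Design for Contact Form 7 typically comes from joining a user-supplied name onto a directory path and passing the result to unlink(). The following is an added example written for this page, not the plugin's code: the vulnerable join beside a containment check built on realpath(). The directory layout and file names are constructed for the example, and a real handler would also verify a nonce and a capability before reaching this code.

```php
<?php
// Added example (not the plugin's code): a delete handler that trusts a
// user-supplied file name, and the containment check that confines it to the
// intended directory. The temp-directory layout and file names are constructed
// for this example.

declare(strict_types=1);

// Vulnerable: "../" in the name walks out of the upload directory, so an
// authenticated user can delete wp-config.php or any file the web server owns.
function delete_upload_vulnerable(string $uploadDir, string $name): bool {
    $target = $uploadDir . '/' . $name;
    return is_file($target) && unlink($target);
}

// Fixed: resolve both paths and require the target to sit inside the directory.
// realpath() collapses "..", "." and symlinks before the prefix comparison, so
// the check operates on the path the filesystem will actually use.
function delete_upload_fixed(string $uploadDir, string $name): bool {
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $name);
    if ($base === false || $target === false) {
        return false; // directory or file does not exist
    }
    if (strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // resolved outside the allowed directory
    }
    return is_file($target) && unlink($target);
}

// Constructed layout in a temp dir: uploads/ok.txt plus a sibling file one
// level up standing in for wp-config.php.
$root = sys_get_temp_dir() . '/afd_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/ok.txt", 'upload');
file_put_contents("$root/wp-config.php", 'secret');

$traversal = '../wp-config.php';
echo 'fixed, traversal rejected: '
   . var_export(!delete_upload_fixed("$root/uploads", $traversal), true) . PHP_EOL;
echo 'fixed, in-scope file deleted: '
   . var_export(delete_upload_fixed("$root/uploads", 'ok.txt'), true) . PHP_EOL;
echo 'vulnerable, traversal deleted config: '
   . var_export(delete_upload_vulnerable("$root/uploads", $traversal), true) . PHP_EOL;
echo 'config still present: ' . var_export(file_exists("$root/wp-config.php"), true) . PHP_EOL;

// Clean up the demo tree.
@unlink("$root/uploads/ok.txt");
@unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```

Stripping "../" from the name with str_replace() is the fix that tends to get shipped and is not enough on its own ("....//" survives one pass); comparing the resolved path against the resolved base is what actually bounds the operation.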