13 Oct 2021

WordPress Plugin Review Team’s Review Fails to Catch CSRF Vulnerability Allowing Modification of .htaccess File

If you believe Matt Mullenweg, the top person behind WordPress, new plugins are not reviewed before being added to the WordPress Plugin Directory:

“Why couldn’t it be more like the plugin directory?” asked Mullenweg. “That has all the same potential issues and has been working pretty well. I’d like it to work just like the plugin directory, with direct access for authors, and most reviews being post-review vs. pre-review.” [Read more]

12 Oct 2021

Our Proactive Monitoring Caught Another Authenticated Arbitrary File Upload Vulnerability Being Introduced Into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin INK Official. That was the second time we caught that type of vulnerability being introduced into a plugin in less than a week.

Based on the insecurity leading to this vulnerability, there may be additional security issues and vulnerabilities. [Read more]

11 Oct 2021

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Cooked WordPress Plugin

Several days ago we had what looked to be a hacker probing for usage of a commercial WordPress plugin, Cooked Pro, on one of our websites, by requesting the following file:

/wp-content/plugins/cooked-pro/modules/dropzone/dropzone.min.css [Read more]

8 Oct 2021

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced Into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin SCORM Cloud For WordPress.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

6 Oct 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability in WP-Property

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file upload vulnerability, in the plugin WP-Property.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

5 Oct 2021

The MStore API WordPress Plugin Also Contains an Authenticated Arbitrary File Deletion Vulnerability

Earlier today an unfixed arbitrary file upload vulnerability in the WordPress plugin MStore API was disclosed through the release of exploit code for it. While the information provided with the exploit code claims the vulnerability impacts 2.0.6 and “possibly higher”, the vulnerability actually didn’t exist in that version, but it does exist in the latest version of the plugin (information on which versions of the plugin are impacted is included in the data provided by our service). Earlier today the developer made a change that looks like it was an attempt to fix this, while not raising the version number of the plugin, so anyone already using the latest version of the plugin wouldn’t be provided with the attempted fix. That doesn’t matter much, as the change doesn’t fix the issue; it just makes exploiting it a bit more complicated.

As of posting this, the plugin remains in the WordPress Plugin Directory despite the plugin having a publicly known vulnerability that is of a type hackers are very likely to exploit. [Read more]

29 Sep 2021

Our Proactive Monitoring Caught a Shortcode Execution Vulnerability in Two WordPress Plugins

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a type of vulnerability that has in the past been combined with a more serious vulnerability and then exploited. That is a shortcode execution vulnerability, which we found in two plugins, Active Products Tables for WooCommerce and TableOn, that look like they might have been closed on the Plugin Directory for a different security issue. The vulnerability also permits reflected cross-site scripting (XSS) to occur.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

27 Sep 2021

Another One of the 100 Most Popular WordPress Plugins Has a Security Vulnerability Related to Usage of extract()

On Friday, we noted that five of the 100 most popular WordPress plugins were using the extract() function insecurely. While none of those plugins look to have an obvious vulnerability due directly to the usage of extract(), we mentioned in the previous post that we had confirmed that one of the plugins, with 1+ million installs, had a vulnerability related to its usage. We have now confirmed that the same type of issue exists in another plugin, Ocean Extra. That plugin is a companion to the OceanWP theme and has 700,000+ installs according to WordPress’ stats.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of this vulnerability. [Read more]

24 Sep 2021

Five of the 100 Most Popular WordPress Plugins Are Insecurely Using the extract() Function

Last week we noted that the most popular WordPress security plugin, Jetpack, was insecurely using PHP’s extract() function. It turns out that it isn’t alone among the most popular WordPress plugins, as running the 100 most popular plugins in the WordPress Plugin Directory through our Plugin Security Checker identified four more plugins that are similarly insecure. Jetpack is the most popular with 5+ million installs according to WordPress’ stats, but the others also have large install counts:

As we noted in the previous post, the documentation for the extract() function has this warning: [Read more]
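The two extract() entries above (27 Sep and 24 Sep) describe the problem only in summary. The following is an added example, not code from the Plugin Vulnerabilities posts or from any of the plugins named: it uses a constructed shortcode-style attribute array and a hypothetical render_box() handler to show how extract() on attacker-influenced input silently overwrites a variable the developer set, and two ways to close that off. The WordPress function shortcode_atts() mentioned in a comment is a real core function; everything else is illustrative.

```php
<?php
// Added example (not from the original page). Demonstrates why extract() on
// data an attacker can influence is unsafe, and two safer patterns.

// --- Vulnerable pattern -----------------------------------------------------
// The developer sets $template to a trusted default, then extract()s the
// attributes. extract() defaults to EXTR_OVERWRITE, so a key named
// "template" in $atts replaces the trusted value.
function render_box_vulnerable(array $atts): string
{
    $template = 'templates/box.php';   // trusted, developer-controlled
    extract($atts);                    // EXTR_OVERWRITE: $template may be clobbered
    return $template;                  // what would later be loaded/used
}

// --- Mitigation 1: EXTR_SKIP ------------------------------------------------
// EXTR_SKIP keeps variables that already exist. It protects $template, but an
// attacker can still create any *new* variable name the function later reads
// without having initialised it, so it is only a partial fix.
function render_box_skip(array $atts): string
{
    $template = 'templates/box.php';
    extract($atts, EXTR_SKIP);
    return $template;
}

// --- Mitigation 2: explicit whitelist, no extract() -------------------------
// Merge defaults with the input, then drop every key not in the defaults.
// This is the same idea WordPress core's shortcode_atts($pairs, $atts)
// implements; here it is done with plain PHP so the example runs stand-alone.
function render_box_whitelist(array $atts): string
{
    $defaults = ['title' => '', 'color' => 'blue'];
    $atts = array_intersect_key(array_merge($defaults, $atts), $defaults);

    $template = 'templates/box.php';
    // Read attributes by key instead of turning them into local variables.
    return $template . '?title=' . rawurlencode($atts['title'])
                     . '&color=' . rawurlencode($atts['color']);
}

// Constructed input: a legitimate attribute plus a key the developer never
// intended to accept. With $_GET/$_POST the same overwrite occurs.
$attacker_atts = [
    'title'    => 'Hello',
    'template' => '../../../../etc/passwd',
];

printf("vulnerable: %s\n", render_box_vulnerable($attacker_atts));
printf("EXTR_SKIP : %s\n", render_box_skip($attacker_atts));
printf("whitelist : %s\n", render_box_whitelist($attacker_atts));
```

Run with `php extract_example.php`. The first line shows the attacker-chosen path, the second and third the developer's default. When reviewing a plugin, the check is simple: for every extract() call, trace whether the array can be influenced by a request (shortcode attributes, $_GET, $_POST, AJAX parameters, widget settings) and whether any variable read afterwards could be overwritten or first defined by it.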

22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities that we should be warning users of the plugin that also use our service about, we found just such a vulnerability in the plugin. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter vulnerability is a type that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability. [Read more]