Vulnerability Report

22 Sep 2021

Recently Closed WordPress Plugin with 40,000+ Installs Contains Authenticated Persistent XSS Vulnerability

The WordPress plugin Timetable and Event Schedule was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found multiple insecurities and we confirmed that there is an authenticated persistent cross-site scripting (XSS) vulnerability.

There also appears to be a related authenticated SQL injection vulnerability, though we didn’t confirm that. We would recommend not using the plugin until a thorough security review is done and additional security issues are addressed. [Read more]

21 Sep 2021

Gutenberg Blocks Plugin with 40,000+ Installs Contains Multiple Vulnerabilities

The WordPress plugin Getwid, which contains “a collection of 40+ Gutenberg blocks”, was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins with 40,000+ installs, so we were alerted to its closure. While we were looking in to the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service, we found that it contains at least an authenticated information disclosure vulnerability and cross-site request forgery (CSRF)/settings change vulnerability. Both of those involve an Instagram access token.

Authenticated Information Disclosure

The plugin registers the function get_instagram_token() to be accessible to anyone logged in to WordPress through its AJAX functionality: [Read more]

17 Sep 2021

WordPress Plugin Directory Team Again Allows Incredibly Insecure Plugin in to Directory Despite Doing “Security Review”

Last week we noted that despite every new WordPress plugins being added to the WordPress Plugin Directory having supposed to have gone through a manual review first, including a security review, plugins that should never be approved are. A possible explanation for that is that there is a fabulist running the team handling the directory, Mika Epstein, who is claiming to do reviews they are not. Fairly prominently on the WordPress website, they claim to have reviewed 46,800 plugins, despite that being hard to believe possible to do as a part-time volunteer:

[Read more]

10 Sep 2021

Does a Fabulist Explain Why The Security Reviews of New WordPress Plugins Are Not Happening?

August 13th the WP Tavern, which is owned by WordPress and Automattic head Matt Mullenweg, published a post written by Sarah Gooding that presented an inaccurate view of the state of the security of WordPress plugins. The post was about a report based in part on data from a security company named WPScan that has been inflating the number of vulnerabilities in WordPress plugins they claim to be aware of. The story didn’t address that inflation, but instead put forward this claim to explain what is actually being caused, at least largely, by that inflation:

Both Wordfence and WPScan claim that the greater number of vulnerabilities reported this year is indicative of the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins aren’t getting more insecure over time but rather there are more people interested in discovering and reporting vulnerabilities. [Read more]

31 Aug 2021

WordPress Plugin with 100,000+ Installs Closed On Plugin Directory Today is Insecure

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in an instances where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was because of a vulnerability.

Today the plugin qTranslate X, which has 100,000+ installs, was closed. No reason has been given for the closure. While we didn’t find any obvious serious security issues in a quick check, what we did find is that the plugin is insecure and some of that insecurity is hard to follow, so it is possible that it has a more serious issue that is difficult to spot. [Read more]

30 Aug 2021

Hacker Targeted WooCommerce Stock Manager Still Lacking Basic Security After Wordfence Checked Plugin

As part of monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins to make sure we quickly can warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website on Saturday for the plugin WooCommerce Stock Manager by requesting this file:

/wp-content/plugins/woocommerce-stock-manager/readme.txt [Read more]

27 Aug 2021

Hackers Certainly Could Be Interested in Exploiting this Vulnerability in the Simple eCommerce WordPress Plugin

Earlier this week had what looked to be a hacker probing for usage of the WordPress plugin Simple eCommerce on our website with this request:

/wp-content/plugins/simple-e-commerce-shopping-cart/readme.txt [Read more]

23 Aug 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught ones of those vulnerabilities, a PHP object injection vulnerability, being introduced in to the plugin Contact List.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

11 Aug 2021

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Picture Gallery

A new report claims that there is a stored cross-site scripting (XSS) vulnerability in the WordPress plugin Picture Gallery. Like a lot of recent reports this isn’t really a vulnerability as the attacker would need to be logged in to WordPress as an Administrator to exploit this. But while confirming that was in fact the case, we found that there is actually a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in somewhat related code in the plugin.

With the supposed vulnerability, it involves accessing a page only accessible to those with the manage_options capability, so Administrators: [Read more]