5 Aug 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught one of the most serious types of vulnerability, if not the most serious, an arbitrary file upload vulnerability, being introduced into the plugin WP Agora.io (Agora Video for WordPress). We caught it before it was made generally available, as it exists in the beta of version 3.0.0 of the plugin.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

3 Aug 2021

Wordfence Advisory Fails to Warn That WordPress Plugin with 100,000+ Installs Is Currently Very Insecure

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of any unfixed vulnerabilities that hackers are likely targeting. On Sunday we had what looked to be a hacker probing for usage of the WordPress plugin WordPress Download Manager, which has 100,000+ active installations according to wordpress.org, on our website with this request:

/wp-content/plugins/download-manager/readme.txt [Read more]

21 Jul 2021

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in One of 10Web’s Plugins

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in the plugin 10WebEcommerce. The developer of that plugin, 10Web, also offers what they claim is the “Most Trustable WordPress Security Service”, despite this not being the first time we have run into a vulnerability in one of their plugins recently.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

13 Jul 2021

Authenticated Persistent Cross-Site Scripting Vulnerability in Google Language Translator WordPress Plugin

The most recent version of the WordPress plugin Google Language Translator, 6.0.10, includes a change that “added url satinization to avoid XSS injections”. There are a couple of problems with that. First, because of the way the developer added the new version, it is not being made available to either existing or new users of the plugin; both are still being provided with 6.0.9. Second, the escaping (not sanitization) that was added is missing elsewhere in the same lines of code, so an authenticated persistent cross-site scripting (XSS) vulnerability remains in the plugin.

We confirmed that there is an exploitable instance of this with the first line that was changed in the new version. [Read more]

9 Jul 2021

WP Encryption is Another WordPress Security Plugin Lacking Basic Security

On Monday we discussed yet another WordPress plugin offering to provide security to WordPress websites that is lacking basic security itself. That appears to be a pretty common issue, based on how often we run across it. Later on Monday we ran across it again, as we happened to do a quick check of the plugin WP Encryption, which has 40,000+ installations according to wordpress.org, and found that it is lacking basic security.

With this plugin, there is an odd issue where they are missing one security check in one place but include it elsewhere, while missing another one there. So the developer appears to be aware of the security checks they should have, but doesn’t understand that they need to implement them all, all the time. [Read more]