6 Jul 2021

Authenticated Persistent XSS Vulnerability in Shortcode For Current Date

The WordPress plugin Shortcode For Current Date, which has 10,000+ installations according to wordpress.org, is currently closed on the WordPress Plugin Directory with this message:

This plugin has been closed as of July 5, 2021 and is not available for download. This closure is temporary, pending a full review. [Read more]

5 Jul 2021

Web Host A2’s 50,000+ Install WordPress Plugin To Help Secure Websites Lacks Basic Security

A week ago we looked at a WordPress plugin promoting that it could improve the security of websites, while the plugin itself lacked basic security. It certainly isn’t alone in that. Take the web host A2’s A2 Optimized WP plugin, which is marketed as:

A2 Optimized is designed to make it quick and easy to speed up and secure your website by installing and configuring several well known, stable optimizations with a few quick clicks. [Read more]

30 Jun 2021

Our Proactive Monitoring Caught a CSRF/Local File Inclusion (LFI) Vulnerability in Email Marketing Services Integration

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/local file inclusion (LFI) vulnerability in the plugin Email Marketing Services Integration.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

24 Jun 2021

10Web Partners With Patchstack While Leaving Their WordPress Plugins Vulnerable

One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.

Yesterday we mentioned one security provider, Patchstack, in the context of them and their Red Team lacking a basic understanding of WordPress security. While looking further into Patchstack we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them while trying to work with them to fix a security vulnerability in one of their plugins, and with what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, contains the same vulnerability we have been trying to get them to fix. [Read more]

23 Jun 2021

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in Blocksy Companion

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/PHP object injection vulnerability in the plugin Blocksy Companion.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

22 Jun 2021

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WordPress Plugin INDIGITALL

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability in the plugin INDIGITALL, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]
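The CSRF/LFI, CSRF/PHP object injection and CSRF-exploitable option update findings above share one root cause: a handler that runs for any admin-side request and acts on request data without verifying a nonce, the caller's capability, or the data itself. The following is an added example written for this page, not code from INDIGITALL, Blocksy Companion, Email Marketing Services Integration or any other plugin named here; the `example_` prefix, the `example_settings` option and the field names are hypothetical. It shows the vulnerable pattern and a hardened form using the standard WordPress nonce and capability checks.

```php
<?php
// Added example, not the code of any plugin named on this page.
// Hypothetical plugin prefix "example_", hypothetical option "example_settings".

// VULNERABLE PATTERN: admin_init fires for every request to the admin area,
// including requests from low-privilege logged-in users (authenticated option
// update) and cross-site requests riding on an administrator's cookies (CSRF).
// There is no capability check, no nonce check and no sanitisation.
add_action( 'admin_init', 'example_save_settings_insecure' );
function example_save_settings_insecure() {
    if ( isset( $_POST['example_settings'] ) ) {
        // Attacker-controlled key/value pairs land directly in wp_options.
        update_option( 'example_settings', $_POST['example_settings'] );
    }
}

// HARDENED PATTERN: a dedicated admin-post action, capability check, nonce
// check, a fixed option name and per-field sanitisation before update_option().
add_action( 'admin_post_example_save_settings', 'example_save_settings_secure' );
function example_save_settings_secure() {
    // 1. Only users allowed to change site configuration may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    // 2. The request must carry a nonce tied to this action and this user's
    //    session; a cross-site request cannot obtain one. Dies on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $raw = ( isset( $_POST['example_settings'] ) && is_array( $_POST['example_settings'] ) )
        ? wp_unslash( $_POST['example_settings'] )
        : array();

    // 3. Allow-list the fields and sanitise each one; never write a
    //    caller-chosen option name or an unfiltered array.
    $clean = array(
        'api_key'  => sanitize_text_field( $raw['api_key'] ?? '' ),
        'enabled'  => ! empty( $raw['enabled'] ) ? 1 : 0,
        'endpoint' => esc_url_raw( $raw['endpoint'] ?? '' ),
    );
    update_option( 'example_settings', $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}

// The settings form must emit the matching nonce field and post to admin-post.php.
function example_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="example_settings[api_key]">
        <input type="checkbox" name="example_settings[enabled]" value="1">
        <input type="url" name="example_settings[endpoint]">
        <button type="submit">Save</button>
    </form>
    <?php
}
```

When reviewing a plugin for this class of issue, look for `update_option()`, `include`/`require` or `unserialize()` reached from an `admin_init`, `init`, `wp_ajax_*` or `wp_ajax_nopriv_*` callback and check whether both a `current_user_can()` test and a `check_admin_referer()`/`check_ajax_referer()`/`wp_verify_nonce()` test stand between the request and that call; a nonce check alone does not stop a low-privilege user, and a capability check alone does not stop CSRF.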

21 Jun 2021

WPScan Misses Real Serious Vulnerability in WordPress Plugin Hana Flv Player While Spreading False Claim of Vulnerability

Recently one of our competitors in the WordPress plugin vulnerability space, WPScan, released a report claiming there was an authenticated stored cross-site scripting (XSS) vulnerability in the plugin Hana Flv Player. At first glance it looked like one of the many false reports they include in their data, but further checking showed that, while the claimed vulnerability didn’t exist, there was an even more serious vulnerability in the relevant code. As of this posting, the plugin is still available in WordPress’ plugin directory despite that.

Their report of an “authenticated stored cross-site scripting (XSS) vulnerability” starts with this past tense claim: [Read more]

18 Jun 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability in the WordPress Plugin Payment QR WooCommerce

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught one of the most serious issues, an arbitrary file upload vulnerability in the plugin Payment QR WooCommerce. That is a type of vulnerability that hackers are highly likely to exploit.

The possibility of this vulnerability was also flagged by our Plugin Security Checker, and while reviewing it we added a check that flags some of the insecure code in play here, so you can use that tool to see whether plugins you use might have similar issues. [Read more]
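Arbitrary file upload is rated as one of the most serious issues above because a PHP file written under the web root is remote code execution. The following is an added example written for this page, not code from Payment QR WooCommerce; the `example_` prefix, the AJAX action names and the `qr/` subdirectory are hypothetical, and the `manage_woocommerce` capability is assumed to be the appropriate WooCommerce capability for the operation. It shows the typical vulnerable upload handler beside a hardened one that lets WordPress validate and place the file.

```php
<?php
// Added example, not the code of Payment QR WooCommerce. Names prefixed
// "example_" are hypothetical.

// VULNERABLE PATTERN: an AJAX action reachable by unauthenticated visitors
// (wp_ajax_nopriv_*) that trusts the client's filename and extension and
// writes the file under the web root. Uploading "shell.php" yields RCE.
add_action( 'wp_ajax_nopriv_example_upload_qr', 'example_upload_qr_insecure' );
add_action( 'wp_ajax_example_upload_qr', 'example_upload_qr_insecure' );
function example_upload_qr_insecure() {
    $upload_dir = wp_upload_dir();
    $target     = $upload_dir['basedir'] . '/qr/' . $_FILES['qr']['name'];
    move_uploaded_file( $_FILES['qr']['tmp_name'], $target );
    wp_send_json_success( array( 'url' => $upload_dir['baseurl'] . '/qr/' . $_FILES['qr']['name'] ) );
}

// HARDENED PATTERN: logged-in and authorised caller only (no nopriv hook),
// nonce check, content-based type detection limited to image types, a
// server-chosen filename, and wp_handle_upload() doing the move.
add_action( 'wp_ajax_example_upload_qr_secure', 'example_upload_qr_secure' );
function example_upload_qr_secure() {
    // Assumed capability for staff who manage payment settings.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_upload_qr', 'nonce' );

    if ( empty( $_FILES['qr'] ) || UPLOAD_ERR_OK !== $_FILES['qr']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Detect the type from the file contents, not from the client-supplied
    // name or MIME header, and accept only the listed image types.
    $allowed = array( 'png' => 'image/png', 'jpg' => 'image/jpeg' );
    $check   = wp_check_filetype_and_ext( $_FILES['qr']['tmp_name'], $_FILES['qr']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'only PNG or JPEG accepted', 415 );
    }

    // Discard the client's filename entirely; the extension comes from detection.
    $_FILES['qr']['name'] = 'qr-' . wp_generate_password( 12, false ) . '.' . $check['ext'];

    // wp_handle_upload() re-validates against the allowed MIME list, builds a
    // unique filename and places the file in the uploads directory.
    $result = wp_handle_upload( $_FILES['qr'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The two red flags a reviewer should look for are a `move_uploaded_file()` or `file_put_contents()` call that takes any part of its destination from `$_FILES[...]['name']` or another request parameter, and an upload handler registered on `wp_ajax_nopriv_*`, `init` or a custom REST route without a capability check. Routing the file through `wp_handle_upload()` with an explicit `mimes` list removes the first; a `current_user_can()` test before any file handling removes the second.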