17 Jun 2021

Vulnerable WordPress Plugin Leads to Another Vulnerable WordPress Plugin

Earlier today we posted about a brand new WordPress plugin that has a security vulnerability that hackers would be likely to exploit. Part of the story there is that security reviews of new WordPress plugins are not happening or they are missing things they shouldn’t. Another piece of the story looks to be that the plugin is largely copied from another plugin and inherited the security vulnerability from that one.

While we were processing the vulnerability in that other plugin, we added a new check to our Plugin Security Checker tool to flag other instances of code that is insecure in the same way as part of the issue with that plugin. While doing that, we used the search capability of the WP Directory to check whether other plugins in the WordPress Plugin Directory had similar code. What we found was that another plugin had a line of code nearly identical to the relevant line in the new plugin. Looking further at that second plugin, Wallet One Payment Gateway for WooCommerce, it became clear that the code is nearly identical because the new plugin uses large chunks of code that exist in that plugin. The new plugin might not have been copied directly from that plugin, as there could be additional plugins in the chain. [Read more]

17 Jun 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability in Another Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, WooCommerce Geidea Payment Gateway, and is something that the review that is supposed to be done before new plugins are added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that tool during the review to stop this type of situation from continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

16 Jun 2021

Security Audit of WordPress Plugin Apparently Missed Easy to Detect Vulnerability

The plugin Sunshine Photo Cart was closed on the WordPress Plugin Directory yesterday. We don’t know why that was, but our systems notified us of possible security related changes made after that. Those are described in the latest changes made to the plugin as “Security audit changes”. In that type of situation we usually run the previous version of the plugin through our Plugin Security Checker to see if it flags any possibly insecure code that was then fixed. When we did that, we found that the possibly insecure code it flagged wasn’t fixed in the new version. Further checking confirmed that there was, and still is, a vulnerability, despite a security audit apparently having been done.

That code has gone unnoticed in the plugin for nearly six years, which is yet another good reason to check the plugins you use with our tool. [Read more]

16 Jun 2021

Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability Being Introduced into a WordPress Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it being introduced into a plugin. That vulnerability is an arbitrary file viewing vulnerability in the plugin Law Practice Management Software. Hackers frequently try to exploit that type of vulnerability to read wp-config.php and gain access to the database credentials for WordPress websites.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool also flags many other instances of insecure code in the plugin, which is rather concerning as the plugin is intended to be used by lawyers. [Read more]

15 Jun 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability in a Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That has led to us catching a vulnerability of a type that hackers are likely to exploit if they know about it.

This vulnerability is in a brand new plugin, Wireless Butler, and is something that the review that is supposed to be done before new plugins are added to the Plugin Directory should have caught. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that tool during the review to stop this type of situation from continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

14 Jun 2021

WordPress Plugin Directory Team Failing To Detect Easy to Spot Vulnerabilities

Last week we mentioned that we had found a couple of vulnerable WordPress plugins when we ran the ones also available in the plugin directory of the WordPress fork ClassicPress through our Plugin Security Checker. One of those was promptly fixed after we notified the developer of the issue. With the other, AlertMe!, we haven’t even received a response from the developer in over a week, so in line with our reasonable disclosure policy, we are disclosing the vulnerability.

Like the other vulnerability, this has existed in the plugin since the first version, despite being easy to detect. The WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of this type of issue. We have repeatedly offered to help them implement this type of thing, but, like other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]

11 Jun 2021

WooCommerce Multivendor Membership WordPress Plugin Contains Persistent XSS Vulnerability

Two days ago we discussed that, after seeing what looked to be a hacker probing for the WordPress plugin WooCommerce Frontend Manager (WCFM), we found that the plugin contained, among other security issues, an authenticated persistent cross-site scripting (XSS) vulnerability. That is more of a concern than it usually is, since the plugin works with WooCommerce, which by default allows untrusted individuals to create WordPress accounts, so hackers would have an easier time exploiting it than they would with the average plugin. In looking at the developer’s other plugins we found that one of them, WooCommerce Multivendor Membership, is even more insecure, as the same type of vulnerability can be exploited without even being logged in to WordPress.

(Despite WooCommerce Frontend Manager (WCFM) likely being targeted by a hacker and containing an unfixed vulnerability they would exploit, WordPress is still distributing the plugin two days later.) [Read more]

10 Jun 2021

Recently Closed WordPress Plugin with 30,000+ Installs Contains Persistent XSS Vulnerability

The plugin SEO Redirection was closed on the WordPress Plugin Directory yesterday. That is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should warn users of the plugin who also use our service about, we found it contained multiple security issues. What looked to be the most serious issue that we found in just a quick check is a persistent cross-site scripting (XSS) vulnerability. That is something that hackers might be interested in exploiting.

Due to how insecure we found the plugin to be, we would recommend not using it until its security has been thoroughly reviewed and the issues identified have been fixed. [Read more]

9 Jun 2021

A Hacker Looks to be Probing for WooCommerce Frontend Manager (WCFM), This Vulnerability Could be Their Target

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website today for the plugin WooCommerce Frontend Manager (WCFM) by requesting this file:

  • /wp-content/plugins/wc-frontend-manager/readme.txt

We are not aware of any publicly disclosed vulnerabilities that might explain this. In doing our standard checks when we see what looks to be a hacker probing for usage of a plugin, we found that low-level users have access to AJAX functions only intended for users managing the website. That is a more significant issue than it would be with the average plugin, since the plugin is designed to work with WooCommerce, and by default WordPress websites running WooCommerce allow untrusted individuals to create WordPress accounts. [Read more]
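The issue described above, low-level users reaching AJAX functions meant for administrators, comes from how WordPress routes AJAX requests: a callback hooked on `wp_ajax_{action}` runs for any logged-in user, whatever their role, and a callback hooked on `wp_ajax_nopriv_{action}` runs for visitors who are not logged in. Nothing in that routing checks capabilities, so the callback must. The following is an added illustration in PHP, not code from WooCommerce Frontend Manager (WCFM); the `wcfm_delete_product` action name, the `product_id` parameter and the nonce name are assumptions. The first handler is the pattern that lets a customer account registered through WooCommerce perform an administrative action; the second is the same action with the checks it needs.

```php
<?php
// Added illustration, not the plugin's own code. The action name, the
// "product_id" parameter and the nonce name are assumptions.

// Insecure pattern: any logged-in user, including a customer who registered
// through WooCommerce, can POST to admin-ajax.php?action=wcfm_delete_product.
// The wp_ajax_ hook only requires a session, and nothing here checks a capability.
function wcfm_delete_product_insecure() {
    $product_id = absint( $_POST['product_id'] ?? 0 );
    wp_delete_post( $product_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_wcfm_delete_product', 'wcfm_delete_product_insecure' );

// Hardened pattern: a nonce blocks cross-site request forgery, a per-object
// capability check blocks low-level users, and a post type check keeps the
// action from being pointed at pages or posts instead of products.
function wcfm_delete_product_hardened() {
    check_ajax_referer( 'wcfm_delete_product', 'nonce' );

    $product_id = absint( $_POST['product_id'] ?? 0 );
    $product    = get_post( $product_id );

    if ( ! $product || 'product' !== $product->post_type ) {
        wp_send_json_error( 'invalid product', 400 );
    }

    // delete_post is evaluated against the specific post, so a vendor with
    // limited rights can only remove their own products and a subscriber or
    // customer account fails here regardless of which product they name.
    if ( ! current_user_can( 'delete_post', $product_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $product_id, true );
    wp_send_json_success();
}

// Swap the insecure callback for the hardened one on the same action.
remove_action( 'wp_ajax_wcfm_delete_product', 'wcfm_delete_product_insecure' );
add_action( 'wp_ajax_wcfm_delete_product', 'wcfm_delete_product_hardened' );
```

A quick check for this class of problem in any plugin is to list every `add_action( 'wp_ajax_` and `add_action( 'wp_ajax_nopriv_` registration and then read each callback for a `current_user_can()` call and a `check_ajax_referer()` or `wp_verify_nonce()` call before it changes anything. A callback missing the capability check is reachable by every account the site allows to register, and on a WooCommerce store that is anyone who completes checkout or the registration form.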