24 Feb 2020

Hackers May Already Be Targeting This Authenticated Persistent XSS Vulnerability in PW WooCommerce Bulk Edit

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website several days ago for the plugin PW WooCommerce Bulk Edit by requesting these files:

  • /wp-content/plugins/pw-bulk-edit/readme.txt
  • /wp-content/plugins/pw-bulk-edit/assets/js/results.js
  • /wp-content/plugins/pw-bulk-edit/license.txt

In a quick check over the plugin we found that it contains multiple security issues. The most obvious security issue that hackers would likely be interested in targeting, based on what we saw, is that anyone logged in to WordPress can change the name of a WooCommerce product to include malicious JavaScript code, which is an authenticated persistent cross-site scripting (XSS) vulnerability (through the same functionality the price and other product attributes can be changed as well). Since the plugin extends WooCommerce, and WooCommerce by default allows the public to create WordPress accounts, the access needed to exploit this would usually be easy to obtain. [Read more]

7 Nov 2019

Our Proactive Monitoring Caught a CSRF/Arbitrary File Deletion Vulnerability in a WordPress Plugin with 70,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/arbitrary file deletion vulnerability in the plugin Backup Guard, which has 70,000+ installs. Despite being that popular, it doesn’t look like the security of the code has been well reviewed, as the code that causes that lacks two basic security components. There look to be additional security issues related to that insecurity, so we wouldn’t recommend using the plugin unless a thorough security review (like we do as part of our service and as a separate service) is done.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool flags the possibility of other issues in this plugin as well. [Read more]

4 Nov 2019

Recently Closed WordPress Plugin with 70,000+ Installs Contains Authenticated Persistent XSS Vulnerability

The plugin Easy Columns was closed on the WordPress Plugin Directory on Sunday of last week. That is one of the 1,000 most popular plugins with 70,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains an authenticated persistent cross-site scripting (XSS) vulnerability after looking at results that our Plugin Security Checker produced for the plugin.

An example of that issue involves the plugin’s ezcol_1quarter shortcode, which calls the function one_quarter(): [Read more]

1 Nov 2019

Recently Closed WordPress Plugin with 80,000+ Installs Contains CSRF Vulnerability

The plugin Snazzy Maps was closed on the WordPress Plugin Directory on Wednesday. That is one of the 1,000 most popular plugins with 80,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a cross-site request forgery (CSRF) vulnerability.

The plugin makes its admin page accessible to those with the “manage_options” capability, so Administrators: [Read more]

1 Nov 2019

Authenticated Remote Code Execution (RCE) Vulnerability Exists in WordPress Plugin Being Targeted By Hacker

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. Recently that has started up again, with the plugin MobiLoud News being one of the new plugins. There was probing on our website two days ago for that plugin by requesting these files:

  • /wp-content/plugins/mobiloud-mobile-app-plugin/description.txt
  • /wp-content/plugins/mobiloud-mobile-app-plugin/readme.txt

In beginning to check over the plugin to figure out what a hacker would be interested in exploiting, we found multiple vulnerabilities. What might be the most serious is an authenticated remote code execution (RCE) vulnerability that would allow an attacker to run arbitrary PHP code on the website. It could also be exploited through cross-site request forgery (CSRF). [Read more]

24 Oct 2019

Hackers May Already be Targeting this Authenticated Persistent XSS Vulnerability in a WordPress Plugin with 200,000+ Installs

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. It looks like that has started up again, with the plugin Astra Starter Sites being one of the new plugins. There was probing on our website yesterday for that plugin by requesting these files:

  • /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js
  • /wp-content/plugins/astra-sites/inc/assets/css/admin.css
  • /wp-content/plugins/astra-sites/readme.txt

That plugin has 200,000+ installs according to wordpress.org, so you might imagine that it had at least a cursory security review by now, but that doesn’t appear to be the case: just in our limited checking to figure out what a hacker would be interested in exploiting, we found numerous security issues that would have been flagged by the type of security review of WordPress plugins we do. Considering that persistent cross-site scripting (XSS) vulnerabilities have existed in multiple of the other plugins being targeted, we were most focused on seeing if it has that type of vulnerability, and we found it contains an authenticated variant of that. While that requires someone to have access to a WordPress account, which limits its exploitability, with 200,000+ installs that would be something that hackers have previously shown an interest in exploiting. [Read more]

23 Oct 2019

Hackers May Already be Targeting this Persistent XSS Vulnerability in PushEngage

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. It looks like that has started up again, with the plugin PushEngage being one of the new plugins. There was probing on our website today for that plugin by requesting these files:

  • /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js
  • /wp-content/plugins/astra-sites/inc/assets/css/admin.css
  • /wp-content/plugins/astra-sites/readme.txt

[Read more]

14 Oct 2019

WordPress Plugin Copies Security Vulnerabilities From Another Plugin

When it comes to insecure code in WordPress plugins, beyond insecure code written by the developers themselves, we often find that the developers have included code created by others without reviewing its security first (that has even been the case with popular security plugins). Recently multiple security issues were fixed in the plugin Sliced Invoices. While looking into that, we found that the plugin Tradies has copied a significant amount of code from that plugin and still contains those vulnerabilities. The copying is so extensive that if you try to activate Tradies with Sliced Invoices already activated (or vice versa) it won’t work, because a class name is reused. While that copying is permitted by the GPL, there isn’t a copyright statement indicating the source of the code (which isn’t the first time we have seen that done with copied code).

As an example of the insecure code copied, let’s take a look at the code to handle exporting the plugin’s quotes and invoices. [Read more]

7 Oct 2019

What Security Review? Brand New WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the brand new plugin Word Of The Day, which we came across because our proactive monitoring of changes made to plugins in the Plugin Directory (which tries to catch serious vulnerabilities) flagged that it possibly contained an arbitrary file upload vulnerability, a type of vulnerability likely to be exploited. In reviewing this we found that it does contain an authenticated variant of that, which can also be exploited through cross-site request forgery (CSRF).

We have long offered to help the team running the Plugin Directory gain a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well. We have also long offered the team running the Plugin Directory free access to the advanced mode of that tool. We haven’t heard any interest from that team in either of those offers. [Read more]

27 Sep 2019

Our Proactive Monitoring Caught an Authenticated Persistent XSS Vulnerability in Request a Quote

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Request a Quote. That type of vulnerability appears to be one that hackers have recently been looking for undisclosed instances of to exploit, so finding it before them is a very good thing. The vulnerability is identical to the vulnerability we found in another plugin by the same developer through this same monitoring last week.

The vulnerability is due to multiple security failures, as is often the case. The plugin registers the function emd_insert_new_shc() to be accessible by those logged in to WordPress: [Read more]