11 Nov 2022

Cross-Site Request Forgery (CSRF)/Plugin Deactivation Vulnerability in 10Web Booster

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, a cross-site request forgery (CSRF)/plugin deactivation vulnerability in 10Web Booster.

We now are also running all the plugins used by our customers through that on a weekly basis to provide additional protection for them.

10 Nov 2022

Authenticated Settings Reset Vulnerability in WooCommerce Fraud Prevention Plugin

As detailed in a separate post, we took a look at the WordPress plugin WooCommerce Fraud Prevention Plugin after seeing it mentioned in a news story. We found it is insecure and that the insecurity leads to at least one vulnerability, as anyone logged in to WordPress can reset the plugin's settings.

The plugin registers the function wcblu_reset_settings() to be accessible through WordPress' AJAX functionality to anyone logged in to WordPress:

4 Nov 2022

Privilege Escalation Vulnerability in Video Thumbnails WordPress Plugin

Earlier this week the WordPress plugin Video Thumbnails was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there are multiple minor security vulnerabilities in the latest version.

As one example of those vulnerabilities, the functionality for "resetting a video thumbnail" is accessible to anyone logged in to WordPress, instead of only to someone who is editing the post related to that video thumbnail.

1 Nov 2022

Authenticated Information Disclosure Vulnerability in Co-Authors Plus

As detailed in a separate post, earlier this year it was disclosed that the WordPress plugin Co-Authors Plus had contained a vulnerability that disclosed email addresses through a REST API route. That is still possible through another REST API route.

In the file /php/class-coauthors-endpoint.php, a REST API route to search for coauthors is registered:

31 Oct 2022

Authenticated Settings Change Vulnerability in WP Page Widget

Last week the WordPress plugin WP Page Widget was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there is a security issue in the latest version.

About a month ago a competitor of ours, Patchstack, claimed a cross-site request forgery (CSRF) vulnerability had been fixed in the latest version of the plugin. They didn't provide basic information needed to confirm the claim, as the "details" given are:

17 Oct 2022

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Responsive Lightbox & Gallery

Over the weekend, a forum topic was created for the WordPress plugin Responsive Lightbox & Gallery about Wordfence claiming there was a vulnerability in the plugin:

Hi, I have just received a critical error in my wordfence dashboard that
‘The Plugin “Responsive Lightbox” has a security vulnerability … To protect your site from this vulnerability, the safest option is to deactivate and completely remove “Responsive Lightbox” until a patched version is available
Issue Found October 13, 2022 08:54’
Do you have a patch for this error, as the site is now vulnerable, and as I do like this plugin I do not want to remove it.

17 Oct 2022

Privilege Escalation Vulnerability in BulletProof Security

After seeing possible hacker probing for the WordPress plugin BulletProof Security last week, we checked it over for any easy-to-spot serious vulnerabilities that a hacker might be interested in exploiting. We didn't find any of those, but we did run across several places where the plugin is not properly secured. Among those, it permits low-level WordPress users to access some of its MScan malware scanner functionality. That could be abused to cause the website to use a lot of server resources.

Like the rest of the plugin's admin pages, the admin page for MScan is restricted to users with the manage_options capability, so normally only Administrators:

5 Oct 2022

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability in Create Block Theme

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file upload vulnerability being added to the plugin Create Block Theme.

We now are also running all the plugins used by our customers through that on a weekly basis to provide additional protection for them.

9 Aug 2022

WooCommerce Extending Plugin With 100,000+ Installs Contains Authenticated Option Update Vulnerability Possibly Targeted by Hacker

Early today a topic was created on the support forum for the WordPress plugin WOOF, which extends WooCommerce and has 100,000+ active installations, suggesting that a security issue in it might be being exploited. The poster wrote this:

Can you elaborate on what you did here for the fix? We noticed a lot of clients had products from like other sites that were not related. Curious to know what happened if anything on your end.

3 Aug 2022

is_admin() Again Leads to WordPress Plugin Containing Vulnerability That Hackers Would Exploit

A recent review of the WordPress plugin Pop-up suggested the plugin is insecure:

I tested this plugin, it says it's free, I tried to inject code to my site… then I understood if they want they can inject any malicious code to your website by using this plugin… you are clicking launch code on external website, and this plugin will upload a code to your website based on email address registered on both site. so if you are using sensitive website don't even try this plugin