2 Aug 2022

Hacker Probably Targeting This Authenticated Option Update Vulnerability in Make’s WordPress Plugin

Yesterday we had what appeared to be a hacker probing for usage of Make’s (formerly Integromat) WordPress plugin on our website with the following request:

/wp-content/plugins/integromat-connector/assets/iwc.js [Read more]

18 Jul 2022

Hacker Exploiting Unfixed Vulnerability in WooCommerce Extending Plugin MultiSafepay

The security of plugins that extend the WordPress ecommerce plugin WooCommerce is often poor, something that the developer of WooCommerce, Automattic, hasn’t taken an interest in addressing. Another part of Automattic claims to provide some protection against that, but isn’t delivering it. Automattic’s WPScan is promoted with this claim:

Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes. [Read more]

3 Jun 2022

Jupiter X Core Plugin Still Contains Vulnerability Allowing Reverting Website Database to Previously Backed Up Version

As detailed in a security advisory we have released for the developer of the plugin Jupiter X Core, the developer recently left 90,000+ websites open to being hacked for two weeks after the WordPress security company Wordfence disclosed an easily exploited vulnerability in the plugin while no fix was available (while claiming to have done responsible disclosure). Once a new version of the plugin that addressed that vulnerability was released, we could check over the current state of the plugin. What we found was that Wordfence hadn’t warned people that the plugin still contains many vulnerabilities.

Wordfence explained how to exploit the vulnerability this way: [Read more]

2 Jun 2022

Hacker Targeted WooCommerce Payment Plugin From Openpay Allows Anyone to Change Payee Setting

On Monday we had what appeared to be a hacker probing for usage of the Openpay Payment Gateway plugin (not to be confused with BBVA’s Openpay plugins) for WooCommerce with the following request:

/wp-content/plugins/opy-paymentplugin-woocommerce/README.md [Read more]

27 May 2022

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in 1+ Million Install WordPress Plugin Ninja Forms

One way we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Late last year we expanded on that for our customers by running the plugins they use through the same system on a weekly basis, even when the code in them has not been updated. We just made a significant improvement to the automated portion of that monitoring. Through that, we caught a less serious variant of one of the vulnerability types it looks for, a cross-site request forgery (CSRF)/PHP object injection vulnerability in Ninja Forms, which, besides being used by at least one of our customers, is used on 1+ million websites according to wordpress.org’s stats.

That Ninja Forms has yet another vulnerability isn’t surprising considering the developer’s security track record, which includes disclosing a fairly serious unfixed vulnerability last year (doing that alongside Wordfence) and still not having addressed an incorrect security fix, which we notified them about in January. [Read more]

25 May 2022

600,000+ Install WordPress Plugin WP Statistics Isn’t Properly Securing Its Optimization Functionality

Yesterday the JVN released a vague report claiming that a cross-site scripting (XSS) vulnerability had been fixed in version 13.2.0 of the WordPress plugin WP Statistics. There isn’t enough information provided to confirm that there was a vulnerability or that it was fixed.

Confusingly, one of our competitors, Automattic’s WPScan, is citing that report as the source for a claim that a vulnerability was fixed in version 13.2.2 of the plugin: [Read more]

24 May 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Minor Defacement Vulnerability

Yesterday, the WordPress plugin Shapely Companion was closed on the WordPress Plugin Directory. Because it is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function shapely_companion_import_content() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]
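The point in the excerpt above is that a `wp_ajax_{action}` hook fires for every authenticated request to admin-ajax.php, whatever the user's role, so a handler that changes site content needs its own capability and nonce checks. The following is an added illustration of that pattern written for this page; it is not the Shapely Companion plugin's code, and the hook names, nonce action, option name and the stand-in import routine are all hypothetical.

```php
<?php
// Added illustration, not the plugin's own code. All names below are hypothetical.

// Vulnerable shape: any logged-in user (a subscriber included) can reach this handler,
// because wp_ajax_{action} runs for every authenticated admin-ajax.php request and
// nothing here checks who is calling or whether the request was intended.
add_action( 'wp_ajax_example_import_content', 'example_import_content_unchecked' );
function example_import_content_unchecked() {
    $demo = isset( $_POST['demo'] ) ? sanitize_key( $_POST['demo'] ) : '';
    example_run_import( $demo ); // replaces site content on behalf of the caller
    wp_send_json_success();
}

// Hardened shape: verify a nonce (stops CSRF) and a capability (stops low-privilege
// users) before touching any state.
add_action( 'wp_ajax_example_import_content_safe', 'example_import_content_checked' );
function example_import_content_checked() {
    // check_ajax_referer() calls wp_die() with a 403 when the nonce is missing or stale.
    check_ajax_referer( 'example_import_content', 'nonce' );

    // Only users allowed to manage the site may overwrite its content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $demo = isset( $_POST['demo'] ) ? sanitize_key( $_POST['demo'] ) : '';
    example_run_import( $demo );
    wp_send_json_success();
}

// The matching nonce is issued to the admin page's JavaScript with
// wp_create_nonce( 'example_import_content' ) and posted back as the 'nonce' field
// next to action=example_import_content_safe.

function example_run_import( $demo ) {
    // Stand-in for the real import (hypothetical): it writes persistent site state,
    // which is exactly why the handler above must be gated.
    update_option( 'example_last_imported_demo', $demo );
}
```

Note that registering the same callback on `wp_ajax_nopriv_{action}` would extend the reachable surface to unauthenticated visitors, which is why the unprivileged variant should only ever be used for handlers that are safe for anyone to call.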

19 May 2022

Contempo Real Estate Custom Posts WordPress Plugin Contains Authenticated Arbitrary File Upload Vulnerability

Last week there was what looked to be a hacker probing for usage of the WordPress plugin Contempo Real Estate Custom Posts in third-party data we monitor, by requesting this file:

/wp-content/plugins/contempo-real-estate-custom-posts/readme.txt [Read more]

18 May 2022

Hacker Probably Targeting This Authenticated Arbitrary File Upload Vulnerability in WP ERP

Earlier this week Wordfence got press coverage for a situation in which they were obliquely admitting they were way behind hackers: they claimed to have started seeing attacks against a vulnerability in a WordPress plugin on May 10, while publicly available data from the website abuseipdb.com was showing attacks at the end of March. On Monday, data we monitor from that website showed what looked to be a hacker probing for usage of the WordPress plugin WP ERP by requesting this file from it:

/wp-content/plugins/erp/readme.txt [Read more]