6 May 2022

WordPress Plugin Page Builder Addons for WPBakery Contains Authenticated Arbitrary File Upload Vulnerability

At the end of March we noticed what looked to be a hacker probing for usage of the plugin Pie Register. In checking it over, we found that it contained a vulnerability hackers would be interested in exploiting: an authenticated arbitrary file upload vulnerability caused by insecure code for installing WordPress plugins. It also contained several other vulnerabilities.

While working on improvements to our detection system and our firewall plugin related to that type of vulnerability, we found that, over a month later, the developer still hasn’t even attempted to address the vulnerabilities in another of their plugins, Page Builder Addons for WPBakery. [Read more]

29 Apr 2022

WordPress Passwords Manager Plugin Exposes Stored Password to Anyone Logged in to WordPress

There is a WordPress plugin named Passwords Manager that can store passwords in WordPress:

The Password Manager WordPress plugin lets you store different passwords in one place. Passwords are stored in the WordPress database in encrypted form so no one can see them. Passwords can also be categorized if you have multiple passwords. This plugin uses the advanced encryption standard AES-128, and you can define your encryption key at the time of installation of the plugin. [Read more]

28 Apr 2022

WordPress Security Plugin WordPress HTTPS Contains Authenticated Persistent XSS Vulnerability

Yesterday we ran across a vague claim that the WordPress security plugin WordPress HTTPS, which has 50,000+ installs, might have a security vulnerability involved in hacks of websites. The source isn’t a reliable one (despite being the developer of a popular security plugin) and they didn’t provide any information to back that up. In checking over the plugin, we quickly found a reasonably serious vulnerability, though one that seems unlikely to be connected with the hacking claim being made.

We tested and confirmed that our firewall plugin for WordPress protected against the vulnerability even before we discovered it, as part of its protection against zero-day vulnerabilities. [Read more]

26 Apr 2022

Authenticated Setting Change Vulnerability in WordPress Plugin Melhor Envio

As part of our monitoring of the WordPress Support Forum for indications of vulnerabilities in plugins that we should be warning our customers about, we came across this review of the plugin Melhor Envio:

The Melhor Envio plugin has had the trojan named JS:Trojan.Cryxos for almost a month, and even though I contacted support and proved it several times, the plugin is still available for download with the Trojan. My site was taken offline five times by wordpress.com and had as many as 645 files contaminated by this malware. [Read more]

22 Apr 2022

1+ Million Install WordPress Plugin From Security Plugin Developer WPMU DEV is Lacking Basic Security

Yesterday a new version of the WordPress plugin Smush, which has 1+ million active installs according to wordpress.org, was released with a changelog entry indicating that a security fix was being made:

Fix: XSS vulnerability [Read more]

21 Apr 2022

Authenticated Post Deletion Vulnerability in Toolset Types WordPress Plugin

As part of our recent focus on providing better information to customers of our main service about the security of the plugins they use, we extended the monitoring we already did of closures of the most popular WordPress plugins in WordPress’ plugin directory to the plugins being used by our customers. We monitor those closures because they are often caused by security vulnerabilities, sometimes very serious ones. That monitoring notified us yesterday that a plugin used by a customer, Toolset Types, had been closed. According to the message on the plugin’s page, it was closed in 2019, so this must be a new customer or a website newly using the plugin:

This plugin has been closed as of April 4, 2019 and is not available for download. This closure is permanent. Reason: Author Request. [Read more]

19 Apr 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Privilege Escalation Vulnerability

On Monday, the WordPress plugin WP SVG Icons was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function svg_delete_custom_pack_ajax() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]
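The exposure described above comes from the way WordPress AJAX hooks work: a callback registered on `wp_ajax_{action}` is reachable by every logged-in user, including Subscribers, unless the callback itself checks a nonce and a capability. The following is an added illustration of that pattern beside a hardened version; it is not the WP SVG Icons plugin’s code, and the action, function and option names are hypothetical.

```php
<?php
// Added example, not code from WP SVG Icons. Hook, function and option names
// are hypothetical.

// Vulnerable pattern: wp_ajax_ only requires that the requester be logged in.
// Nothing here checks who the user is, so any Subscriber can call
// /wp-admin/admin-ajax.php?action=example_delete_pack and delete the option.
add_action( 'wp_ajax_example_delete_pack', 'example_delete_pack_ajax_vulnerable' );

function example_delete_pack_ajax_vulnerable() {
    $pack = isset( $_POST['pack'] ) ? sanitize_key( $_POST['pack'] ) : '';
    delete_option( 'example_pack_' . $pack );
    wp_send_json_success();
}

// Hardened pattern: a nonce bound to this action (stops CSRF) and a capability
// check matching the sensitivity of the operation (stops low-privilege users).
add_action( 'wp_ajax_example_delete_pack_secure', 'example_delete_pack_ajax_secure' );

function example_delete_pack_ajax_secure() {
    // Dies with a 403 (-1) when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_delete_pack', 'nonce' );

    // Deleting plugin data is an administrative action; require the matching capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $pack = isset( $_POST['pack'] ) ? sanitize_key( wp_unslash( $_POST['pack'] ) ) : '';
    if ( '' === $pack ) {
        wp_send_json_error( 'missing pack', 400 );
    }

    delete_option( 'example_pack_' . $pack );
    wp_send_json_success();
}

// The admin page that renders the delete button creates the nonce the secure
// handler expects and passes it along with the request:
//   $nonce = wp_create_nonce( 'example_delete_pack' );
```

When auditing a plugin for this class of issue, list every `add_action( 'wp_ajax_...'` registration and confirm that each callback performs both a `check_ajax_referer()`/`wp_verify_nonce()` call and a `current_user_can()` check before doing anything with side effects; a nonce alone does not stop a logged-in low-privilege user, and a capability check alone does not stop CSRF.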

15 Apr 2022

Brand New WordPress File Manager Plugin Allows Anyone to View and Upload Arbitrary Files

Before new plugins are allowed in to WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]

13 Apr 2022

Recently Closed WordPress Plugin with 50,000+ Installs Contains Authenticated Persistent XSS Vulnerability

On Monday, the WordPress plugin Slideshow was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains an authenticated persistent cross-site scripting (XSS) vulnerability.

When creating or editing one of the plugin’s slideshows, there are text inputs in the Slideshow Settings for which there isn’t proper sanitization, validation, and/or escaping. Malicious JavaScript can be saved into at least some of those and is then output, which is an authenticated persistent XSS vulnerability. If that were limited to users with the unfiltered_html capability, it wouldn’t be a vulnerability (though it would still be a security issue), but by default the plugin gives users with the Author role access to those settings, and they don’t have that capability. [Read more]
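The distinction drawn above, that stored HTML is only a vulnerability when a user without `unfiltered_html` can save it, maps directly onto how the save and output code should be written. The following added example shows a settings field stored and echoed verbatim beside a hardened version that sanitizes according to the current user’s capability and escapes on output. It is not the Slideshow plugin’s code; the meta key, field and function names are hypothetical.

```php
<?php
// Added example, not code from the Slideshow plugin. Meta key, form field and
// function names are hypothetical.

// Vulnerable pattern: the submitted value is stored verbatim and echoed
// verbatim. An Author (no unfiltered_html) can persist <script> tags that run
// for every visitor and for administrators viewing the settings.
function example_save_caption_vulnerable( $post_id ) {
    if ( isset( $_POST['example_caption'] ) ) {
        update_post_meta( $post_id, '_example_caption', $_POST['example_caption'] );
    }
}

function example_render_caption_vulnerable( $post_id ) {
    echo '<div class="caption">' . get_post_meta( $post_id, '_example_caption', true ) . '</div>';
}

// Hardened pattern, step 1: sanitize on save according to what the current
// user is allowed to post. Users holding unfiltered_html are trusted by
// WordPress core to submit raw HTML; everyone else is limited to the same
// allowlist core applies to post content.
function example_sanitize_caption( $raw ) {
    $raw = wp_unslash( $raw );
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $raw;
    }
    return wp_kses_post( $raw );
}

function example_save_caption_secure( $post_id ) {
    if ( ! isset( $_POST['example_caption'] ) ) {
        return;
    }
    // CSRF protection: the edit form must carry a nonce for this post.
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( wp_unslash( $_POST['example_nonce'] ), 'example_save_' . $post_id ) ) {
        return;
    }
    // Authorization: only users who may edit this post may change its caption.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    update_post_meta( $post_id, '_example_caption', example_sanitize_caption( $_POST['example_caption'] ) );
}
add_action( 'save_post', 'example_save_caption_secure' );

// Hardened pattern, step 2: escape on output for the context the value lands in.
function example_render_caption_secure( $post_id ) {
    $caption = get_post_meta( $post_id, '_example_caption', true );

    // HTML body context where limited markup is intended: re-filter on output
    // rather than trusting what is in the database. This also neutralizes
    // payloads stored before the fix was applied.
    echo '<div class="caption">' . wp_kses_post( $caption ) . '</div>';

    // Attribute context: no markup is acceptable, so strip tags and escape.
    echo '<img src="" alt="' . esc_attr( wp_strip_all_tags( $caption ) ) . '">';
}
```

The save-side check uses `current_user_can( 'unfiltered_html' )` rather than a role name because the capability is what core consults; on multisite it is removed even from administrators unless `DISALLOW_UNFILTERED_HTML` is not set, so a role-based check would get that case wrong. Re-filtering on output with `wp_kses_post()` is a deliberate defense-in-depth choice: it means a trusted user’s raw `<script>` is also removed from the rendered page, which is the right trade-off for a caption field.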

12 Apr 2022

5+ Million Install WordPress Plugin Elementor Contains Authenticated Remote Code Execution (RCE) Vulnerability

Late last week, third-party data we monitor showed what was possibly a hacker probing for usage of the WordPress plugin Elementor, which has 5+ million active installs according to WordPress, by requesting this file:

/wp-content/plugins/elementor/readme.txt [Read more]