5 Apr 2022

WooCommerce Payment Plugin Targeted by Hacker Contains Multiple Serious Vulnerabilities

Late last week, third-party data we monitor showed what looked to be a hacker probing for usage of ЮKassa для WooCommerce (YooKassa for WooCommerce), a WordPress plugin that handles payment processing for the WooCommerce plugin, through requests for this file:

/wp-content/plugins/yookassa/assets/js/yookassa-admin.js

30 Mar 2022

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability in a WordPress Plugin With 70,000+ Installs

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that monitoring, we caught one such vulnerability, an authenticated PHP object injection vulnerability in the plugin Blog2Social, which has 70,000+ active installs according to wordpress.org.

We are now also running all the plugins used by customers through that monitoring on a weekly basis to provide additional protection for our customers.

29 Mar 2022

Despite “Manual Security Review”, Brand New WordPress Plugin Contains Multiple Vulnerabilities

Before new plugins are allowed into WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections.

28 Mar 2022

WordPress Plugin Targeted by Hacker Contains Authenticated Arbitrary File Upload Vulnerability

The WordPress plugin Pie Register has had many vulnerabilities discovered in it over the years, including multiple serious vulnerabilities that you would expect hackers to try to exploit. Despite that, WordPress states it has 5,000 active installs, so continued insecurity doesn’t appear to discourage people from using a plugin (though thankfully, none of the customers of our main service are currently using it).

Over the weekend, we saw what looked to be a hacker probing for usage of the plugin on this website with a request for the following file:
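Both the ЮKassa для WooCommerce and the Pie Register posts above describe the same reconnaissance pattern: a scanner requests a static file that only exists if a particular plugin is installed, and the HTTP status tells it whether the site is a target. The following is an added example, not code from the blog or from either plugin, of how to spot that pattern in a web server access log. It assumes the Apache/nginx "combined" log format, and the log lines it runs on are constructed for the example rather than taken from any real site. The heuristic is that a browser rendering a page sends a Referer with the asset requests that page triggers, whereas a scanner fetches the plugin file directly, so the Referer is empty.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Any request into a plugin's directory; the first path component after
# /wp-content/plugins/ is the plugin's directory slug (e.g. "yookassa").
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/?]+)/')

# Constructed sample log lines for this example (not real traffic from the
# site discussed in the posts). The first IP fetches one static file from each
# of several plugins with no Referer, which is the probing pattern described
# above; the second IP is an ordinary visitor whose browser loads an asset
# while rendering a page, so that request carries a Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2022:10:12:01 +0000] "GET /wp-content/plugins/yookassa/assets/js/yookassa-admin.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2022:10:12:02 +0000] "GET /wp-content/plugins/pie-register/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2022:10:12:03 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2022:10:12:04 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2022:10:15:40 +0000] "GET /wp-content/plugins/woocommerce/assets/js/frontend/cart.min.js HTTP/1.1" 200 12345 "https://example.test/cart/" "Mozilla/5.0"
198.51.100.4 - - [01/Apr/2022:10:15:41 +0000] "GET /cart/ HTTP/1.1" 200 54321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_probes(log_text, min_slugs=2):
    """Return {ip: {slug: status}} for each client that requested files from
    at least `min_slugs` distinct plugin directories with no Referer ("-")."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["referer"] != "-":
            continue
        m = PLUGIN_RE.match(rec["path"])
        if m is None:
            continue
        hits[rec["ip"]][m.group("slug")] = rec["status"]
    return {ip: slugs for ip, slugs in hits.items() if len(slugs) >= min_slugs}


def confirmed_plugins(probes):
    """Plugins that answered a probe with 200: the prober now knows they are
    installed, so those are the ones to check for known vulnerabilities first."""
    found = {slug for slugs in probes.values()
             for slug, status in slugs.items() if status == 200}
    return sorted(found)


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, slugs in probes.items():
        detail = ", ".join(f"{s} ({st})" for s, st in sorted(slugs.items()))
        print(f"{ip} probed {len(slugs)} plugins: {detail}")
    print("confirmed installed:", confirmed_plugins(probes))
```

Two caveats when running this over real logs. The `min_slugs` threshold exists because a single 404 for a plugin file is common noise (stale caches, broken links); the ЮKassa case above involved requests for just one file, so catching that kind of single-slug probe means matching on known probed paths rather than on volume. And the Referer test is a heuristic, not proof: some scanners set a Referer, and some privacy settings strip it from legitimate browsers, so treat the output as a triage list.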

24 Mar 2022

Insecurity of WordPress Plugin Product Table for WooCommerce Includes Information Disclosure Vulnerability

The most recent version of the WordPress plugin Product Table for WooCommerce had a very important security fix, though you wouldn’t know that by looking at the changelog for that version, as there isn’t one. Those relying on a couple of our competitors, WPScan and Patchstack, wouldn’t have a full understanding of it either, as they somehow managed to miss the full scope of the vulnerability being addressed.

Based on what we saw while reviewing the change, there was reason to believe there could be additional security issues in the plugin. We have confirmed that is the case, and we would recommend not using the plugin unless it has had a thorough security review and all issues have been addressed.

23 Mar 2022

Security Provider SecurityScorecard’s New WordPress Plugin Contains Security Vulnerability

One of the indications that something is very wrong with the security industry is how insecure the software and hardware of companies in it are. The latest example of that we ran across involves a company named SecurityScorecard, which we had not heard of before.

Yesterday they introduced a WordPress plugin, SecurityScorecard Seal of Trust Badge, which appeared on our radar due to the monitoring we do to keep track of security issues in WordPress plugins. That plugin is described as:

22 Mar 2022

Two WordPress Plugins With 60,000+ Installs Contain Authenticated Option Update Vulnerability

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that monitoring, we caught one such vulnerability, an authenticated option update vulnerability in the plugins Stop Generating Unnecessary Thumbnails, which has 40,000+ installs, and CoDesigner, which has 20,000+ installs. Those plugins are from the same developer, so other plugins from them might be affected as well. This is also the second time our proactive monitoring has identified fairly serious vulnerabilities in these plugins (the previous instances involved separate vulnerabilities).

We are now also running all the plugins used by customers through that monitoring on a weekly basis to provide additional protection for our customers.

14 Mar 2022

Our Proactive Monitoring Caught an Authenticated Option Deletion Vulnerability in the FastDev WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that monitoring, we caught one such vulnerability, an authenticated option deletion vulnerability in the plugin FastDev.

We are now also running all the plugins used by customers through that monitoring on a weekly basis to provide additional protection for our customers.

11 Mar 2022

Security Issues With Accept Stripe Payments WordPress Plugin

Earlier today a topic was created on the WordPress support forum for the plugin Accept Stripe Payments questioning whether there was a security hole in the plugin:

We’ve had hundreds of small fake charges to random people made by our Stripe account. I even got some calls from random people asking why we charged them! This is due to some fraudsters using our Stripe API key for card testing (testing whether a stolen card is valid).

9 Mar 2022

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that monitoring, we caught one such vulnerability, an authenticated PHP object injection vulnerability being introduced into the plugin Contact.

We are now also running all the plugins used by customers through that monitoring on a weekly basis to provide additional protection for our customers.