7 Mar 2022

WordPress Plugin Targeted by Hacker Currently Contains Authenticated Settings Change Vulnerability

On Saturday we had what looked to be a hacker probing for usage of the WordPress plugin WPCargo, which has 10,000+ installs, on our website. While there is a vulnerability that was recently fixed that could explain a hacker targeting the plugin, we did a quick check over the plugin. We found the plugin is lacking basic security and contains multiple security vulnerabilities. The simplest to confirm and explain is an authenticated settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found addressed.

The plugin registers the function update_import_option_ajax_request() to be accessible through WordPress’ AJAX functionality to anyone logged in to WordPress:

4 Mar 2022

Recently Closed WordPress Plugin with 60,000+ Installs Contains Authenticated Persistent XSS Vulnerability

Yesterday, the WordPress plugin Post Grid was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 60,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains an authenticated persistent cross-site scripting (XSS) vulnerability.

When creating or editing one of the plugin’s post grids, there is the option to include custom JavaScript code. If that were limited to users with the unfiltered_html capability, that wouldn’t be an issue, since they are intended to be able to add JavaScript code. But that post type is accessible to users without that capability, as it is possible for any user who is able to create WordPress posts:

2 Mar 2022

WordPress Plugin Claimed to Contain “Critical 0-day Vulnerability” Contains at Least Authenticated Settings Change Vulnerability

On February 15, a topic was started on the wordpress.org support forum for the WordPress plugin Photonic with the title “Critical 0-day vulnerability in the Photonic Plugin v 2.75”. That was subsequently deleted by a moderator, but nothing was done with the plugin on WordPress’ plugin directory. It is still available for download and has not been updated. While we can’t say if the claim made in the title is true since the details of the claim are not available, we easily found that the plugin is lacking basic security and contains at least an authenticated settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found are addressed.

The plugin registers the function save_token_in_options() to be accessible by anyone logged in to WordPress:

28 Feb 2022

Recently Closed WordPress Plugin with 50,000+ Installs Contains CSRF/Restricted File Upload Vulnerability

A week ago, the WordPress plugin Nimble Page Builder was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 50,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to upload some types of files.

In the file /inc/sektions/ccat-czr-sektions.php, the plugin makes the function sek_ajax_import_attachment() accessible to those logged in to WordPress:

28 Feb 2022

Update to WordPress Plugin Mistape Appears to Add Malicious Backdoor

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught what looks to be an even more serious issue, what appears to be a malicious backdoor being added to the plugin Mistape, which has 3,000+ installs.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers.

25 Feb 2022

Our Security Review of WordPress Plugin Found Freemius Library Still Contained Vulnerabilities 3 Years After Major Security Incident

Three years ago, the Freemius library, which is a monetization library widely used in WordPress plugins, fixed a serious vulnerability only after a hacker had identified it and started exploiting it. The situation surrounding that was quite a mess. It would be reasonable to think that the developer of the library and the developer of the plugins, especially security plugins, using the library would have made sure to get the security of the library reviewed after that to address any other security issues, but that turns out not to be the case.

What makes that more striking is that the developer claimed after that went down that:

22 Feb 2022

WordPress Plugin Targeted by Hacker Currently Contains Settings Change Vulnerability

Last week we had what looked to be a hacker probing for usage of the WordPress plugin Page View Count, which has 20,000+ installs, on our website. While there is a vulnerability that was recently fixed that could explain a hacker targeting the plugin, we did a quick check over the plugin. We found the plugin is lacking basic security and contains at least one vulnerability, a settings change vulnerability. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found addressed.

When the plugin is active, an instance of the class Admin_UI in the file /admin/admin-ui.php is initialized. That causes the __construct() function in the class to be run, which in turn causes the function update_google_map_api_key() in the file to be run:

16 Feb 2022

WordPress Plugin With 100,000+ Installs Contains Post Duplication Vulnerability

On Monday we had what looked to be a hacker probing for usage of the WordPress plugin Email Subscribers, which has 100,000+ installs, on our website. There are several possible explanations for that. One involves a fairly misleading claim about a vulnerability being fixed in the plugin recently.

As part of assessing the situation, we started checking for the possibility that the plugin currently contains a more serious vulnerability. What we found is that the plugin is lacking basic security checks in places and other code seems insecurely designed. We would recommend not using the plugin unless it has had a thorough security review done and all the issues found addressed.

15 Feb 2022

Our Proactive Monitoring Caught a CSRF/Plugin Deactivation Vulnerability in Language Switcher

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, a cross-site request forgery (CSRF)/plugin deactivation vulnerability in the plugin Language Switcher.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers.