24 Jan 2022

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, being introduced into the plugin ICS Calendar.

We are now also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

20 Jan 2022

Wordfence Fails to Warn of Easy to Spot Vulnerabilities in WP HTML Mail

A couple of frequent issues we see with the WordPress security company Wordfence involve them belatedly telling people to update individual plugins instead of just telling people to keep plugins up to date at all times (which they admit would lessen the need for what they are selling) and failing to warn people that plugins still contain easy to spot vulnerabilities. Both of those are true with the plugin WP HTML Mail.

Yesterday, they told people to update the plugin because of a cross-site scripting (XSS) vulnerability that had already been fixed. But while reviewing that, we found the plugin still contains an easy to spot XSS vulnerability and the same code allows anyone logged in to WordPress to send unlimited emails to arbitrary email addresses from the website. [Read more]

14 Jan 2022

WordPress Plugin Post Snippets Contains CSRF/Cross-Site Scripting (XSS) Vulnerability

A week ago, one of the moderators of the WordPress support forum deleted a topic titled “[Post Snippets] v3.1.3 – Stored Cross-Site Scripting (XSS) vulnerability”. The moderator’s message in deleting that said “Please report vulnerabilities responsibly.” If there really was a vulnerability being reported, the moderator didn’t make sure it was addressed, as the plugin hasn’t been updated in the past week.

After we got alerted about the deletion message, we looked at the plugin and found that it does at least contain a cross-site scripting (XSS) vulnerability that can be exploited through cross-site request forgery (CSRF). [Read more]

13 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, in the brand new plugin Vossle.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

12 Jan 2022

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in a WordPress Plugin with 40,000+ Installs

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability, in the plugin Stop Generating Unnecessary Thumbnails, which has 40,000+ installs.

We are now also running all the plugins used by customers through that on a weekly basis, to provide additional protection for our customers. [Read more]

11 Jan 2022

WordPress Plugin Directory Team Fails to Flag Base64 Encoded Code That Creates Backdoor Account

In 2017 there was a very bad situation where the two people running the WordPress Plugin Directory allowed a plugin containing malicious code to return into the directory twice, only to have malicious code added again each time. Somehow that situation didn’t lead to a shakeup of the team running that, to address the two problematic people who have long controlled it.

In the third instance, part of the code was obfuscated using base64 encoding. In the comments on a post on the WP Tavern about the situation, there were a couple of comments noting that the Plugin Directory team should have flagged that code: [Read more]

7 Jan 2022

Our Plugin Security Checker Identified an Authenticated Option Update Vulnerability in a WordPress Plugin with 20,000+ Installs

One of the tools we have developed to help keep websites secure from vulnerabilities in WordPress plugins is our Plugin Security Checker, which identifies the possibility of some instances of vulnerabilities in plugins. One way we work to improve the quality of the results produced by that is by doing occasional checks of the results for plugins people are running through it. Through that, we confirmed that the plugin Material Design for Contact Form 7, which has 20,000+ installs, contains a fairly serious type of vulnerability, an authenticated option update vulnerability, though the specifics limit the ability for it to be abused in a non-targeted attack.

The tool identified the following code as possibly vulnerable: [Read more]

6 Jan 2022

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Saksh Escrow System

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin Saksh Escrow System.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

4 Jan 2022

Misuse of WordPress REST API Permission Callback Leads to Privilege Escalation Vulnerability in OMGF

Last week someone posted on the wordpress.org support forum for the WordPress plugin OMGF about a claimed security vulnerability in the plugin. A moderator deleted that posting. The plugin hasn’t been updated, so either there wasn’t a vulnerability or the moderator hasn’t made sure it was addressed. Either way, deleting the topic seems problematic.

After being notified of the message about deleting that topic, we checked over the plugin for obvious security issues and we found that the plugin does contain a vulnerability. The vulnerability would allow anyone logged in to WordPress to utilize the plugin’s capability to download fonts. It looks like that could be abused to fill up all the disk space available to the website, by downloading many copies of a font and having them saved in directories with different names. [Read more]