3 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a WordPress Plugin Used by Our Customers

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now expanded that for our customers by running plugins they use, even when the code in them is not updated, through the same system on a weekly basis. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the plugin Elite Licenser Lite.

Based on what we saw with the code we reviewed as part of that vulnerability, there appear to be other security issues in the plugin. [Read more]

9 Dec 2021

Wordfence’s Odd Takeaways From a Situation Involving a Very Insecure Plugin

Yesterday the WordPress focused security company Wordfence disclosed a fixed vulnerability in the WordPress plugin RegistrationMagic. The vulnerability sounds concerning:

This flaw made it possible for unauthenticated attackers to login as any user, including administrative users, on an affected site as long as a valid username or email address was known to the attacker and a login form created with the plugin existed on the site. [Read more]

8 Dec 2021

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Leads Builder For Any CRM

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an authenticated option update vulnerability, in the plugin WP Leads Builder For Any CRM.

Through the same monitoring, we identified the same type of vulnerability in another of the developer’s plugins three weeks ago. We put out an advisory on the developer due to continued poor handling of security over five years ago. [Read more]

7 Dec 2021

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in PublishPress Capabilities

Based on the level of insecurity we found while looking into the details of a serious vulnerability being fixed in version 2.3.1 of the WordPress plugin PublishPress Capabilities, we started checking for other security issues and we quickly found another vulnerability. The plugin doesn’t check for a valid nonce when making changes on the plugin’s Admin Features page.

What makes that vulnerability more concerning is that the vulnerable feature was only introduced in version 2.3 of the plugin: [Read more]

6 Dec 2021

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability Being Introduced into WP Image Refresh

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file upload vulnerability, being introduced into the plugin WP Image Refresh.

There appear to be other security issues in the plugin. [Read more]

3 Dec 2021

Closed WordPress Plugin With 40,000+ Installs Contains CSRF/XSS Vulnerability

Yesterday, the WordPress plugin WP Extra File Types was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a cross-site request forgery (CSRF) vulnerability that can be used to change the plugin’s settings and add malicious JavaScript code to them, which is cross-site scripting (XSS).

The plugin registers a settings page for itself, which calls the function admin_page(): [Read more]

29 Nov 2021

Our Proactive Monitoring Caught an Authenticated Plugin Deactivation Vulnerability in Userplace

Recently we ran across a vulnerability that had just been fixed in a plugin that allowed deactivating arbitrary WordPress plugins. That is a big concern for firewall plugins, like the one we recently released, as an attacker could disable the plugin and then take actions they would otherwise be unable to take because of the firewall. Making it more of a concern, testing we did after finding that showed that most security plugins didn’t protect against it. We have put in place protection for that in our firewall plugin, which will be released with the next version of our plugin, but based on past experience, other security plugins likely won’t address it.

After seeing that vulnerability, we updated our automated tools, including our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, to detect some instances of that. Because of that update to our proactive monitoring, we were alerted to an authenticated instance of that in the plugin Userplace. [Read more]

24 Nov 2021

Closed WordPress Plugin With 90,000+ Installs Contains Authenticated Arbitrary File Deletion Vulnerability

Today, the WordPress plugin Advanced Contact form 7 DB (Advanced CF7 DB) was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 90,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our service about if they are using the plugin. What we found was that it contains a vulnerability that allows anyone logged in to WordPress to delete arbitrary files from the website.

We tested and confirmed that our new firewall plugin for WordPress protected against the proof of concept below, even before we discovered the vulnerability, as part of its protection against zero-day vulnerabilities. [Read more]

23 Nov 2021

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability Being Introduced into WP Category Sort

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated PHP object injection vulnerability, being introduced into the plugin WP Category Sort.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

18 Nov 2021

WordPress Plugin Closed Today With 40,000+ Installs Contains CSRF/Arbitrary Directory Deletion Vulnerability

Today, the WordPress plugin Child Theme Generator was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should be warning customers of our service about if they are using the plugin. We found the plugin lacks protection against cross-site request forgery (CSRF), which could allow an attacker to cause a logged-in Administrator to take actions they didn’t intend. Among those is the ability to cause them to delete arbitrary directories on the server the website is on.

When the plugin’s admin page is accessed (which is limited to Administrators), the file /admin/class-child-theme-generator-admin.php is loaded, and that in turn causes the function section_remove() in the file to run: [Read more]