We recently introduced a new feature where we do security reviews of plugins that are selected by our customers. The first review was of WangGuard. The most serious issue we found in that review is a reflected cross-site scripting (XSS) vulnerability.
In the file /wangguard-user-info.php the value of the GET input “userIP” is set as the value of the variable $userIP without any sanitization: [Read more]
Last week we did the first release of results from our security reviews of WordPress plugins selected by our customers. That actually involved the second the plugin we reviewed though, as we were waiting to hear back from the developer of the first plugin we reviewed, WangGuard, after notifying them of the security issues we found. It has now been two weeks without a response from the developer or fixes for the vulnerabilities (it looks like the plugin might not be supported anymore), so we will disclose the results now. One of the issues found is something that will usually cause a plugin to be removed the Plugin Directory, so the plugin will likely be removed from that shortly.
If you are not yet a customer of the service you can currently try it free for your first month and then start suggesting and voting on plugins to get security reviews after your first payment for the service. For those already using the service that haven’t already suggested and voted for plugins you can start doing that here. [Read more]