17 Jun 2019

Vulnerability Details: Authenticated Settings Change in WebP Express

Back in December we discovered an arbitrary file viewing vulnerability in the plugin WebP Express. That was finally fixed in the past few days, after we once again pointed out to the people making a mess of the Plugin Directory and WordPress Support Forum that they had left a plugin in the Plugin Directory that they knew was vulnerable and that was being targeted by hackers. Looking at some of the other changes made in the new version of the plugin, it appears the directory team required some additional security changes but did not make sure that basic security checks were included. Considering the previous vulnerability, it was not surprising to find that another fairly serious vulnerability had been in the plugin, one that was fixed enough to stop exploitation but not enough to properly secure it.

12 Dec 2018

WordPress Team Stops Warning To Developer of Vulnerability in Plugin While Probing For Usage of the Plugin Has Already Begun

Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, and are only trying to notify developers through the WordPress Support Forum. That creates more of a problem when the vulnerabilities are likely to be exploited, as the arbitrary file viewing vulnerability we disclosed yesterday in the plugin WebP Express is. Thankfully, that type of vulnerability usually doesn’t lead to websites being hacked. You would think that someone on the WordPress side of things would step in to make sure the moderators’ behavior is cleaned up so that these full disclosures can end, or, barring that, keep on top of the disclosures to avoid them causing major issues. That doesn’t appear to be the case.

While our message to the developer on the Support Forum, letting them know of the issue right after we disclosed it, was blocked from being shown to them, that, not at all surprisingly (unless you are the WordPress team), hasn’t stopped hackers from already becoming aware of it. Earlier today we saw a couple of requests that look to be probing for usage of the plugin by requesting a CSS file from it, /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css. Those came from IP addresses in China that appear to belong to Alibaba.
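The probing described above, as an added example that is not part of the original post: a small Python check that reads web-server access-log lines and flags direct requests for files under a watched plugin directory. A browser loading that CSS from one of the site’s own pages sends the page as the Referer, while a scanner checking whether the plugin exists usually sends none, and the status code is what the prober learns from (200 means the plugin directory is there, 404 means move on). The log lines are constructed for the example, the plugin watch list, the no-Referer heuristic and the function names are assumptions, and the CSS path is the one from the post.

```python
import re
from collections import Counter

# Constructed sample lines in "combined" access-log format; not real traffic.
# The CSS path is the one named in the post; the addresses are documentation
# ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Dec/2018:09:14:02 +0000] "GET /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Dec/2018:09:14:03 +0000] "GET /wp-content/plugins/webp-express/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Dec/2018:09:20:41 +0000] "GET /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css HTTP/1.1" 200 1824 "-" "python-requests/2.20.0"',
    '192.0.2.55 - - [12/Dec/2018:09:21:00 +0000] "GET /wp-content/plugins/webp-express/lib/options/css/webp-express-options-page.css?ver=1.0 HTTP/1.1" 200 1824 "https://example.com/wp-admin/options-general.php" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Dec/2018:09:21:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    'this line is not a valid log entry',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Plugin slug -> directory under wp-content/plugins to watch.  Assumed for the
# example; add the slugs of plugins you run (or deliberately do not run).
WATCHED_PLUGINS = {'webp-express': '/wp-content/plugins/webp-express/'}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]  # drop the query string
    rec['referer'] = rec['referer'] or '-'
    rec['ua'] = rec['ua'] or '-'
    return rec


def find_plugin_probes(lines, watched=WATCHED_PLUGINS):
    """Flag requests for files under a watched plugin directory that carry no
    Referer.  A 200 tells the requester the plugin directory is present; a 404
    tells it to move on to the next site."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for slug, prefix in watched.items():
            if rec['path'].startswith(prefix) and rec['referer'] == '-':
                hits.append({
                    'ip': rec['ip'],
                    'plugin': slug,
                    'path': rec['path'],
                    'status': rec['status'],
                    'plugin_present': rec['status'] == 200,
                    'user_agent': rec['ua'],
                })
    return hits


def probes_per_ip(hits):
    """Count flagged requests per source address, to spot a scanner sweeping a plugin list."""
    return Counter(h['ip'] for h in hits)


if __name__ == '__main__':
    for h in find_plugin_probes(SAMPLE_LOG):
        print(f"{h['ip']} {h['status']} {h['path']} present={h['plugin_present']} ua={h['user_agent']}")
```

Feed it real log lines from a file to use it on a site. The missing-Referer heuristic is a triage signal, not proof: a scanner can send any Referer it likes, and a 403 rather than 404 on the path also tells it the directory exists, so treat any repeated direct fetches of a plugin’s static files from one address as worth a look.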

11 Dec 2018

A New Addition to Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability in a WordPress Plugin in Less Than a Day

Earlier today, in detailing an arbitrary file viewing vulnerability that had been fixed in a WordPress plugin, we noted that looking at that code led us to improve our detection of that type of vulnerability, both in our proactive monitoring of changes being made to plugins (which tries to catch serious vulnerabilities when they are introduced into plugins) and in our Plugin Security Checker. It didn’t even take a day before that improvement allowed us to spot an arbitrary file viewing vulnerability in the plugin WebP Express through the proactive monitoring. That type of vulnerability is likely to be exploited, though it usually doesn’t cause websites to be hacked.
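As an added illustration of the kind of check such monitoring can run over changed plugin code (example code written for this page, not the service’s own detection logic): a Python heuristic that scans PHP source for file-reading functions whose argument comes from request data, either directly or through a variable assigned from it without a sanitizing call. The PHP snippets are constructed for the example and are not WebP Express’s code; the sink list, the sanitizer list and the function names are assumptions.

```python
import re

# Constructed PHP snippets standing in for plugin files under review; they are
# not WebP Express's code.
PHP_SAMPLES = {
    'options-page.php': """<?php
$file = $_GET['file'];
if (isset($file)) {
    readfile($file);
}
""",
    'image-preview.php': """<?php
header('Content-Type: image/webp');
readfile($_REQUEST['path']);
""",
    'safe-download.php': """<?php
$name = basename($_GET['file']);
$path = WP_CONTENT_DIR . '/uploads/' . $name;
if (!current_user_can('manage_options')) { wp_die(); }
echo file_get_contents($path);
""",
    'unrelated.php': """<?php
$settings = get_option('my_settings');
echo esc_html($settings['title']);
""",
}

# Request superglobals that carry attacker-controlled input.
SUPERGLOBALS = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')
# PHP functions that take a path and return or emit the file's contents
# (longer names first so the alternation prefers them).
READ_SINKS = re.compile(
    r'\b(file_get_contents|readfile|fpassthru|show_source|highlight_file|'
    r'include_once|require_once|include|require|fopen|file)\s*\('
)
# Calls that reduce a request value to a bare file name.  realpath() is
# deliberately absent: on its own it does not stop directory traversal.
SANITIZERS = ('basename(', 'sanitize_file_name(')
# `$var = <expression>;` (but not `==`).
ASSIGN = re.compile(r'^\s*(\$\w+)\s*=(?!=)\s*(.+);')


def _mentions(var, text):
    return re.search(re.escape(var) + r'\b', text) is not None


def scan_php(source):
    """Return findings for read sinks fed by request data, directly or via a
    variable assigned from it without a sanitizer.  Single-file and
    line-based: taint that crosses functions or files is not followed."""
    findings, tainted = [], set()
    for lineno, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            from_request = SUPERGLOBALS.search(rhs) or any(_mentions(t, rhs) for t in tainted)
            if from_request and not any(s in rhs for s in SANITIZERS):
                tainted.add(var)
            else:
                tainted.discard(var)  # reassigned from a clean source
        for sink in READ_SINKS.finditer(line):
            args = line[sink.end():]
            if SUPERGLOBALS.search(args):
                findings.append({'line': lineno, 'sink': sink.group(1),
                                 'reason': 'request data passed directly'})
                continue
            for t in sorted(tainted):
                if _mentions(t, args):
                    findings.append({'line': lineno, 'sink': sink.group(1),
                                     'reason': f'{t} comes from request data'})
                    break
    return findings


def scan_plugin(files):
    """Map file name -> findings, for the files that have any."""
    out = {}
    for name, source in files.items():
        found = scan_php(source)
        if found:
            out[name] = found
    return out


if __name__ == '__main__':
    for name, found in scan_plugin(PHP_SAMPLES).items():
        for f in found:
            print(f"{name}:{f['line']}: {f['sink']}() - {f['reason']}")
```

A hit is a candidate for review, not a confirmed vulnerability: a read that is both restricted to a fixed directory and gated by a capability check is fine, while a capability check alone only narrows who can read arbitrary files, which is the "fixed enough to stop exploitation but not properly secured" situation the June post describes. The heuristic also misses taint that passes through function parameters, class properties or other files, so it is a first filter over a diff, not a replacement for reading the code.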

This vulnerability is yet another good reason to check the plugins you use with our Plugin Security Checker, since it can alert you if plugins you use possibly contain a similar issue (and possibly many other serious vulnerabilities). From there, if you are a paying customer of our service, you can suggest/vote for the plugin to receive a security review that will check for that, or you can order the same type of review separately.