23 Jul 2019

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in WooCommerce Product Feed

Today a new CVE entry was added, CVE-2019-1010124, for the plugin WooCommerce Product Feed. The entry seems a bit odd, as one of the links doesn’t work and the other is to a YouTube video from just over a year ago. It also indicates that version “2.2.18 and earlier is affected by” the vulnerability. In line with the age of the video, that is a rather out-of-date version of the plugin. From the YouTube video it looked like what might be at issue is a reflected cross-site scripting (XSS) vulnerability, and upon testing that out we found the plugin is still vulnerable.

[Read more]

19 Nov 2018

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in a WordPress Plugin with 10,000+ Installs

In the wake of the widespread exploitation of an option update vulnerability in the WordPress plugin WP GDPR Compliance, the difference between our response and that of others in the WordPress security community has been a reminder that, unfortunately, we are largely alone in trying to actually make WordPress websites more secure against security issues in WordPress plugins.

For example, Defiant, the company behind the Wordfence Security plugin, which had failed to protect even those using their paid service, Wordfence Premium, decided to respond to that by lying and claiming those using it were “covered”. The team that handles the security of plugins on the WordPress side of things also seems to have had no interest in considering that they are not properly handling when to force out updates, which could prevent many websites from being unnecessarily hacked in the future. [Read more]

13 Sep 2016

Cross-Site Request Forgery (CSRF) Vulnerability in WooCommerce Product Feed

One of the things we do to provide the best data on vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to them. Last week we came across a thread indicating that there was a cross-site request forgery (CSRF) vulnerability in the plugin WooCommerce Product Feed. When we looked into this, we noticed that the version that was supposed to fix it didn’t have any changes that looked related to that. When we then asked in the thread if the developer was sure that the intended fix was included, they responded yes, but what they said they had done to fix the vulnerability had actually been done in a version released after we asked them the question, so the truth was that they had not.

Not enough information was given for us to determine if there had actually been the claimed CSRF vulnerability in the plugin, but while looking over the plugin when we originally came across the thread, we noticed a cross-site request forgery (CSRF) vulnerability that exists in the current version of the plugin. [Read more]