28 Sep 2021

Mika Epstein and Samuel “Otto” Woods Block 30,000+ WordPress Websites From Getting Critical Security Update

What continues to be one of the worst aspects of dealing with the security of WordPress plugins is that it would be so easy to get to a much better situation, if not for the people that Matt Mullenweg, the head of WordPress, has empowered to run the WordPress Plugin Directory. There are easy changes that could be made, but don’t happen because of them. One of them has been impacting 30,000+ websites using the plugin WP DSGVO Tools (GDPR).

A Recipe for Bad Results

You can tell that something is very amiss with the team running that directory when you see that only four people are claimed to be on the team. By comparison, the team running the theme directory has 10 people listed as being Team Representatives and Theme Moderators (presumably there are more people below that level). The theme directory is listed as currently having nearly 9,000 themes, while the plugin directory is listed as having about 59,000 plugins, so you would expect the plugin team to be larger, not smaller. It isn’t for a lack of interest; instead, they claim they can’t add more members: [Read more]

22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. That is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities that we should be warning users of the plugin that also use our service about, we found just such a vulnerability in the plugin. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter vulnerability is a type that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability. [Read more]

23 Aug 2019

Closures of Very Popular WordPress Plugins, Week of August 23

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though, as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week two of those plugins were closed and both of them have been reopened. [Read more]

22 Aug 2019

GDPR Plugins for WordPress Continue to Be Insecure

The European Union’s General Data Protection Regulation (GDPR) is a data protection law that, when it comes to WordPress websites, is causing them to be less secure, not because of the law itself, but because the plugins for dealing with it haven’t been properly secured. In October of last year we noted that the plugin WP DSGVO Tools (GDPR) contained a PHP object injection vulnerability, which then remained in the plugin for two more months. The plugin was closed on the WordPress Plugin Directory today. That is one of the 1,000 most popular plugins, with 40,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found the possibility of one of those, though the relevant code that makes it operational looks to only be available in the commercial version of the plugin. We did confirm that a less serious related vulnerability exists.

With just the vulnerability we confirmed, there are multiple pretty obvious security problems, so there likely are more security issues with the plugin. [Read more]