19 Apr 2023

WP Engine Didn’t Disclose They Were Fixing Vulnerability in 200,000+ Install WordPress Plugin

Recently, the WordPress security provider Patchstack claimed that a cross-site request forgery (CSRF) vulnerability had been fixed in the 200,000+ install WordPress plugin PHP Compatibility Checker. Patchstack has a track record of providing inaccurate information on vulnerabilities in WordPress plugins, so you can’t take them at their word that there really was a vulnerability or that it has been fixed. Unfortunately, they also don’t provide the basic information needed to double check their claims. In this case, they provide this description of what CSRF is as the “details” of the vulnerability:

 Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress PHP Compatibility Checker Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.6.0. [Read more]

5 Apr 2023

WP Engine’s New WordPress Plugin Contains CSRF Vulnerability

From what we have seen, WP Engine has a reputation for having a good handle on security, despite having a bad track record going back many years. In line with that track record, we found that the WordPress plugin they released on the WordPress Plugin Directory last week, Pattern Manager, lacks a basic security check, leading to a minor vulnerability.

In the file /wp-modules/editor/model.php, the plugin registers the function redirect_pattern_actions() so that it is accessible even to visitors not logged in to WordPress: [Read more]

3 May 2018

We Wouldn’t Call WP Engine A Good Web Host for Providing Inaccurate Data on WordPress Plugin Vulnerabilities to Their Customers

When it comes to getting information on the security issues in WordPress plugins, developers of plugins are not always the best source. That is the case with a persistent cross-site scripting (XSS) vulnerability discovered by Federico Scalco that was in the plugin Caldera Forms. While the discoverer of the vulnerability, the developer of the plugin, and all of the other data sources of vulnerabilities in WordPress plugins we are aware of claimed that it had been fixed in version 1.6.0 of the plugin, it actually wasn’t, as testing out the claimed vulnerability would have shown any of them (how easy it would have been to test that is something we will go into in another post). If you were using our service you would have been correctly notified that it hadn’t been fixed.

That has now been fixed in version 1.6.1.1. Here is what the developer wrote about that: [Read more]