20 Feb

Vulnerability Details: Arbitrary Directory Deletion Vulnerability in WP Fastest Cache

This Vulnerability Details post about a vulnerability in the plugin WP Fastest Cache provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

31 Oct

Full Disclosure of CSRF/SSRF Vulnerability in WordPress Plugin With 800,000+ Installs

One of the impediments we see to improving security of WordPress plugins (as well as security in general) is that security journalist don’t provide a good picture of what is and isn’t going on, so others don’t understand what is actually needed to be done to improve the situation. One recent example comes from Catalin Cimpanu at ZDNet’s Zero Day blog who put forward this one sided (at best) portrayal of the handling of the security of WordPress plugins by the people on the WordPress side of things:

[Read more]

09 Oct

Vulnerability Details: CSRF/XSS Vulnerability in WP Fastest Cache

This Vulnerability Details post about a vulnerability in the plugin WP Fastest Cache provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

02 Mar

What Happened With WordPress Plugin Vulnerabilities in February 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

[Read more]

01 Dec

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

[Read more]

02 Nov

Vulnerability Details: Cross-Site Request Forgery (CSRF) Vulnerability in WP Fastest Cache

This Vulnerability Details post about a vulnerability in the plugin WP Fastest Cache provides the details of a vulnerability we ran across while collecting data on vulnerabliities discovered by others for our data set on vulnerabilities in WordPress plugins, so its contents are limited to customers of our service. If you are not currently a customer, you can sign up for free here. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.

[Read more]

20 Jun

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in WP Fastest Cache

Recently in discussing Wordfence’s problematic practice of disclosing vulnerabilities, but only releasing partial details, in what appears to attempt to try to profit by being the only firewall provider who can protect against these, we mentioned that this practice makes it harder for other to review the vulnerabilities. That is important since we frequently find that vulnerabilites haven’t actually been fixed, they have only been partially fixed, or that the disclosure of one vulnerability will point the way to other vulnerabilities. When it comes Wordfence’s disclosures that concern already wasn’t a hypothetical. The first time they did that type of disclosure, with the Yoast SEO plugin, we found two related vulnerabilites that they had missed (which still have yet to be fixed).

[Read more]

26 May

Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

[Read more]

25 May

Protecting You Against Wordfence’s Bad Practices: Unauthorized Options Update Vulnerability in WP Fastest Cache

Wordfence is putting WordPress website at risk by disclosing vulnerabilities in plugins with critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities to try to limit the damage Wordfence’s practice could cause.

[Read more]