Login

Tag Archives: WP GDPR Compliance

20 Nov 2018

CEO of Security Company Alertot Claims the Company Left Websites Running WP GDPR Compliance to Be Hacked

When it comes to the response from the security industry to the exploitation of a vulnerability in the WordPress plugin WP GDPR Compliance things keep getting worse. You would think that telling people to update the plugin after it was already widely exploited instead telling them truth they should be keeping their plugins up to date at all times (which would lessen the need for their services) or lying and telling people that your service covered them when it didn’t, would be bad enough. But while looking into something related to another possibility vulnerability that had been in that plugin we came across as post from the CEO, Claudio Salazar, of a security company we had not heard of before, Alertot, who claimed this about the other serious vulnerability that definitely had had been in the plugin:

We have been monitoring this plugin for some months because we discovered a serialization bug around May and added it to our private vulnerability database at alertot. [Read more]

9 Nov 2018

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.

Seeing as there are lots of people that still haven’t gotten the message about these services should be avoided if there isn’t evidence that shows effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday where websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service failed to protect them while being promoted as being able to do that. [Read more]

8 Nov 2018

Unlike Wordfence and Other Security Providers We Warned About WP GDPR Compliance Before Websites Started to Get Hacked

When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.

We had been warning our customers of one of those before you could even normally upgrade to that version of the plugin as the plugin was closed at the time (we warned our customers that it was at high likelihood of exploitation). At that time we could have help our customers to upgrade to 1.4.3 and then shortly after we started warning them the plugin was re-opened and they could upgrade normally. That all occurred yesterday. [Read more]

8 Nov 2018

Vulnerability Details: Option Update Vulnerability in WP GDPR Compliance

Yesterday we discussed a PHP object injection vulnerability that had been fixed in the plugin WP GDPR Compliance in relation to a topic on the WordPress Support Forum related to a plugin being installed on websites. Today there have been several reports claiming that websites were hacked through WP GDPR Compliance to create new Administrator accounts, which seems likely to be caused by code related to the vulnerable code we discussed with the PHP object injection vulnerability. That issue is described, though not detailed by Adrian Mörchen in an entry on the WPScan Vulnerability Database.

[Read more]

7 Nov 2018

Vulnerability Details: PHP Object Injection Vulnerability in WP GDPR Compliance

Yesterday the plugin WP GDPR Compliance was closed on the Plugin Directory, the reason given by the developer is that was done by the “WordPress Plugin Review Team after finding a security flaw“.  It isn’t clear if what is the full explanation of this, but the closure may be related to recent message on a topic on the forum we mentioned before where a plugin was being installed by hackers on websites. It isn’t clear whether there was actually a connection between the security of this plugin and that situation, as the messages states:

[Read more]