10 May

How Free Data Sources for WordPress Plugin Vulnerabilities Compare To Us with Possibly Targeted Vulnerable Plugin

One of the reasons why security is in such bad shape despite the enormous amount of money spent on it is that there is a failed market when it comes to security products and services. In simple terms it isn’t currently possible for consumers to make well informed decisions between different products and services due to rampant falsehoods and outright lies about them as well as a lack of watchdogs to limit those or independent entities that provides accurate information needed to be able to make informed decisions. What sticks out to us is how widespread these falsehoods and outright lies are. We often see them in just the somewhat obscure area we deal in, data on vulnerabilities in WordPress plugins.

[Read more]

10 May

Information Disclosure Vulnerability in Google Drive for WordPress (wp-google-drive)

Yesterday we had a request on this website for a file that would be at /wp-content/plugins/wp-google-drive/gdrive-ajaxs.php, which is a file from the plugin Google Drive for WordPress (wp-google-drive). Just about a month ago we had provided more details on an arbitrary file deletion vulnerability in that plugin, which had been incorrectly labeled by the discoverer, Lenon Leite, as being a remote execution (RCE) vulnerability. When exploiting that vulnerability you would send a request to that particular file, but that type of vulnerability is not one that based on past experience, hackers would likely be interested in exploiting. While hackers’ level of interest in that type of vulnerability could have changed, what seems more likely that is someone was either thinking it was a RCE vulnerability, since those have been likely to be exploited in the past, or there was something else that a hacker realized was exploitable in that plugin that would be of more interest.

[Read more]

13 Apr

Vulnerability Details: Arbitrary File Deletion Vulnerability in Google Drive for WordPress (wp-google-drive)

From time to time a vulnerability in a plugin is disclosed without the discoverer putting out a complete report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

[Read more]