While going over something recently we noticed we had failed to include a likely to be exploited vulnerability in the plugin WP Live Chat Support in our data set (we had warned about multiple other vulnerabilities at the time this was fixed, including another of the same type).
…
On Friday we noted that the moderators of the WordPress Support Forum were getting in the way of people trying to discuss dealing with being hacked due to a vulnerability that had been in the plugin WP Live Chat Support. Looking again yesterday showed that has continued. Here is one topic that was closed without explanation why that even happened. With another one, it was closed due to someone mentioning they were using a pro version of the plugin, that is even though the issue the person was bringing up was caused by the vulnerability being exploited, which has nothing to do with a pro version. Someone could have pointed that out to the moderator that closed it, if they hadn’t closed the topic (not surprisingly the problematic moderator there was once again Jan Dembowski).
Looking at the reviews of the plugin we noticed one from over the weekend titled “Lost a ton of business. Infected with malware.“: [Read more]
While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking in to how we could get even better we noticed that in a recent instance were a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.
This week three of those plugins were closed and one is currently closed. [Read more]
On Wednesday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) they had discovered in the WordPress plugin WP Live Chat Support after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn’t be long until the public reports of it being exploited would crop up.
As of few hours ago a topic on the WordPress Support Forum started up with people discussing that they had been hacked and trying to understand what was going on. Like clockwork the moderators of the Support Forum started causing problems. Numerous replies have been deleted, many of them without any apparent reason, and then the topic was closed. One of the moderators we have frequently seen causing problems (and someone that we are not the only ones to believe they have serious issues, which should probably preclude them from being in that role), explained the closure this way: [Read more]
Yesterday Sucuri disclosed a settings change vulnerability that leads to a persistent cross-site scripting (XSS) in the plugin WP Live Chat Support, which was also fixed yesterday. That vulnerability is likely to be exploited soon. As we started looking over things while adding the vulnerabilities to our data set yesterday, so we could warn the customers of our service if they are using an impacted versions, we found that there are multiple additional security issues caused in part the same security issue that was partially fixed (yes, even the vulnerability fixed, was only actually partially fixed). There is, for example, another setting change vulnerability, though one that doesn’t look to lead to a more serious vulnerability. What stood out more for the seriousness, but also what type of functionality the vulnerability is in, is an information disclosure vulnerability that exposes chat logs and meta data related to those chats to anyone, which occurs through General Data Protection Regulation (GDPR) functionality. So functionality related to data protection does the opposite.
The GDPR functionality already was implicated in two vulnerabilities, based on the changelog entries for previous versions of the plugin: [Read more]
From time to time a plugin is closed on the Plugin Directory for an unexplained security issue without the discoverer putting out a report on the vulnerability and we will put out a post detailing the possible vulnerability that led to that so that we can provide our customers with more complete information on the security of plugins they use.
…
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during May (and what you have been missing out on if you haven’t signed up yet): [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during April (and what you have been missing out on if you haven’t signed up yet): [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during August (and what you have been missing out on if you haven’t signed up yet): [Read more]
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
…