Login

Tag Archives: WP Server Health Stats

2 Jan 2024

Cross-Site Request Forgery (CSRF) Vulnerability in WP Server Health Stats

The changelog for the latest version of the WordPress plugin WP Server Health Stats is “Fixed CSRF vulnerability (CVSS 3.1 score) reported by Patchstack.” Looking at the changes made we found that referred to attempting to address an issue that allows an attacker to cause someone logged in to WordPress to purge the plugin’s cache without them intending it, which would be a cross-site request forgery (CSRF) vulnerability. The developer had attempted to fix that it in the new version, but didn’t do so correctly, so the really minor vulnerability still exists.

[Read more]

10 Mar 2023

Not Really a WordPress Plugin Vulnerability, Week of March 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of that we haven’t felt rose to that level. In particular, are items that are not outright false, just the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Authenticated (Administrator+) Stored Cross-Site Scripting in All in One SEO

Wordfence claimed that the plugin All in One SEO had contained a authenticated (Administrator+) stored cross-site scripting vulnerability, which they described in part this way: [Read more]