27 May 2022

Not Really a WordPress Plugin Vulnerability, Week of May 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of them that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in WP Statistics

Automattic’s WPScan made this claim about a supposed reflected cross-site scripting vulnerability in the plugin WP Statistics: [Read more]

19 Apr 2022

Recently Closed WordPress Plugin with 40,000+ Installs Contains Privilege Escalation Vulnerability

On Monday, the WordPress plugin WP SVG Icons was closed on the WordPress Plugin Directory. Because that is one of the 1,000 most popular plugins in that directory (it has 40,000+ installs), our systems warned us about the closure and we started checking over the plugin to see if there was a vulnerability we should warn customers of our services about. What we found was that it at least contains a minor vulnerability.

The plugin registers the function svg_delete_custom_pack_ajax() to be accessible through WordPress’ AJAX functionality by anyone logged in to WordPress: [Read more]

26 Jul 2019

Closures of Very Popular WordPress Plugins, Week of July 26

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then seeing if it looks like that was due to a vulnerability.

This week two of those plugins were closed and neither of them has been reopened. [Read more]

22 Jul 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Arbitrary File Upload in WP SVG Icons

The plugin WP SVG Icons was closed on the WordPress Plugin Directory on Saturday. Due to it being one of the 1,000 most popular, with 50,000+ installs, we were alerted to the closure. By the time we went to check to see if there were any security issues in the plugin, a new version had already been submitted to fix a cross-site request forgery (CSRF) vulnerability that allows uploading arbitrary files. There are still a couple of very minor CSRF vulnerabilities that appear to be unfixed, and some other possible security issues.

[Read more]