23 Apr 2025

Developer of Really Simple Security WordPress Plugin Failed to Fully Address CSRF Vulnerability

In January, the developers of the 4+ million install WordPress plugin Really Simple Security vaguely disclosed that they had attempted to fix a vulnerability in the plugin. That was done through one of the changelog entries for version 9.2.0, “Fix: Added nonce check to certificate re-check button.” That is a reference to addressing a cross-site request forgery (CSRF) vulnerability. Checking on that months later, we found that the fix had been incomplete and that competing vulnerability data sources had failed to properly vet it, instead claiming that the issue was fully addressed. That includes the data source used by Really Simple Security itself, so their own users have not been warned that the plugin is still vulnerable.

Looking at the changes made in that version, the changelog references a change made in the file /class-admin.php. That file is run during admin_init, which makes it accessible to anyone:

27 Jul 2023

Really Simple SSL Plugin Is Falsely Claiming That WordPress Plugins Contain Vulnerabilities

The Really Simple SSL plugin became popular, with 5+ million installs, as a simple WordPress plugin, and the developer then started bloating it with unrelated features. One of those was plugin vulnerability alerts. They recently explained doing that this way:

“We figured that with our reach we could impact security on the web as a whole, by adding features in order of impact on security,” Hulsebos said. “So vulnerabilities, after hardening features specific to WordPress, was next.

8 Nov 2022

New WordPress Plugin Vulnerability Data Sources Are Just Copies of Existing Inaccurate Sources

Last week, we wrote about confusion over whether a claimed vulnerability in a WordPress plugin exists if it hasn’t been mentioned by a particular data source. That was in the context of a developer claiming there wasn’t a vulnerability in the plugin because it wasn’t mentioned by one of those, WPScan, despite being included in another, Patchstack. We also noted that Patchstack had not provided the information needed for anyone else to confirm their claim of a vulnerability.

Someone involved in yet another data source submitted a comment on that post, though it appears they didn’t pay attention to what the post said, to the detriment of those relying on their data source. Part of what they said in promoting it is that they had this vulnerability in their data set. That isn’t surprising, since on their website they admit to copying information from Patchstack. They didn’t address the inability to confirm the claimed vulnerability, which someone would want to do before adding it to their data set.