1 Nov 2018

PHP Object Injection Vulnerability in Yet Another Related Posts Plugin (YARPP)

In our previous post we mentioned what looks to be a hacker trying to exploit a vulnerability in the plugin Yet Another Related Posts Plugin (YARPP), though one where we couldn't see how it could do anything of note. While looking into that we noticed another security issue in the plugin, one that is of most concern if the plugin is no longer supported, which seems to be the case. It is also yet another reminder that we really need to review the security of the plugins we use, since there are multiple reasons we would have noticed this issue if we had checked over the plugin when we used it.

The plugin contains a function that makes a request to the domain name yarpp.org to check if there is a new version of the plugin available. The problem is that the code introduces a PHP object injection vulnerability that could be exploited by someone who controlled that domain, which would be much easier to accomplish if the domain name isn't renewed by the plugin's developer. The relevant portion of the function, which is located in the file /classes/YARPP_Core.php, is as follows: [Read more]

1 Nov 2018

The Head of the Plugin Directory Mika Epstein Seems Like the One Acting Stupidly Here

When it comes to improving the security of WordPress plugins, the two things that stand out as most needed, and have been for years, are warning people when they are using vulnerable plugins and, for serious vulnerabilities that are likely to be exploited, putting out fixes if the developer doesn't. The reason that hasn't happened isn't, say, a lack of resources. Before we suspended doing it last year, due to continued bad behavior by people on the WordPress side of things, we were to a large degree single-handedly making sure that plugins in the Plugin Directory with publicly disclosed unfixed vulnerabilities didn't remain in it (when we stopped, they started piling up in it). We easily could provide fixes for the vulnerabilities that are likely to be exploited as well. Instead, the reason those things aren't being done is that the people on the WordPress side, for reasons that don't make sense, are blocking them from happening.

When we say they don't make sense, take the head of the team running the Plugin Directory, Mika Epstein, who claimed that you shouldn't even warn about unfixed vulnerabilities even if they are being exploited: [Read more]