5 Aug 2019

Vulnerability Details: Multiple in Simple 301 Redirects – Addon – Bulk CSV Uploader

With our full disclosures of vulnerabilities in protest of the continued inappropriate behavior of the WordPress Support Forum Moderators, one of the criticisms we have gotten is that we are notifying our customers before disclosing the vulnerabilities, despite that not being the case. We have always publicly disclosed vulnerabilities at the same time we start warning our customers of them; doing otherwise would raise some serious ethical issues. Other security providers don’t follow that type of practice, one of them being the makers of the NinjaFirewall plugin. Two of the vulnerabilities they are attempting to protect their customers from (though probably only doing so partially) that they haven’t publicly disclosed are a persistent cross-site scripting (XSS) vulnerability and a privilege escalation vulnerability in the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader. That plugin was closed on the Plugin Directory on July 28.

...


This post provides insights on a vulnerability in the WordPress plugin Simple 301 Redirects - Addon - Bulk CSV Uploader not discovered by us, where the discoverer hadn't provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so the rest of its contents are limited to subscribers of our service.


