19 May 2025

Wordfence Missed That Authenticated Persistent XSS Vulnerability in 2+ Million Install MC4WP: Mailchimp for WordPress Wasn’t Fixed

Back in September, the developer of the 2+ million install WordPress plugin MC4WP: Mailchimp for WordPress and Wordfence claimed that a minor vulnerability had been fixed. The fix was obviously incomplete, and it turns out the issue is wider than that.


17 May 2025

Patchstack VDP Partner WPMU DEV Incompletely Fixed Privilege Escalation Vulnerability in Broken Link Checker

On Friday, WPMU DEV partially released a security update for the WordPress plugin Broken Link Checker. The changelog for the new version is “Fix: Patched a vulnerability issue.” There are a couple of problems with that. First, they didn’t set it, so the update is being offered to those already using the plugin or new users. Second, the fix was incomplete. Unsurprisingly, the developer is part of the Patchstack Vulnerability Disclosure Program, which signals that the developers are not handling security right and not making sure issues are fully addressed.


16 May 2025

WordPress Plugin Security Review: FV Gravatar Cache

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for FV Gravatar Cache.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service who haven’t yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our main service.

16 May 2025

Plugin Security Scorecard April Results

April was the ninth full month our Plugin Security Scorecard was available. A total of 77 plugins were checked last month, 5 of which were security plugins.

The overall results were not great. Only one plugin got an A. No plugins got an A+ or B+. Those three grades require the developer of the plugin to be taking proactive measures with security, so most plugin developers are not taking measures to provide the best security. 16 of the plugins did get a B, which requires that they are avoiding unnecessary security issues.

15 May 2025

600k WordPress Backup Plugin Claiming to Be “Easiest Way to Protect Your Website” Contains Decade Out of Date Insecure Library

Earlier this week someone checked the 600,000+ install WordPress plugin BackWPup through our Plugin Security Scorecard. That flagged a variety of issues including code that isn’t properly secured against reflected cross-site scripting, usage of security functions in a way that they provide no protection, and usage of an outdated version of a third-party library that contains five developer disclosed security issues:

The oldest of those security issues in the library was disclosed in May 2022. So the developer hasn’t updated the library in at least 3 years. It turns out it is even longer than that, as the version in use is 3.8.1, which was superseded in March 2014.

14 May 2025

Hacker Already Targeting Plugin With Vulnerability Exposed by Wordfence Today Without Fix Being Available

Today, we have had two requests on our website checking if we were using a WordPress plugin by checking for its readme.txt file. The requests were for the path /wp-content/plugins/baiduseo/readme.txt. Those appeared to come from a hacker. Why would that be? Well, the plugin, SEO合集(支持百度/Google/Bing/头条推送), was closed on the WordPress plugin directory yesterday:

13 May 2025

Our Proactive Monitoring of WordPress Plugins Caught an Authenticated Media Deletion Vulnerability in Modula

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. For our customers, we also run the plugins they use through an expanded version of that monitoring on a weekly basis. (Which is a good reason to use our service.) Through that, we caught a variant of one of those vulnerabilities, an authenticated media deletion vulnerability, in the plugin Modula.

In the file /includes/admin/class-modula-gallery-upload.php, the function ajax_unzip_file() is registered to be accessible to those logged in to WordPress:

12 May 2025

WordPress and Security Providers Fail to Make Sure All Plugins Containing Known Vulnerability Have Been Addressed

During the weekend an apparent hacker made multiple requests on our website for a file that would be located at /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php. That file would be part of the plugin Google for WooCommerce, which is developed by Automattic, the company of the head of WordPress. That file turned out to be in two other plugins, one of which is still vulnerable and still in the WordPress Plugin Directory, something that WordPress and other WordPress security providers have missed. The file also remains in the Google library it originally came from.

The file doesn’t exist in the current version of Google for WooCommerce. It was removed from the plugin in version 2.8.7, which was released on November 14. In the changelog, that change was described as “Fix – Remove a Google Ads API vendor file that prints php information.” The contents of the file before that were:

9 May 2025

Is Hacker Using “Hallucinating” AI Chatbot to Create Exploit Attempts Against Non-Existent Vulnerabilities in WordPress Plugins?

Yesterday, we had a series of strange hacking attempts launched against our website. Here, for example, was one attempt that was logged by our systems:

118.179.26.34 8 /wp-admin/admin-ajax.php Array
(
[action] => wp_ajax_some_action
[sql] => 1 UNION SELECT user, password FROM wp_users
)