7 Mar 2023

You Can’t Trust WordPress Plugin Developers’ Claims That Their Plugins Are Free of Security Vulnerabilities

In December, we wrote about how to check if WordPress plugins are secure. One of the things we mentioned that you can’t rely on is claims made by plugin developers about their handling of security. As a recent issue with one developer, 10Web, shows, developers will continue making extraordinary claims about security even when their poor security has led to websites being hacked.

Recently, we saw what appeared to be a hacker probing for usage of one of 10Web’s plugins. Here is part of what we wrote about what we found when we took a quick look over the plugin: [Read more]

14 Feb 2023

Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchstack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious claim at the time, considering that 10Web was at that very time failing to fix a vulnerability they knew about in two of their plugins with 320,000+ installs. (One of those plugins has been closed on the WordPress Plugin Directory since June 2022 because of a “Security Issue.”) The partnership hasn’t led to 10Web’s plugins getting more secure.

In July of last year, the plugin 10Web Booster was introduced onto the WordPress Plugin Directory. If you believed 10Web’s marketing, you would believe that the plugin would have been properly secured: [Read more]

11 Nov 2022

WordPress Plugin Developer Security Advisory: 10Web

One of the little understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers are properly securing their plugins, and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with the latter group are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

16 Jun 2022

10Web’s Event Calendar WD (EventCalendar) Contains Authenticated Information Vulnerability and Other Security Issues

One of the more troubling aspects of the poor security of WordPress plugins is that so many companies are both handling the security of their plugins rather poorly and trying to profit from the insecurity that they are helping to create. We discussed one example of that a year ago, involving plugin developer 10Web’s poor handling of the security of their plugins while selling a security service and partnering with another company that is trying to profit off the insecurity, Patchstack. That post dealt in part with 10Web’s failed attempt to fix a vulnerability in the Event Calendar WD (EventCalendar) plugin and the subsequent failure to get that resolved after we let them know it hadn’t been fixed. While the partnership with Patchstack was supposed to improve the security of the WordPress ecosystem, it didn’t even lead to 10Web’s plugins being properly secured.

On Monday, Event Calendar WD was closed on the WordPress Plugin Directory. Unhelpfully for those using it, no explanation was provided on why it was closed (as is the case with all plugin closures there). As at least one of our customers is using the plugin, we took a look to see if there might be a serious vulnerability that could have led to the closure, which we should be warning them about. We didn’t find such a vulnerability. But just in the limited checking we did for that, we found various security issues with the plugin. We confirmed there is at least one vulnerability, and there are likely others. [Read more]

21 Jul 2021

Our Proactive Monitoring Caught a CSRF/Arbitrary File Upload Vulnerability in One of 10Web’s Plugins

One way we help to improve the security of WordPress plugins, not just for the customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a cross-site request forgery (CSRF)/arbitrary file upload vulnerability in the plugin 10WebEcommerce. The developer of that plugin, 10Web, also offers what they claim is the “Most Trustable WordPress Security Service”, despite this not being the first time we have run into a vulnerability in one of their plugins recently.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

24 Jun 2021

10Web Partners With Patchstack While Leaving Their WordPress Plugins Vulnerable

One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.

Yesterday we mentioned one security provider, Patchstack, in the context of them and their Red Team not having a basic understanding of WordPress security. While looking more into Patchstack, we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them in trying to work with them to fix a security vulnerability in one of their plugins, and with what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, contains the same vulnerability we have tried to work with them to fix in one of their plugins. [Read more]

14 May 2019

Authenticated Local File Inclusion (LFI) Vulnerability in Photo Gallery by 10Web

Earlier today we detailed a vulnerability for our customers in a plugin by 10Web/TenWeb/Web-Dorado, where, while the vulnerability was fixed, the code still wasn’t properly secured. So that made what we then found, while looking into the possibility that a vulnerability had also been fixed in their Photo Gallery (Photo Gallery by 10Web) plugin, not all that surprising. While trying to confirm that an authenticated persistent cross-site scripting (XSS) vulnerability had been fixed in the plugin, we got an error message that indicated there was, and we then confirmed there still is, an authenticated local file inclusion (LFI) vulnerability in the plugin. It really isn’t a great sign for the security of WordPress plugins that you can accidentally run into a vulnerability in a plugin with 300,000+ installs (according to wordpress.org).

The error message indicated that user input from a shortcode generated through the plugin was being passed into the following line of code in the file /frontend/controllers/controller.php through the variable $view: [Read more]