5 Jan 2024

Hackers Relying on WordPress Security Providers’ Information to Target Vulnerabilities in WordPress Plugins

Today, we had a hacker try to exploit a vulnerability recently fixed in the WordPress plugin WP Compress on our website. In looking into that, we found another instance where it looks like hackers are relying on information coming from WordPress security providers to determine what vulnerabilities to target.

The logging for our own firewall plugin showed a blocked request for this URL, /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php: [Read more]
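The request above is a directory traversal attempt: the `css` parameter is pointed at `wp-content/../wp-config.php`, which resolves to the file holding the site's database credentials. The following is an added example, not code from the post or from the WP Compress plugin, showing how to detect that class of request in web server logs. It assumes Apache combined log format, that the endpoint is only meant to read files under `wp-content` (an assumption made for illustration), and that the parameter of interest is `css`; the sample log lines are constructed, not taken from the post's firewall log. It also handles the percent-encoded and double-encoded variants of the same path, which the quoted request does not show.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from the post's own
# firewall log). Line 1 mirrors the request quoted above; lines 2 and 3 are
# percent-encoded and double-encoded variants; line 4 is a benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2024:10:12:01 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/../wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2024:10:12:02 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=%2e%2e%2fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Jan/2024:10:12:03 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jan/2024:10:13:44 +0000] "GET /wp-content/plugins/wp-compress-image-optimizer/fixCss.php?css=wp-content/uploads/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# The file the post says attackers go after; it holds the database credentials.
SENSITIVE_FILES = {"wp-config.php"}


def fully_unquote(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (parse_qs already removed one layer)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_file_param(target: str, param: str = "css",
                     base_dir: str = "wp-content") -> Optional[dict]:
    """Return a finding if the file named by `param` does not stay under base_dir.

    base_dir is the directory the endpoint is assumed to serve from; that it is
    wp-content is an assumption of this example, not something the plugin states.
    """
    parts = urlsplit(target)
    values = parse_qs(parts.query).get(param)
    if not values:
        return None
    raw = values[0]
    # Normalise the way a file API would before checking containment:
    # decode, fold backslashes, drop a leading slash, then collapse . and ..
    normalized = posixpath.normpath(fully_unquote(raw).replace("\\", "/").lstrip("/"))
    if normalized == base_dir or normalized.startswith(base_dir + "/"):
        return None
    basename = posixpath.basename(normalized)
    reason = ("credential file requested: " + basename
              if basename in SENSITIVE_FILES else "path escapes " + base_dir)
    return {"endpoint": parts.path, "raw": raw, "normalized": normalized, "reason": reason}


def scan_log(log_text: str) -> list:
    """Run check_file_param over every parsable request line; return the findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = check_file_param(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['endpoint']} css={f['raw']!r} -> {f['reason']}")
```

The containment test in `check_file_param` (resolve the requested path, then require it to remain under the one directory the endpoint is meant to serve) is the same check a plugin must perform server-side before passing a user-supplied path to a file read; matching on the literal string `..` is not enough, since the encoded variants above only reveal the traversal after decoding.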

9 Jun 2023

Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an arbitrary file viewing vulnerability, being added to the plugin WPYog Documents.

We are now also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

8 Sep 2022

Here Is the Incredibly Insecure Exploited Code in a Plugin From the Developer of iThemes Security

Two days ago the developer of the iThemes Security plugin, which is one of the most popular WordPress security plugins, disclosed that another of their plugins, BackupBuddy, had a zero-day vulnerability. A zero-day vulnerability is one that is being exploited before the developer is aware of it. That seems like a big story, but when the vulnerability was covered by the WP Tavern, there was no mention of iThemes Security, nor any question raised about what that says about the state of WordPress security plugins.

iThemes’ post also makes this strange claim: [Read more]

18 Jul 2022

Hacker Exploiting Unfixed Vulnerability in WooCommerce Extending Plugin MultiSafepay

The security of plugins that extend the WordPress ecommerce plugin WooCommerce is often poor, something that the developer of WooCommerce, Automattic, hasn’t taken an interest in addressing. Another part of Automattic claims to provide some protection against that, but isn’t delivering it. Automattic’s WPScan is promoted with this claim:

Be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes. [Read more]

15 Apr 2022

Brand New WordPress File Manager Plugin Allows Anyone to View and Upload Arbitrary Files

Before new plugins are allowed into WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]

16 Jun 2021

Our Proactive Monitoring Caught an Arbitrary File Viewing Vulnerability Being Introduced in to a WordPress Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. That monitoring has caught a vulnerability of a type hackers are likely to exploit if they know about it being introduced into the plugin Law Practice Management Software: an arbitrary file viewing vulnerability, which hackers frequently try to exploit to gain access to the database credentials for WordPress websites.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. That tool also flags many other instances of insecure code in the plugin, which is rather concerning as the plugin is intended to be used by lawyers. [Read more]

28 Jun 2019

Vulnerability Details: Arbitrary File Viewing in MapSVG Lite

The plugin MapSVG Lite got flagged by our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, and when we went to look into what was identified by that, we found that the plugin was closed on the WordPress Plugin Directory yesterday. That appears to have happened due to a security issue, but a different one than our monitoring picked up. [Read more]