26 Feb 2024

Authenticated Information Disclosure Vulnerability in Download Manager

While reviewing the second attempt to address a vulnerability related to failure to properly sanitize, validate and/or escape shortcode attributes in the WordPress plugin Download Manager, we found another issue that still hasn’t been addressed. It involves a shortcode located in the file /src/Category/Shortcodes.php. The shortcode wpdm_category_link calls the function categoryLink() in that file:

[Read more]

8 Feb 2024

Hacker Targeted WordPress Backup Plugin Didn’t Actually Get Fix for Log File Disclosure

Two days ago, we discussed one vulnerability that was recently fixed in the WordPress backup plugin FastDup, while looking into why a hacker might be targeting the plugin. There was another vulnerability that was supposed to have been fixed. Patchstack claimed that there had been a sensitive data exposure via log file vulnerability in the plugin. As usual, they didn’t provide the information needed to check whether the vulnerability was real and, if it was real, whether it had been fixed. It appears that either they got some basic details about the vulnerability wrong and it wasn’t fixed, or what they were claiming was a vulnerability wasn’t a vulnerability, but there really was a similar vulnerability in the plugin. Confused? So are we. So let’s go through what we found.

The vulnerability was supposed to be fixed in version 2.1.8 of the plugin. The change made in that version was to replace an additional value added to the filenames of files created by the plugin, which had been the current time from the PHP function time(), with a randomly generated value. That would make it harder to guess the names of files, but with either one, it isn’t something that would be easy to guess, unless you knew when a backup was made. The files should be blocked from being accessed directly, so the name shouldn’t even matter. [Read more]

14 Sep 2023

Automattic Reintroduced Security Vulnerability Into WooCommerce, Their WPScan Missed That

Automattic is the company of the head of WordPress, Matt Mullenweg. Among its operations, it sells access to (often inaccurate) information on vulnerabilities in WordPress plugins through WPScan. Earlier this week, WPScan added an entry for a claimed vulnerability in Automattic’s WooCommerce plugin, which has 5+ million installs according to WordPress’ data. They claimed the vulnerability had been fixed in version 7.0.1:

[Read more]

23 Aug 2023

AI Helps to Detect Vulnerable Code Being Added to 300,000+ Install WordPress Plugin WPvivid Backup

As we have noted multiple times recently, contrary to claims made by other security providers, WordPress plugins continue to have a steady supply of new vulnerabilities being introduced into them. That includes widely used plugins. We continue to work to improve our ability to catch those in plugins used by users of our service. One method is using machine learning, a form of artificial intelligence (AI), to try to catch vulnerabilities being introduced into plugins. As that is something that improves with more data, the longer we are collecting data, the better it should get and the more vulnerabilities we can catch for our customers.

Yesterday, that monitoring flagged an update to the 300,000+ install plugin WPvivid Backup as possibly introducing a vulnerability. Looking over the changes being made, we found that a new function was added to the plugin and made accessible to anyone logged into WordPress through its AJAX functionality: [Read more]

5 Apr 2023

Our Firewall Plugin Caught That SQL Injection Vulnerability Tenable Discovered Hasn’t Actually Been Fixed

Last month, security provider Tenable claimed that an authenticated SQL injection vulnerability had existed in the WordPress plugin ReviewX and was fixed in version 1.6.4. It turns out the vulnerability hasn’t been fixed.

The CVE system allowed Tenable to create a CVE ID for this, CVE-2023-26325, and didn’t check to make sure the claims were accurate. [Read more]

5 Dec 2022

Information Disclosure Vulnerability in WordPress Plugin Download Monitor

A recent version of the WordPress plugin Download Monitor had a changelog that indicated that a security vulnerability might have been fixed, “Fix: Security fix”. Looking at the changes made seemed to show that the developer might have been improperly fixing a vulnerability, and further checking confirmed that was the case.

[Read more]

21 Nov 2022

WordPress Plugins From YITH With Over 1 Million Installs Contained Authenticated Information Disclosure Vulnerability

Recently, 21 WordPress plugins from the developer YITH have been updated with a vague changelog entry that they “patched security vulnerability”. The security vulnerability patched allowed anyone logged in to WordPress to view the contents of two log files if they existed on websites. One of those could contain sensitive information, as it would contain information logged for PHP errors. If the functionality had previously been used, then other users could access them as well. The latter issue hasn’t been resolved.

Among the plugins affected are the 900,000+ install YITH WooCommerce Wishlist, 200,000+ install YITH WooCommerce Compare, and two plugins with 100,000+ installs, YITH WooCommerce Ajax Product Filter and YITH WooCommerce Quick View. [Read more]