30 Jan 2024

Hacker Targeting Incompletely Fixed Vulnerability in 100,000+ Install WordPress Plugin Cookie Information

Earlier today, we had an apparent hacker probing our website to see if we were using the WordPress plugin Cookie Information with this request:

/wp-content/plugins/wp-gdpr-compliance/Assets/js/front.min.js [Read more]

22 Dec 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability being introduced into the plugin Cozy Blocks today. The vulnerability is in part caused by wider insecurity in the plugin and there are additional vulnerabilities in the plugin, so we would recommend avoiding the plugin unless the security is overhauled.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

7 Sep 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability Being Introduced into WPGetAPI

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability being introduced into the plugin WPGetAPI. The vulnerability allows anyone logged in to WordPress to break the website.

The vulnerable code comes from a new import feature of the plugin. The related new export feature looks to be similarly insecure as well. [Read more]

6 Sep 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Courses

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in the plugin WP Courses. That allows a logged-in attacker to change arbitrary WordPress options, and they could use that to create a new WordPress account with administrator privileges. There are probably more vulnerabilities with similar code still lurking in plugins, as this was caught by a recent expansion of our monitoring for that type of vulnerability. It appears that vulnerability has been in the plugin for 22 months without being noticed.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

16 Aug 2023

Exploitable Vulnerability Has Been in WooCommerce Extending Plugin for Over a Year

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We don’t have time to review everything that is flagged by that. As one piece of code flagged, which we only got a chance to look into 13 months after it was introduced into a plugin, shows, it doesn’t look like much of anyone else is joining us in doing that type of monitoring. That code turned out to cause a vulnerability that would allow an attacker with access to an account on the website, even a low-level account, to take over the website. Unsurprisingly, that is a type of vulnerability that hackers are known to exploit. The vulnerability is in the plugin WooODT Lite.

As is often the case with plugins with serious vulnerabilities, the plugin extends the popular eCommerce plugin WooCommerce. Despite being used on websites with additional security risk and probably more money tied to them, it doesn’t appear those plugins are getting reasonable security scrutiny. If anyone is looking to have that happen for a WordPress plugin they use, we can do a security review. [Read more]

28 Jul 2023

Latest Update of 60,000+ Install WooCommerce Extending Plugin Removes Basic Security

WordPress security providers have been claiming for years that the security of WordPress plugins is improving. Here was how the WP Tavern put it as coming from Patchstack in March:

The report emphasized that the increase in the number of vulnerabilities reported means that the ecosystem is becoming more secure as the result of more security issues being found and patched. [Read more]

13 Jun 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Compress

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in the plugin WP Compress. The vulnerability is in part caused by wider insecurity in the plugin and there are additional vulnerabilities in the plugin, so we would recommend avoiding the plugin unless the security is overhauled.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

17 May 2023

Did ChatGPT Create This Serious Authenticated Option Update Vulnerability in the WordPress Plugin AI Power?

A lot has been made about the possible security risk with code created by ChatGPT, whether in WordPress plugins or otherwise. A more pedestrian risk is that WordPress plugins that interact with it are themselves insecure, whether written by ChatGPT or not. Last week, one of those plugins, AI Power, which is described by the developer as the “most popular, WordPress-based open-source AI solution”, started introducing a serious vulnerability into the 10,000+ websites using it. The vulnerability allows those logged in to WordPress to change arbitrary WordPress options (settings), which among other things could allow them to take over the website by creating new WordPress accounts with the Administrator role.

Our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities caught that. [Read more]

7 Dec 2022

Authenticated Option Update Vulnerability in Users Control

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in a brand new plugin, Users Control.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

30 Nov 2022

Authenticated Option Update Vulnerability in LWS Optimize

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in a brand new plugin, LWS Optimize.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]