9 Aug 2022

WooCommerce Extending Plugin With 100,000+ Installs Contains Authenticated Option Update Vulnerability Possibly Targeted by Hacker

Early today a topic was posted on the support forum for the WordPress plugin WOOF, which extends WooCommerce and has 100,000+ active installations, suggesting that a security issue in it might be being exploited. The poster wrote this:

Can you elaborate on what you did here for the fix? We noticed a lot of clients had products from like other sites that were not related. Curious to know what happened if anything on your end. [Read more]

2 Aug 2022

Hacker Probably Targeting This Authenticated Option Update Vulnerability in Make’s WordPress Plugin

Yesterday we had what appeared to be a hacker probing for usage of Make's (formerly Integromat) WordPress plugin on our website with the following request:

/wp-content/plugins/integromat-connector/assets/iwc.js [Read more]

5 Apr 2022

WooCommerce Payment Plugin Targeted by Hacker Contains Multiple Serious Vulnerabilities

Late last week, third-party data we monitor showed what looked to be a hacker probing for usage of a WordPress plugin that handles payment processing for the WooCommerce plugin, ЮKassa для WooCommerce, through requests for this file:

/wp-content/plugins/yookassa/assets/js/yookassa-admin.js [Read more]

22 Mar 2022

Two WordPress Plugins With 60,000+ Installs Contain Authenticated Option Update Vulnerability

One way we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, an authenticated option update vulnerability, in the plugins Stop Generating Unnecessary Thumbnails, which has 40,000+ installs, and CoDesigner, which has 20,000+ installs. Those plugins are from the same developer, so other plugins from them might be affected as well. This is also the second time our proactive monitoring has identified fairly serious vulnerabilities in the plugins (the previous instances involved separate vulnerabilities).

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

12 Jan 2022

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in a WordPress Plugin with 40,000+ Installs

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability, in the plugin Stop Generating Unnecessary Thumbnails, which has 40,000+ installs.

We now are also running all the plugins used by customers through that on a weekly basis, to provide additional protection for our customers. [Read more]

7 Jan 2022

Our Plugin Security Checker Identified an Authenticated Option Update Vulnerability in a WordPress Plugin with 20,000+ Installs

One of the tools we have developed to help keep websites secure from vulnerabilities in WordPress plugins is our Plugin Security Checker, which identifies the possibility of some instances of vulnerabilities in plugins. One way we work to improve the quality of the results produced by that is doing occasional checks of results of plugins people are running through it. Through that we confirmed that the plugin Material Design for Contact Form 7, which has 20,000+ installs, contains a fairly serious type of vulnerability, an authenticated option update vulnerability, though the specifics limit the ability for it to be abused in a non-targeted attack.

The tool identified the following code as possibly vulnerable: [Read more]

8 Dec 2021

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Leads Builder For Any CRM

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, an authenticated option update vulnerability, in the plugin WP Leads Builder For Any CRM.

Through the same monitoring, we identified the same type of vulnerability in another of the developer’s plugins three weeks ago. We put out an advisory on the developer due to continued poor handling of security over five years ago. [Read more]

22 Jun 2021

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WordPress Plugin INDIGITALL

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability in the plugin INDIGITALL, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

28 May 2021

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in Content Mask

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability in the plugin Content Mask, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]