9 Mar 2020

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability Being Introduced into SP Project & Document Manager

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability being introduced into the plugin SP Project & Document Manager, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can use that tool to check whether plugins you use might have similar issues. The tool flags other possible security issues in the plugin, so we wouldn’t recommend using the plugin unless its security has been more broadly reviewed and corrected.

3 Sep 2019

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability Being Introduced into WP human resource management

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability being introduced into the plugin WP human resource management.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can use that tool to check whether plugins you use might have similar issues.

26 Aug 2019

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in HandL UTM Grabber

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated option update vulnerability in the plugin HandL UTM Grabber, which can also be exploited through cross-site request forgery (CSRF).

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can use that tool to check whether plugins you use might have similar issues.

4 Jun 2019

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WPMktgEngine

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught just such a vulnerability, an authenticated option update vulnerability, in the plugin WPMktgEngine. This vulnerability likely would have been widely exploited by now if the plugin were more popular, considering how easy it would be to detect.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can use that tool to check whether plugins you use might have similar issues.

20 May 2019

What Security Review? Another Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

A little less than a month ago we mentioned how a brand new WordPress plugin contained an authenticated option update vulnerability due to its use of an outdated version of the third-party Freemius library. That vulnerability has been widely exploited. Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, so either those reviews are not happening or they are failing to catch things that should have been caught. We spotted that earlier case through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, and that monitoring has again identified the same thing happening, with the new plugin this time being WP Dev Powers: ACF Color Coded Field Types.

We have long offered to help the team running the Plugin Directory build a capability similar to that monitoring. Running the plugin through our Plugin Security Checker would have warned about that as well, and we have long offered that team free access to the advanced mode of the tool. We haven’t heard any interest from that team in either of those offers, and the results of what they are doing instead speak for themselves.

25 Apr 2019

What Security Review? Brand New WordPress Plugin Contains Widely Exploited Freemius Library Vulnerability

Brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory. Either those reviews are not happening or they are failing to catch things that should have been caught. Take the plugin WP Buddha Free Adwords Plugin (Free Adwords Campaigner), which we came across because our proactive monitoring of changes made to plugins in the Plugin Directory, done to try to catch serious vulnerabilities, flagged that it contained the authenticated option update vulnerability that was in an older version of the Freemius library, a vulnerability that has been widely exploited.

Yesterday, when we went to double check on that, we found that the plugin didn’t actually work when installed, since the developer had placed most of the files in the wrong place in the Subversion repository for it. But when we pulled a copy of the files from the Subversion repository and moved them to the correct location, we confirmed that the vulnerability is exploitable. That file placement issue has now been fixed, and the vulnerability remains in the plugin.

26 Feb 2019

Hackers Are Probably Already Exploiting This Authenticated Option Update Vulnerability Just Fixed in Freemius

On Sunday we saw probing on our website for usage of the plugin WP Security Audit Log, which has 80,000+ installs according to wordpress.org, from what looked to be hackers. Considering that plugin is known to be vulnerable, we didn’t further check into what was going on, which was a mistake, but one that other monitoring we do allowed us to rectify today.

As part of our daily monitoring of Subversion log messages from the WordPress Plugin Directory for mentions of security fixes, we found that 10 plugins had mentions of security fixes yesterday, which is way out of line with what we normally see and hinted that there might be a common issue between the plugins. As we started trying to figure out what was going on, we noticed that many of them were updating a third-party library, Freemius, which is described as a “[m]onetization, analytics, and marketing automation platform”. In looking into that we noticed that Freemius was citing WP Security Audit Log as using their library. With one of those plugins, looking at the changes made, we saw the possibility that a major vulnerability had been fixed. Further checking confirmed that an authenticated option update vulnerability was fixed, which would allow anyone with access to a WordPress account to take over a website. That is a type of vulnerability hackers have tried to exploit widely in the past, so there are likely to be plenty of attempts to exploit this one.

18 Dec 2018

Our Proactive Monitoring Caught a CSRF/Option Update Vulnerability in a WordPress Plugin That Could Disable Websites

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a vulnerability in a plugin with 10,000 installs (according to wordpress.org), Ultimate CSV Importer, that could allow an attacker to cause someone logged in as Administrator to fully disable the website just by getting them to access a page the attacker controls (say with a link in a comment). With non-default settings the vulnerability could be exploited by users with the Author or Editor role, or by getting one of them to access a page controlled by an attacker.

Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important to them than what is best for the rest of the community.

13 Dec 2018

Our Proactive Monitor Caught an Authenticated Option Update Vulnerability in Essential Content Types That Could Disable Websites

For not the first time this week, our proactive monitoring of changes being made to WordPress plugins, done to try to catch serious vulnerabilities when they are introduced into plugins, has caught an authenticated option update vulnerability in a plugin, this time in the plugin Essential Content Types. Like the one we mentioned yesterday, this one could be used to disable a website, either by someone logged in to WordPress or by an attacker who can get someone logged in to WordPress to access a page they control.

Due to the continued inappropriate behavior of the moderators of the WordPress Support Forum, we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that, since a previously fully disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriately is more important to them than what is best for the rest of the community.

12 Dec 2018

Our Proactive Monitor Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin That Could Disable Websites

On Monday, while disclosing another option update vulnerability, we noted that in the wake of one of those being widely exploited recently we had focused on finding more of those vulnerabilities, while it appears no one else in the WordPress security community has done that (maybe because they can get away with lying about failing to protect against the widely exploited one). No sooner than the next day did we find yet another one. We spotted it during our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced into plugins. The vulnerable code itself was not flagged by the software we use to identify possible issues for us to review; instead, that software had flagged another possible instance of the same type of vulnerability in the same code, and when we went to manually review the code we found the issue.

While the vulnerability doesn’t appear to allow for takeover of a website, it would allow anyone logged in to WordPress to disable the website with a single request. Since the plugin in question, Dokan, is only usable with the WooCommerce eCommerce plugin, which is often set to create WordPress accounts for those making orders, many or most of the plugin’s 10,000+ active installations (according to wordpress.org) would be impacted. It could also be exploited by getting someone logged in to WordPress to access a page controlled by an attacker.