13 Feb 2024

Hacker Likely Targeting This Incompletely Fixed Authenticated Plugin Installation Vulnerability in WordPress Plugin NextMove Lite

Today we saw a hacker probing for usage of the WordPress plugin NextMove Lite on our websites with the following request:

/wp-content/plugins/woo-thank-you-page-nextmove-lite/assets/css/xlwcty-public-rest.css

17 Aug 2023

Update to WordPress Plugin Allows Logged-In Users to Install Malicious Plugins

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one such vulnerability, in the plugin Disable Fullscreen Mode, that allows anyone logged in to WordPress to install arbitrary plugins. The plugin doesn’t have to come from the WordPress Plugin Directory, so an attacker can install an entirely malicious plugin.

We are now also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them.

22 Nov 2022

WordPress Security Plugins Contained Fairly Serious Vulnerability Because of Unresolved WordPress Security Issue

Something that should get a lot more attention and raise a lot more questions is why the security industry’s own software and hardware is itself so insecure. That insecurity is a frequent issue with WordPress security plugins. The latest instance of that involves two WordPress security plugins, AntiHacker and StopBadBots, which contained a vulnerability that allowed anyone logged in to WordPress to install any plugin in the WordPress Plugin Directory.

Those plugins come from the same developer, and three additional plugins from that developer were affected: CarDealer, WP Memory, and wptools. Together, the plugins have at least 22,000 installs.