14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing was done by requesting a file that would exist if the plugin were installed, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or on any of our others. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments. [Read more]

24 Jul 2023

AI Helps to Detect Expansion of Vulnerability in 1+ Million Install WordPress Plugin

Earlier this year, we noted how a machine learning (artificial intelligence (AI)) based system we have had helped to detect a vulnerability being introduced into a 1+ million install WordPress plugin. That came after the system had already helped to catch undisclosed attempts to fix vulnerabilities in WordPress plugins that had failed to fix the vulnerabilities, including in another 1+ million install plugin. In the latest detection of a vulnerability in a 1+ million install plugin by the system, the vulnerability already existed, but the system correctly flagged it because the change being made expanded the impact of the vulnerability. That vulnerability is an authenticated settings change vulnerability in the plugin WP Fastest Cache.

We run only changes made to plugins used by our customers and to 1+ million install plugins through that system, so if you are not using our service, plugins you use are likely missing out on that security measure. [Read more]

13 Jun 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Compress

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability in the plugin WP Compress. The vulnerability is in part caused by wider insecurity in the plugin, and there are additional vulnerabilities in the plugin, so we would recommend avoiding the plugin unless its security is overhauled.

We are now also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

19 May 2023

Is This Authenticated Settings Change Vulnerability in GoDaddy’s CoBlocks What a Hacker Might Be Interested In?

Yesterday, on one of our websites and in data from third-party websites, we saw what looked to be a hacker probing for usage of GoDaddy’s WordPress plugin CoBlocks by requesting the readme.txt file for it:

/wp-content/plugins/coblocks/readme.txt [Read more]

9 Dec 2022

Authenticated Settings Change Vulnerability in LWS Optimize

Last week, we ran across a serious vulnerability in a new WordPress plugin, LWS Optimize. The plugin was subsequently closed on the WordPress plugin directory and then re-opened without the vulnerability being properly fixed. Not only that, but the plugin’s easy-to-spot vulnerability was still missed despite the claim that there is a manual security review before plugins are even allowed in that directory.

If you log in to WordPress with the plugin active, you can access the plugin’s settings page and change the settings even if you are a user with the Subscriber role. Only users with the manage_options capability, which normally only Administrators have, should have access to that page. Instead, the plugin makes the page accessible to anyone with the read capability: [Read more]

18 Nov 2022

Patchstack Provided Inaccurate Information on Vulnerability Claimed to Be Exploited in WordPress Plugin

Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:

When are you going to fix the problem? A couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]