24 Jan 2025

New Insecure WordPress Plugin Marketed With Fake Norton Secured and (Retired) McAfee SECURE Security Seals

Yesterday, we reported that a new plugin from Brainstorm Force, a WordPress plugin developer with a long track record of poor security, was unsurprisingly also insecure. One thing we noticed while looking into that is that midway down the homepage for that new plugin, SureDash, there are a couple of security seals, Norton Secured and McAfee SECURE, placed around the PayPal logo:

[Read more]

23 Jan 2025

New Plugins From Awesome Motive and Brainstorm Force Continue Developers’ Failure to Implement Basic Security

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question is whether such a backward-looking determination is helpful, or whether past is not prologue here. A week ago, we looked at an example we ran across of a developer continuing to fail. This week we ran across another test of this, as two developers we have released advisories for have new plugins available in the WordPress Plugin Directory.

Awesome Motive

For one of those developers, Awesome Motive, we just issued our advisory on December 11. Nine days later, they introduced the plugin WPConsent to the WordPress Plugin Directory. The issue that led to us finally issuing that advisory was a continued failure to address AJAX-accessible functions lacking a capability check in the 6+ million install plugin WPForms, even after fixing a vulnerability caused by that. That is really basic security, so a major plugin developer shouldn’t be failing on that front. Yet that is also the case with WPConsent. [Read more]

14 Dec 2023

Brainstorm Force Removed Security Code and Reintroduced Vulnerability in 1+ Million Install WordPress Plugin

It’s commonly claimed that you can gauge whether a WordPress plugin is secure by looking at its install count and at whether the developer is well known. We have yet to see anyone making that claim present any evidence of a correlation between them. We have seen plenty of instances where major WordPress plugin developers have problems handling security with popular plugins. Take Brainstorm Force. They were recently covered by the WP Tavern, claiming to have made a six-figure investment in a plugin. So they clearly have the money to handle security properly, but they don’t.

The latest incident with Brainstorm Force involves a vulnerability in a 1+ million install plugin that went unnoticed by them (and by others, for that matter) for nearly four years, which, it would seem, they fixed without realizing it and then reintroduced today. [Read more]