4 Nov 2019

Closures of Very Popular WordPress Plugins, Week of November 1

While we are already far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed something about a recent instance where a vulnerability in a plugin was exploited: we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware, the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like the closure was due to a vulnerability.

During the week of November 1, four of those plugins were closed. [Read more]

8 Jun 2017

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Count per Day

Just a couple of days after we discussed a situation where a popular plugin had a vulnerability in it for years due to a security fix not being fully applied, we ran into another example of a security fix only being partially applied in a popular plugin. This time it involves the plugin Count per Day, which has 100,000+ active installs according to wordpress.org.

As part of our monitoring of changes to plugins to detect vulnerabilities being fixed, so that we can add them to our data set, we saw that version 3.5.7 of the plugin appeared to have a security fix; the changelog entry for that version is “Bugfix: security fixes in notes, options”. In looking at the changes made in that version, we could see that some user input values are now being sanitized using strip_tags(). In checking over things, we found that this related to the plugin’s settings page. [Read more]