14 Feb 2025

Hacker Probing For WordPress Plugin With Many Vulnerabilities That Wordfence and Other Providers Incorrectly Claimed Were Fixed Last Year

Today we saw what appeared to be a hacker probing for usage of the WordPress plugin WP Compress on our websites. The probing consisted of requesting a file that would exist if the plugin were installed on the website, /wp-content/plugins/wp-compress-image-optimizer/readme.txt. We don’t use that plugin on that website or on any of our others. So what might explain a hacker’s interest in the plugin? Last year the WordPress security provider Wordfence claimed that a vulnerability had been fixed in the plugin, of a type that sounds like it could explain a hacker’s interest. Here is part of their description:

This makes it possible for authenticated attackers, with subscriber-level permissions and above, to edit plugin settings, including storing cross-site scripting, in multisite environments.

22 Jan 2024

WordPress Plugin Developers Are Still Creating Vulnerabilities by Improperly Using the permission_callback for WordPress Rest API Endpoints

Back in November, the Automattic-owned WPScan claimed there had been a vulnerability in a plugin that extends the very popular ecommerce plugin WooCommerce, which is also owned by Automattic. WPScan only got around to releasing any information about the claimed vulnerability this month. When we went to check on that, we found that the relevant code is still vulnerable, though less vulnerable than it was before. If the developer of the plugin had properly implemented the built-in security available when using WordPress’ REST API, the plugin wouldn’t still have the vulnerability.

We are now four years in to the REST API being available in WordPress, but plugin developers are still not correctly implementing a basic security element it introduced. So it seems worth going through what is going wrong and how it can fairly easily be fixed.

13 Jun 2023

Our Proactive Monitoring Caught an Authenticated Option Update Vulnerability in WP Compress

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those serious vulnerabilities, an authenticated option update vulnerability in the plugin WP Compress. The vulnerability is in part caused by wider insecurity in the plugin, and there are additional vulnerabilities in the plugin, so we would recommend avoiding the plugin unless its security is overhauled.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them.

19 May 2023

Is This Authenticated Settings Change Vulnerability in GoDaddy’s CoBlocks What a Hacker Might Be Interested In?

Yesterday, on one of our websites and in data from third-party websites, we saw what looked to be a hacker probing for usage of GoDaddy’s WordPress plugin CoBlocks by requesting the readme.txt file for it:

/wp-content/plugins/coblocks/readme.txt

24 Apr 2023

CSRF/Settings Change Vulnerability in LIQUID SPEECH BALLOON

JVN recently said that a cross-site request forgery (CSRF) vulnerability had been fixed in the WordPress plugin LIQUID SPEECH BALLOON. They provided no details on that, other than that it was fixed in version 1.2. The changelog for that provides more information, as it says that it “Fixed security issue related to input in setting forms.”


24 Mar 2023

Settings Change Vulnerability in LiteSpeed Cache

This week Patchstack claimed that a cross-site request forgery (CSRF) vulnerability had been fixed in the WordPress plugin LiteSpeed Cache in December. The changelog for the version in which it was claimed to have been fixed has a somewhat cryptic mention of fixing a security issue that sounds somewhat different:


13 Feb 2023

WordPress Plugin Security Review: ShortPixel Image Optimizer

For our 41st security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin ShortPixel Image Optimizer.

If you are not yet a customer of the service, once you sign up as a paying customer you can start suggesting and voting on plugins to get security reviews. For those already using the service who haven’t yet suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates for a review. You can also order a review of a plugin separately from our service.