18 Nov 2022

Patchstack Provided Inaccurate Information on Vulnerability Claimed to Be Exploited in WordPress Plugin

Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:

When are you going to fix the problem? A couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]

31 Oct 2022

Authenticated Settings Change Vulnerability in WP Page Widget

Last week the WordPress plugin WP Page Widget was closed on the WordPress Plugin Directory. As that plugin is one of the 1,000 most popular plugins, we were alerted to its closure. No reason has been given for the closure. But there is a security issue in the latest version.

About a month ago a competitor of ours, Patchstack, claimed a cross-site request forgery (CSRF) vulnerability had been fixed in the latest version of the plugin. They didn’t provide basic information needed to confirm the claim, as the “details” given are: [Read more]

10 Oct 2022

Cross-Site Request Forgery (CSRF)/Settings Change Vulnerability in Kraken.io Image Optimizer

In a separate post, we discussed vague claims of a cross-site request forgery (CSRF) vulnerability being in the latest version of the plugin Kraken.io Image Optimizer. What we quickly found while reviewing the plugin was that there is at least a CSRF vulnerability that allows changing the plugin’s settings in the current version of the plugin. [Read more]

3 Aug 2022

is_admin() Again Leads to WordPress Plugin Containing Vulnerability That Hackers Would Exploit

A recent review of the WordPress plugin Pop-up suggested the plugin is insecure:

I tested this plugin, it says it’s free, I tried to inject code to my site… then I understood if they want they can inject any malicious code to your website by using this plugin… you are clicking launch code on an external website, and this plugin will upload a code to your website based on the email address registered on both sites. So if you are using a sensitive website don’t even try this plugin [Read more]

27 May 2022

Our Proactive Monitoring Caught a CSRF/PHP Object Injection Vulnerability in 1+ Million Install WordPress Plugin Ninja Forms

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Late last year we expanded on that for our customers by running the plugins they use, even when the code in them is not updated, through the same system on a weekly basis. We just made a significant improvement to the automated portion of that monitoring. Through that, we caught a less serious variant of one of those vulnerabilities, a cross-site request forgery (CSRF)/PHP object injection vulnerability in Ninja Forms, which, besides being used by at least one of our customers, is used on 1+ million websites according to wordpress.org’s stats.

That Ninja Forms has yet another vulnerability isn’t surprising considering the developer’s security track record, which includes disclosing a fairly serious unfixed vulnerability last year (doing that alongside Wordfence) and still not having addressed an incorrect security fix, which we notified them about in January. [Read more]

26 Apr 2022

Authenticated Setting Change Vulnerability in WordPress Plugin Melhor Envio

As part of our monitoring the WordPress Support Forum for indications of vulnerabilities in plugins that we should be warning our customers about, we came across this review of the plugin Melhor Envio:

The Melhor Envio plugin has had the trojan named JS:Trojan.Cryxos for almost a month, and even though I contacted support and proved it several times, the plugin is still available for download with the Trojan. My site was taken offline five times by wordpress.com and ended up with 645 files contaminated by this malware. [Read more]

5 Apr 2022

WooCommerce Payment Plugin Targeted by Hacker Contains Multiple Serious Vulnerabilities

Late last week, third-party data we monitor showed what looked to be a hacker probing for usage of a WordPress plugin that handles payment processing for the WooCommerce plugin, ЮKassa для WooCommerce, through requests for this file:

/wp-content/plugins/yookassa/assets/js/yookassa-admin.js [Read more]

29 Mar 2022

Despite “Manual Security Review”, Brand New WordPress Plugin Contains Multiple Vulnerabilities

Before new plugins are allowed into WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]