9 May 2022

WordPress Plugin Developer Security Advisory: mndpsingh287

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across them. Instead, many developers properly secure their plugins, or get them properly secured once alerted that they haven’t, while others are either unable or unwilling to properly secure their plugins. That includes situations where developers have introduced new serious vulnerabilities that are substantially similar to vulnerabilities they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

12 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 12

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Path Traversal in Ad Inserter

One of the changelog entries for version 2.4.20 of Ad Inserter is “Fix for path traversal vulnerability – credit to Wilfried Bécard of Synacktiv (https://synacktiv.com)”. The relevant change looks to have replaced the following lines: [Read more]

10 Jul 2019

WebARX Claims to “Protect Websites from Plugin Vulnerabilities”, but Doesn’t Even Have a Good Grasp of Them

When we mentioned the web security provider WebARX back in March, it was in the context of their service providing less protection against a WordPress plugin vulnerability than simply keeping plugins up to date, while they made it seem otherwise. That is a pretty big issue when their service is prominently promoted with the claim that it can “Protect websites from plugin vulnerabilities”, as can be seen on their homepage:

[Read more]

25 Feb 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Local File Inclusion (LFI) in File Manager

Our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities sometimes catches vulnerabilities in older versions of plugins if changes related to those versions happen, as was the case with the plugin File Manager. Recently a tag for an older version of the plugin was removed, and that got flagged as possibly containing a local file inclusion (LFI) vulnerability; further checking showed that it could be exploited through cross-site request forgery (CSRF).


[Read more]

22 Feb 2019

Closures of Very Popular WordPress Plugins, Week of February 22

While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.

This week two of those plugins were closed and one has been reopened. [Read more]

20 Feb 2019

Just Closed File Manager WordPress Plugin with 300,000+ Installs Contains Authenticated Remote Code Execution (RCE) Vulnerability

Due to our monitoring for closures of the 1,000 most popular WordPress plugins, we were notified that the plugin File Manager (WP File Manager), which has 300,000+ installs, was closed today. That a security vulnerability could have led to it being closed wouldn’t be surprising. That is in part due to one of the other plugins from the same developer, Duplicate Page, which has 700,000+ installs, being publicly known to contain multiple unfixed vulnerabilities for over a year (which no one on the WordPress side of things seems to care about), two of which we disclosed in October of 2017 after the developer didn’t respond to our notification of the issues. That is also in part due to the continued poor security of this plugin as well, including that it used to be fundamentally insecure and, even when that was fixed, it wasn’t fixed properly.

Once we were notified of the closure we started checking over the plugin to see if it had any obvious security issues. One of the things we do is run the plugin through our Plugin Security Checker tool, which allows anyone to check for the possibility of some instances of security issues in WordPress plugins. That flagged that a function, mk_check_filemanager_php_syntax_callback(), was accessible through WordPress’ AJAX functionality to those logged in as well as those logged out. The function name hinted that there might be something that shouldn’t be accessible to those not logged in, at the very least. [Read more]

18 Sep 2018

Vulnerability Details: CSRF/XSS Vulnerability in File Manager (WP File Manager)

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.


[Read more]

5 Sep 2018

Reflected Cross-Site Scripting (XSS) Vulnerability in File Manager

One of the problems we have found with the WordPress Support Forum is that there is unproductive and inconsistent deletion of claims about the security of plugins. In an instance from just a couple of days ago, a thread was deleted which mentioned an unfixed vulnerability in the plugin File Manager. Deleting that doesn’t make much sense to us, since it would be easy for someone with bad intentions to do the same monitoring that we do and have spotted that thread before it was deleted, while deleting it makes it harder for those with good intentions to find out about it. For us, seeing it not only led to us noticing a related vulnerability in the same code, but it also led to a new check for our Plugin Security Checker to make it easier for issues similar to the one we noticed to be caught and fixed going forward, leading to better security for WordPress plugins. Unfortunately, the moderators of the WordPress Support Forum don’t seem to be all that interested in that, based on the actions they take and their shutting down any conversation about whether those actions are productive.

The additional vulnerability we noticed is a reflected cross-site scripting (XSS) vulnerability, which could possibly allow an attacker to run arbitrary malicious JavaScript code. This type of vulnerability isn’t a big threat, since it requires getting someone else to take an action, which we don’t see hackers really interested in when it comes to untargeted attacks, and web browsers other than Firefox include filtering to restrict the ability for this type of vulnerability to be exploited. [Read more]

14 Jun 2017

Vulnerability Details: Authenticated File Manager Access Vulnerability in File Manager

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.


[Read more]