Login

Tag Archives: Local File Inclusion (LFI)

8 Apr 2025

WordPress Security Providers Failing to Warn About Vulnerability in Plugin Hacker Likely Targetting

Across various data we monitor we have been seeing what looks to be a hacker or hackers trying to find websites using the plugin Kubio Pro, by requesting this url: /wp-content/plugins/kubio-pro/readme.txt. At first we were puzzled as to what might explain that. There isn’t a plugin on the WordPress Plugin Directory with the slug kubio-pro, so that would mean either it likely was a plugin made available somewhere else or a backdoor disguised as a plugin. We looked for any information on the web about a vulnerability in a plugin with that slug or the name Kubio Pro and came up with nothing. The same is true for competing data sources for information on vulnerabilities in WordPress plugins.

WPScan, owned by Automattic, serves a not found page for the URL that would contain data on vulnerabilities for a plugin with that slug: [Read more]

30 Jul 2024

Hacker Targeting Vulnerability That Was in Shield Security WordPress Plugin

Last week, our own WordPress firewall plugin blocked an attempt to exploit a vulnerability in another security plugin, Shield Security. On the one hand, that should be shocking. A security plugin with a security vulnerability serious enough that a hacker would try to exploit it. On the other hand, the developers of most WordPress security plugins have little concern with security. The developer of this plugin, for example, didn’t care enough to make sure it’s firewall actually works at all. If the firewall worked well, the issue couldn’t even be exploited.

Here is what was logged when the hacking attempt was blocked: [Read more]

13 Nov 2023

Exploited Vulnerability in WordPress Plugin Shows Importance of Robust Firewall Protection

Over the weekend, we had an attacker try to exploit a local file inclusion (LFI) vulnerability that was recently fixed in the WordPress plugin Blog Designer Pack on our website. We are not running the plugin, so we were not risk. But our own firewall plugin still blocked the exploit attempts through its protection against directory traversal:

[Read more]

18 Jun 2019

Our Proactive Monitoring Caught a Local File Inclusion (LFI) Vulnerability Being Added in to Sina Extension for Elementor

One of the ways we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a local file inclusion (LFI) vulnerability being added in to the plugin Sina Extension for Elementor.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

10 Jun 2019

Our Proactive Monitoring Caught a Local File Inclusion (LFI) Vulnerability in Revamp CRM for WooCommerce

One of the things we do during security reviews of WordPress plugins is to check if .php files that are not intended to be directly accessed are protected against direct access of them. The lack of that usually makes no difference, but it is an easy way to avoid or limit vulnerabilities, like the local file inclusion (LFI) vulnerability our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities caught in the plugin Revamp CRM for WooCommerce.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

6 Dec 2018

Our Improved Proactive Monitoring Has Now Caught a Local File Inclusion (LFI) Vulnerability As Well

As we have noted already this week, we have just made a major improvement to our proactive monitoring of changes being made to WordPress plugins to try to catch serious vulnerabilities when they are introduced in to plugins, which built on code we had developed for our Plugin Security Checker, an automated tool you can use to check if plugins you use contain possible security issues. Again it has identified a fairly serious vulnerability, this time a local file inclusion (LFI) vulnerability in the plugin WP Payeezy Pay. This vulnerability has gone unnoticed for over two years.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker since it would already have notified you of this possible issue if you had check the plugin. [Read more]

1 Oct 2018

It’s No Wonder Security Is In Such Bad Shape When the Security Community Doesn’t Understand the Basics of Vulnerability Types

One of the things that you get when using our data on vulnerabilities in WordPress plugins either through our long time service or our new newsletters instead of trying to do things on your own or using lower quality data sources, is that we actually check over the reports and provide an accurate information on them. For a fair amount of reports the original discloser has provided inaccurate information about the vulnerability (or there isn’t even a vulnerability).

One area we see a lot of confusion, whether it be with members of the security community or hackers is with arbitrary file viewing and local file inclusion (LFI) vulnerabilities. A recent example where things got quite mixed up and where other data sources would have lead you astray involved two vulnerabilities disclosed by Manuel Garcia Cardenas a couple of weeks ago. [Read more]

22 Nov 2017

Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the results for other plugins) and checking some of those to see how well the tool is in identifying real issues.

In one instance, which we will be describing in more detail once the developer has had a chance to fix the vulnerability, we found that a possible issue identified by the tool turned out to not be an issue, but it did indicate a general poor handling of security within the plugin and we then found the plugin has a fairly serious vulnerability. In another instance the tool identified a pretty serious issue in a plugin. [Read more]

30 Oct 2017

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in PluginOps Page Builder

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

[Read more]

26 Apr 2017

Vulnerability Details: Local File Inclusion (LFI) Vulnerability in Booking Calendar

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in the plugin.

[Read more]