9 Dec 2022

Authenticated Settings Change Vulnerability in LWS Optimize

Last week, we ran across a serious vulnerability in a new WordPress plugin, LWS Optimize. The plugin was subsequently closed on the WordPress plugin directory and then re-opened without the vulnerability being properly fixed. On top of that, the plugin’s easy-to-spot vulnerability was missed despite the claim that plugins receive a manual security review before they are even allowed into that directory.

If you log in to WordPress with the plugin active, you can access the plugin’s settings page and change the settings even as a user with the Subscriber role. Only users with the manage_options capability, which normally only Administrators have, should have access to that page. Instead, the plugin makes the page accessible to anyone with the read capability: [Read more]

30 Nov 2022

Authenticated Option Update Vulnerability in LWS Optimize

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, an authenticated option update vulnerability, in a brand new plugin, LWS Optimize.

We are now also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis, to provide additional protection for them. [Read more]