10 Jun 2022

Not Really a WordPress Plugin Vulnerability, Week of June 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting in Newsletter

Automattic’s WPScan claimed the plugin Newsletter contained a reflected cross-site scripting (XSS) vulnerability, where the “vulnerability” would require using a web browser that hasn’t received security updates for five years: [Read more]

10 Mar 2020

Vulnerability Details: CSV Injection in Newsletter

One of the changelog entries for the latest version of Newsletter is “Security fix on CSV export”. Based on other recently disclosed vulnerabilities, it seemed likely this would refer to fixing a CSV injection vulnerability, and quick testing confirmed that. The issue was fixed by adding escaping.

[Read more]

2 Mar 2018

What Happened With WordPress Plugin Vulnerabilities in February 2018

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during February (and what you have been missing out on if you haven’t signed up yet): [Read more]

14 Oct 2016

False Vulnerability Report: Cross Site Request Forgery / Cross Site Scripting in Newsletter 4.6.0

As part of our cataloging the vulnerabilities in WordPress plugins for our service we come across false reports of vulnerabilities from time to time. So that others don’t spend their time looking over these as well, we post our findings on them.

Yesterday a report of a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in version 4.6.0 of the Newsletter plugin was released. The changelog noted a security fix in the version it was supposed to have been fixed in, but the wording seemed to downplay the claimed issue, as it said “Fixed a security issue on admin side only exploitable by logged in admins”. A cross-site request forgery vulnerability involves getting someone else to access a URL that causes them to send a request to their website, so if the vulnerability had existed, to say that it was only “exploitable by logged in admins” would have been true, but misleading, since it would not have required them to be trying to exploit the vulnerability. But as we quickly found, the misleading part was describing it as a security issue. [Read more]