4 Apr 2025

Hacker Probing for WordPress Plugin That Wordfence Exposed Critical Vulnerability in Without Making Sure Fix Is Available

Yesterday, we had what would appear to be a hacker probing for usage of the WordPress plugin Checkout Mestres WP on our website by requesting the readme.txt file for it like this:

/wp-content/plugins/checkout-mestres-wp/readme.txt [Read more]

12 Dec 2021

Vulnerability Details: Option Update in Tabs – Responsive Tabs with WooCommerce Product Tab Extension

A recent topic on the support forum for the WordPress plugin Tabs – Responsive Tabs with WooCommerce Product Tab Extension makes it sound like there was an option update vulnerability in the plugin:


[Read more]

2 Aug 2019

Vulnerability Details: Option Update in Plugins By Nicdark

Last Thursday we detailed an option update vulnerability in the plugin ND Shortcodes. Three more of their plugins have now been updated to fix the same vulnerability, though in each case the situation is worse since the vulnerability is exploitable even if one of the developer’s themes is not also in use. The additional plugins fixed are:


[Read more]

25 Jul 2019

Vulnerability Details: Option Update in ND Shortcodes (ND Shortcodes For Visual Composer)

The plugin ND Shortcodes (ND Shortcodes For Visual Composer) was closed on the Plugin Directory yesterday. Today a new version was submitted with the changelog “Improved nd_options_import_settings_php_function function for security reasons”. Looking at the code we found the plugin previously contained a vulnerability that allowed updating arbitrary WordPress options to arbitrary values, though it looks like it would only be exploitable in limited circumstances.


[Read more]

18 Mar 2019

Vulnerability Details: Option Update Vulnerability in Easy WP SMTP

The changelog for the latest version of Easy WP SMTP is “Fixed potential vulnerability in import\export settings.”, which turns out to relate to multiple vulnerabilities. The most serious of those, an option update vulnerability, was already being exploited before it was fixed according to the discoverer NinTechNet.


[Read more]

11 Mar 2019

Full Disclosure of Option Update Vulnerability in Woocommerce User Email Verification

On Friday we detailed a privilege escalation vulnerability in the plugin Woocommerce User Email Verification. While that is a very bad security vulnerability in terms of what could be done with it, it at least could be seen as a mistake as opposed to a failure to handle security in a fundamental way. That can’t be said about an option update vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory (which we run to try to catch serious vulnerabilities) spotted in the plugin at the same time.

The plugin registers the function save_tab_settings() to run during init, so when WordPress is loading: [Read more]
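The pattern described above, a settings handler hooked to init that writes request data into options, is the common shape of the option update vulnerabilities in this listing. The following is an added illustration of that class beside a hardened version; it is not the code of Woocommerce User Email Verification or of any other plugin named on this page, and every function, option and field name in it is assumed for the example.

```php
<?php
// Added illustration of the "option update" vulnerability class discussed on
// this page. This is NOT the code of any plugin named here; the function,
// option and request field names below are assumed for the example.

// --- Vulnerable pattern -----------------------------------------------------
// A settings handler hooked to `init` runs on every page load, for every
// visitor, before any capability or nonce check, and copies request values
// straight into WordPress options.
function example_vulnerable_save_settings() {
    if ( empty( $_POST['example_settings'] ) || ! is_array( $_POST['example_settings'] ) ) {
        return;
    }
    foreach ( $_POST['example_settings'] as $name => $value ) {
        update_option( $name, $value ); // attacker controls both the key and the value
    }
}
add_action( 'init', 'example_vulnerable_save_settings' );

// An unauthenticated POST to any URL on the site carrying
//   example_settings[users_can_register]=1
//   example_settings[default_role]=administrator
// turns on open registration and makes every new account an Administrator,
// which is how this class of bug ends up creating rogue admin users.

// --- Hardened version -------------------------------------------------------
// Same feature, reachable only through an admin-post action, with a capability
// check, a nonce check, an allow-list of option names the plugin owns, and a
// sanitizer per option. Keys outside the allow-list are ignored.
function example_hardened_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Action and field names are assumed; the settings form must emit this nonce.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $allowed = array(
        'example_sender_name'  => 'sanitize_text_field',
        'example_sender_email' => 'sanitize_email',
        'example_enabled'      => 'rest_sanitize_boolean',
    );

    $input = ( isset( $_POST['example_settings'] ) && is_array( $_POST['example_settings'] ) )
        ? wp_unslash( $_POST['example_settings'] )
        : array();

    foreach ( $allowed as $name => $sanitizer ) {
        if ( array_key_exists( $name, $input ) ) {
            update_option( $name, call_user_func( $sanitizer, $input[ $name ] ) );
        }
    }

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// Hooked to an authenticated admin-post action rather than to `init`.
add_action( 'admin_post_example_save_settings', 'example_hardened_save_settings' );
```

When reviewing a plugin for this class of issue, look for any call to update_option() whose option name comes from the request, and for any handler attached to init, admin_init or plugins_loaded that reads $_POST or $_GET before checking current_user_can() and a nonce; the fix is always the same three parts, a capability check, a nonce check, and an allow-list of option names.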

8 Nov 2018

Vulnerability Details: Option Update Vulnerability in WP GDPR Compliance

Yesterday we discussed a PHP object injection vulnerability that had been fixed in the plugin WP GDPR Compliance in relation to a topic on the WordPress Support Forum about a plugin being installed on websites. Today there have been several reports claiming that websites were hacked through WP GDPR Compliance to create new Administrator accounts, which seems likely to be caused by code related to the vulnerable code we discussed with the PHP object injection vulnerability. That issue is described, though not detailed, by Adrian Mörchen in an entry on the WPScan Vulnerability Database.


[Read more]