28 Jan 2022

Our Proactive Monitoring Caught a Persistent XSS Vulnerability in the WordPress Plugin Stylish Price List

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a persistent cross-site scripting (XSS) vulnerability, in the plugin Stylish Price List.

We are now also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

4 Jan 2022

Vulnerability Details: Persistent Cross-Site Scripting (XSS) in Contact Form CFDB7

Recently there were multiple claims that a persistent cross-site scripting (XSS) vulnerability had been fixed in the plugin Contact Form CFDB7, but the details needed to confirm that were not provided. Also, the version that was supposed to resolve it doesn't make the change you would expect to see for such a fix.

[Read more]

22 Sep 2021

Recently Closed WordPress Plugin With 30,000+ Installs Contains Type of Vulnerability Hackers Target

The WordPress plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory on Monday. It is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities that we should be warning users of the plugin who also use our service about, we found just such a vulnerability. The plugin has a settings change vulnerability that leads to a persistent cross-site scripting (XSS) vulnerability, which would allow an attacker to cause JavaScript code to be run on the website. The latter is a type of vulnerability that hackers are known to target.

We tested and confirmed that our upcoming firewall plugin for WordPress protects against the exploitation of the persistent cross-site scripting (XSS) vulnerability. [Read more]

21 Jun 2021

WPScan Misses Real Serious Vulnerability in WordPress Plugin Hana Flv Player While Spreading False Claim of Vulnerability

Recently one of our competitors in the WordPress plugin vulnerability space, WPScan, released a report claiming there was an authenticated stored cross-site scripting (XSS) vulnerability in the plugin Hana Flv Player. At first glance it appeared to be like many of the false reports they include in their data, but further checking showed that while the claimed vulnerability didn't exist, there really was an even more serious vulnerability in the relevant code. As of the posting of this, the plugin is still available in WordPress' plugin directory despite that.

Their report of an “authenticated stored cross-site scripting (XSS) vulnerability” starts with this past tense claim: [Read more]

11 Jun 2021

WooCommerce Multivendor Membership WordPress Plugin Contains Persistent XSS Vulnerability

Two days ago we discussed that, after seeing what looked to be a hacker probing for the WordPress plugin WooCommerce Frontend Manager (WCFM), we found that the plugin contained, among other security issues, an authenticated persistent cross-site scripting (XSS) vulnerability. That is more of a concern than it usually would be, since the plugin works with WooCommerce, which by default allows untrusted visitors to create WordPress accounts, so hackers would have an easier time exploiting it than they would with the average plugin. In looking at the developer's other plugins we found that one of them, WooCommerce Multivendor Membership, is even more insecure, as the same type of vulnerability can be exploited without even being logged in to WordPress.

(Despite WooCommerce Frontend Manager (WCFM) likely being targeted by a hacker and containing an unfixed vulnerability they would exploit, WordPress is still distributing the plugin two days later.) [Read more]

10 Jun 2021

Recently Closed WordPress Plugin with 30,000+ Installs Contains Persistent XSS Vulnerability

The plugin SEO Redirection was closed on the WordPress Plugin Directory yesterday. It is one of the 1,000 most popular plugins, with 30,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should warn users of the plugin who also use our service about, we found that it contains multiple security issues. The most serious issue we found in just a quick check looked to be a persistent cross-site scripting (XSS) vulnerability, which is something hackers might be interested in exploiting.

Due to how insecure we found it to be, we would recommend not using the plugin until its security has been thoroughly reviewed and the issues identified have been fixed. [Read more]

23 Oct 2019

Hackers May Already be Targeting this Persistent XSS Vulnerability in PushEngage

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in the WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. It looks like that has started up again, with the plugin PushEngage being one of the new plugins. There was probing on our website today for that plugin by requesting these files:

/wp-content/plugins/astra-sites/inc/assets/js/admin-page.js
/wp-content/plugins/astra-sites/inc/assets/css/admin.css
/wp-content/plugins/astra-sites/readme.txt [Read more]
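The probing pattern above is easy to spot in your own access logs: a scanner asks for a plugin's readme.txt (which browsers never request, and which reveals the installed version) and for static assets such as admin JS or CSS, because the web server answers those even when the plugin is inactive. The following is an added example, not code from the original post or from the monitoring service described on this page. It assumes Apache/nginx "combined" log format; the log lines, the IP addresses, and the slugs example-plugin and installed-plugin are constructed for the demonstration, and the thresholds are illustrative.

```python
"""Flag requests that look like WordPress plugin enumeration probes.

Added example (not the original post's code). Assumes combined log format.
"""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) '
)

# Anything under the plugins directory: capture the slug and the rest of the path
# (query string dropped, since assets are often requested with ?ver=...).
PLUGIN_PATH_RE = re.compile(
    r'^/wp-content/plugins/(?P<slug>[A-Za-z0-9_.-]+)/(?P<rest>[^?#]*)'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path, installed):
    """Return a reason string if `path` looks like a plugin probe, else None.

    `installed` is the set of plugin slugs this site actually runs; a browser
    only loads assets of plugins referenced by a page, never assets of plugins
    that are not installed, and never readme.txt.
    """
    m = PLUGIN_PATH_RE.match(path)
    if not m:
        return None
    slug, rest = m.group("slug"), m.group("rest")
    if rest.lower() == "readme.txt":
        return "readme"          # version-disclosure file; only scanners ask for it
    if slug not in installed:
        return "absent-plugin"   # asset of a plugin this site does not run
    return None


def find_probes(lines, installed):
    """Group probe-like requests by client IP.

    Returns {ip: {slug: [(path, status, reason), ...]}} so an analyst can see
    which plugins each client was checking for.
    """
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["path"], installed)
        if reason:
            slug = PLUGIN_PATH_RE.match(rec["path"]).group("slug")
            hits[rec["ip"]][slug].append((rec["path"], rec["status"], reason))
    return {ip: dict(by_slug) for ip, by_slug in hits.items()}


def suspicious_ips(probes, min_plugins=2):
    """IPs that asked for any readme.txt, or for assets of `min_plugins` or more
    plugins that are not installed (a single stray 404 is usually noise)."""
    flagged = []
    for ip, by_slug in probes.items():
        asked_readme = any(r == "readme" for reqs in by_slug.values() for _, _, r in reqs)
        if asked_readme or len(by_slug) >= min_plugins:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample log: the three astra-sites paths quoted in the post above,
# one more readme probe for a made-up slug, and two requests from a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Oct/2019:10:01:12 +0000] "GET /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2019:10:01:12 +0000] "GET /wp-content/plugins/astra-sites/inc/assets/css/admin.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2019:10:01:13 +0000] "GET /wp-content/plugins/astra-sites/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [23/Oct/2019:10:01:14 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2019:10:02:00 +0000] "GET /blog/some-post/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [23/Oct/2019:10:02:01 +0000] "GET /wp-content/plugins/installed-plugin/assets/front.js?ver=1.2 HTTP/1.1" 200 3201 "https://example.com/blog/some-post/" "Mozilla/5.0"
""".splitlines()

INSTALLED = {"installed-plugin"}  # assumed list of slugs the site actually runs

if __name__ == "__main__":
    report = find_probes(SAMPLE_LOG, INSTALLED)
    for ip in suspicious_ips(report):
        print(ip)
        for slug, reqs in report[ip].items():
            print("  ", slug, "->", ", ".join(f"{p} ({s}, {r})" for p, s, r in reqs))
```

The `installed` set matters: on a site that does run the probed plugin the asset requests return 200 and look like normal traffic, so the readme.txt rule is the one that still fires there. Run it against a day's log and feed the flagged slugs into whatever you use to check plugin vulnerability status; a burst of probes for a plugin with no public advisory is exactly the signal the post above describes.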