23 Aug 2024

Unaddressed WordPress Security Issue Behind Recent “Critical” Vulnerability in 100,000+ Install Plugin

Earlier this week, the WordPress security provider Wordfence released a post about a claimed “critical” vulnerability found in a WordPress plugin with 100,000+ installs. In that post they made this claim:

Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. [Read more]

21 Aug 2023

Latest Version of 100,000+ Install WordPress Plugin Essential Blocks Adds PHP Object Injection Vulnerability

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a PHP object injection vulnerability being introduced into the plugin Essential Blocks, which has 100,000+ installs. That is yet another vulnerability in a plugin from WPDeveloper.

We now are also running all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. [Read more]

30 Mar 2022

Our Proactive Monitoring Caught an Authenticated PHP Object Injection Vulnerability in a WordPress Plugin With 70,000+ Installs

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of those vulnerabilities, an authenticated PHP object injection vulnerability in the plugin Blog2Social, which has 70,000+ active installs according to wordpress.org.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

31 Jan 2022

Unfixed Vulnerability in Zendesk Library Leads to PHP Object Injection Vulnerability in WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability being introduced into the plugin ELEX HelpDesk & Customer Support Ticket System. While looking into the source of that, we found that the underlying source of the vulnerability was a library from Zendesk, a multi-billion-dollar company, and that vulnerability was publicly reported to them 10 months ago, but hasn’t been resolved.

Also, notably, the file containing the vulnerability is a sample file, which is something that shouldn’t be shipping in production software, but we often find that those are not removed from libraries being included in WordPress plugins. That isn’t helped by libraries not providing a pared-down version intended for production use. [Read more]

24 Jan 2022

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability being introduced into the plugin ICS Calendar.

We now are also running all the plugins used by customers through that on a weekly basis to provide additional protection for our customers. [Read more]

6 Jan 2022

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Saksh Escrow System

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin Saksh Escrow System.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

28 Oct 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in WC Designer

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin WC Designer.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

25 Oct 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability in Event Calendar

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, in the plugin Event Calendar.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

25 Oct 2021

Vulnerability Details: PHP Object Injection in Tagembed Widget

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, being removed from the plugin Tagembed Widget.

[Read more]

23 Aug 2021

Our Proactive Monitoring Caught a PHP Object Injection Vulnerability Being Introduced in to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught one of those vulnerabilities, a PHP object injection vulnerability, being introduced into the plugin Contact List.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]