12 Jun 2024

Privilege Escalation Vulnerability in Pretty Links

One of the changelog entries for the latest version of the WordPress plugin Pretty Links is “Security hardening.” Looking at the changes made, we found that a nonce check to prevent cross-site request forgery (CSRF) was added in the new version. Looking closer, we found that another security check was still missing, and that the vulnerability that had existed didn’t just involve CSRF. We have notified the developer of the missing security check, which is also still missing in other similar code, and have offered to help them address it.

2 May 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in Pretty Links

The changelog for the latest version of Pretty Links is “Fixed some security issues”. Looking at the changes made, we found that protection against cross-site request forgery (CSRF) was added for various actions that are restricted to users with the “manage_options” capability (so Administrators). Those included the actions to create, update, and delete links handled by the plugin. We found that when creating a link you can also cause cross-site scripting (XSS) to occur, which isn’t normally a vulnerability for users with the “manage_options” capability, though it should probably be fixed as well.

2 Jan 2018

What Happened With WordPress Plugin Vulnerabilities in December 2017

If you want the best information, and therefore the best protection, against vulnerabilities in WordPress plugins, we provide that through our service.

Here is what we did to keep those who are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet):

22 Dec 2017

Is This What a Hacker Might Be Interested in the Pretty Links Plugin For?

Last week we had requests from the IP address 185.100.222.127 to our website that looked like they might be a hacker probing for usage of the plugins SendinBlue Subscribe Form And WP SMTP and Table Maker. After seeing that, we checked over the plugins to try to find if there was a vulnerability in them that a hacker would be interested in.

With SendinBlue we found a SQL injection vulnerability that might be usable to cause PHP object injection. PHP object injection is a type of issue that is highly likely to be exploited if it exists. That vulnerability has yet to be fixed.