Login

Tag Archives: Reflected Cross-Site Scripting (XSS)

26 Mar 2025

ShortPixel Not Honest About Security Fix in Enable Media Replace

Yesterday, a new version of the WordPress plugin Enable Media Replace was released. The changelog for the new version was “Fix: A potential “Reflected Cross-Site Scripting” vulnerability has been patched, responsibly disclosed by the PatchStack team.” The developers claim that a “potential” vulnerability had been fixed turned out to not be true. As there was an actual vulnerability. We also found the code in the plugin still isn’t properly secured and we have notified the developer of that.

[Read more]

10 Jun 2024

Reflected Cross-Site Scripting (XSS) Vulnerability in Dynamic QR Code Generator

The WordPress plugin Dynamic QR Code Generator was closed on the WordPress plugin directory last year with the only explanation given that it had a “Security Issue.” No further details of the issue were given. Prior to that last year, a security provider had vaguely claimed it contained a reflected cross-site scripting (XSS) vulnerability, but again with no further details. Looking at the code, we found there is a reflected XSS vulnerability in the most recent version of the plugin.

[Read more]

14 Nov 2023

Using Our Plugin Security Checker to Find a Reflected XSS Vulnerability Patchstack Claimed Was in a Plugin

We have been seeing a reoccurring issue recently where WordPress plugin developers are having users of the plugins being asked if they are going to fix vulnerabilities that a WordPress security,Patchstack, has claimed are in their plugins. The developers are responding, accurately, that Patchstack hasn’t provided any details on what the issue is supposed to be. That obviously makes it difficult to address things if there really is a vulnerability, or to otherwise refute the claim. A recent instance of that involved a claim of a reflected cross-site (XSS) in the plugin WP Bannerize Pro.

Here are the “details” Patchstack provided: [Read more]

24 Aug 2023

Expanded Security Checking for Plugins Used by Our Customers Catches New Vulnerability in 100,000+ Install Plugin

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. For some time, we also have run all the code in the plugins used by our customers through that monitoring system on a weekly basis to provide additional protection for them. More recently, we expanded the range of possible security issues that we check over in customer used plugins every week. Through that we caught a reflected cross-site scripting (XSS) vulnerability that was introduced in to the 100,000+ install plugin Squirrly SEO in the last week.

If you are using plugins not already used by our customers, once you start using our service, those plugins will be getting checked on a weekly basis as well. [Read more]

11 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

The changelog for the latest version of the WordPress plugin Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue is “Fixed the vulnerability issues for WPML.”

[Read more]

4 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Advanced Custom Fields

To better detect vulnerabilities being fixed in WordPress plugins in the WordPress Plugin Directory, we run all the changes being made to plugins used by our customers and plugins with at least a million installs through a machine learning (artificial intelligence) based system we created. Today, that flagged a change being made to a 2+ million install plugin Advanced Custom Fields as fixing a vulnerability. The changelog of the plugin suggested that might be correct, as the changelog associated with that change says that it “resolves an XSS vulnerability in ACF’s admin pages”, which was credited to Rafie Muhammad

You can’t rely on changelog to provide accurate information, as the developer of this plugin, WP Engine, didn’t disclose it was fixing a vulnerability in another of their plugins recently, and even if the changelog makes the claim, it doesn’t mean that a vulnerability really existed or it has been fixed. As we have found with other changes being flagged by this monitoring system, WordPress plugin developer sometimes fail to disclose they are fixing a vulnerability and also fail to actually fix it. [Read more]

6 Feb 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in DELUCKS SEO

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have been running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them for a year now and we have recently increased that customer proactive monitoring to include checking for lesser vulnerabilities. Through that, we caught a reflected cross-site scripting (XSS) vulnerability in DELUCKS SEO.

That this hadn’t been spotted before is a good indication of the limited amount of security checking being done of WordPress plugins, as the relevant code is easy to detect as at least being insecure. [Read more]

5 Jan 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter Glue

As part of our monitoring the security of plugins used by our customers, we have a system that alerts us if plugins used by customers have been removed from the WordPress Plugin Directory. A common cause of those removals is security issues (or at least claimed security issues). That brought the plugin Newsletter Glue to our attention recently, which was closed in August. The removal reason given is “Author Request”, but we wanted to make sure there wasn’t a serious vulnerability in the plugin as well.

What we found is that the plugin contains a minor vulnerability because of a lack of basic security. We also ran across other security problems with the plugin. For example, the plugin registers functions to be accessible via AJAX by those not logged in (in addition to those logged in) despite them only allowing users with the manage_options capability to access their functionality. If you are concerned about security, we would recommend not using the plugin unless it has a thorough security review done and all issues addressed. [Read more]