29 Oct 2021

WordPress Security Plugin’s Lack of Security Allows For Easy Disabling of Its Functionality

What probably goes a long way towards explaining why WordPress security plugins provide so little protection against the exploitation of vulnerabilities in other plugins is that the developers of those security plugins don’t have a great understanding of security. That is partially backed up by how often security vulnerabilities are found in security plugins themselves. The latest example we have found of a security plugin containing a vulnerability involves a newer plugin, Headers Security Advanced & HSTS WP, which has this text in the first paragraph of its description in the WordPress Plugin Directory:

it allows you to securely and quickly customize your login page URL. It does not rename or replace files, add rewrite or read rules. The wp-admin directory and the wp-login.php page will no longer go, remember to bookmark the URL or wherever you prefer so you can remember the login url. Deactivating this plugin will return your site configuration exactly to the state it was in before. [Read more]

4 Nov 2019

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Safe SVG

The changelog for the latest version of Safe SVG is “Underlying library update that fixes some security issues”. There is no changelog provided for that library to indicate what might have been fixed. We did find information from dinhbaouit that shows an authenticated persistent cross-site scripting (XSS) vulnerability still exists in the current version of the plugin.


[Read more]

8 Oct 2019

Vulnerability Details: Open Redirect in All In One WP Security

The changelog for the latest version of the plugin All In One WP Security (All In One WP Security & Firewall) is “Fixed vulnerability related to open redirect and exposure of hidden login page for specific case. (Thanks to Erwan (wpscanteam) for letting us know)”. The entry on the WPScan Vulnerability Database for that contains almost no information and has this for the proof of concept: “The PoC will be displayed on October 22, 2019, to give users the time to update.” It is unclear what the point of that would be, since by then it would be too late to be all that useful; if, say, the vulnerability hasn’t been properly fixed, hackers would already be taking advantage of it. At the same time, we have a hard time believing anybody looking to exploit this would have any trouble figuring out how to do so just by looking at the relevant changes made to the plugin, considering it took us around a minute.


[Read more]

21 Jun 2019

Cross-Site Request Forgery (CSRF) Vulnerability in Deny All Firewall

It is a continuing bad sign for the overall security of WordPress plugins that so many security plugins have security vulnerabilities of their own. We ran across one such plugin, Deny All Firewall, through our monitoring of plugin changelog entries, which we do to keep customers of our service aware of vulnerabilities that were or are in the plugins they use. The plugin is described as:

This plugin examines your WordPress installation and allows you to inject rules into your .htaccess file which completely block access to everything except genuine site content. [Read more]