Recently, Wordfence claimed that the WordPress plugin Shortcodes Ultimate contained an authenticated persistent cross-site scripting (XSS) vulnerability, which they described this way:
…
In February of last year, we tried to work with the developer of the Freemius library, which is widely used in WordPress plugins, to address a number of security issues that came up during a security review of a plugin using it. Instead of them working with us, they incompletely addressed the issues on their own. We told them that the fix was incomplete, but they didn’t address things. Earlier this month they were claiming in a blog post that we did “not cooperate” with them in that situation, despite linking to a post about the previous situation where they stated they went “into a ‘silent mode’ and ke[pt] interactions to a minimum”. Also earlier this month, they finally addressed an issue we had warned them about at the time. That has led to a mess for developers and users of plugins using the library (and some not even using it). That mess includes the developer of a plugin with 600,000+ installs to have to release a phantom security update to stop Patchstack from falsely claiming the plugin was still vulnerable.
While Patchstack has caused problems for various developers in this situation (and many others), Freemius is claiming that it is “a security company that truly cares about website security and works with you in full cooperation and coordination”. [Read more]
A recent version of the plugin Shortcodes Ultimate has a couple of security related changelog entries, with the more serious one appearing to be:
…
Earlier today we announced we are changing how we handle the disclosure of vulnerabilities in WordPress plugins. Until the inappropriate behavior by the moderators of the WordPress Support Forum ends we are going to be doing full disclosure, that is just disclosing the vulnerabilities, and after that only notifying the developer of the plugin through the Support Forum. We hope that this will be the thing that finally causes the current moderators and or other people in charge of WordPress to understand that they need to clean up the moderation, because it is causing many more problems than these full disclosures will.
We thought it would be a good idea to start these full disclosures off with a bang by disclosing a vulnerability in a very popular plugin, one with 700,000+ active installations according to wordpress.org. The type of vulnerability being disclosed though has almost no chance of being exploited on the average website, unless you were to believe the misinformation put out by other security companies. [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
When Robert Mathews disclosed that an authenticated remote code execution (RCE) vulnerability that had been in the plugin Shortcodes Ultimate was being exploited his description of the issue also indicated that there has been a vulnerability in the plugin Formidable Forms: [Read more]
If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.
Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during July (and what you have been missing out on if you haven’t signed up yet): [Read more]
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.
…