21 May 2019

WordPress Plugin Developers Are Portraying Limited Security Checks as Security Audits, Which They Are Not

Earlier today we noted that more WordPress plugins getting a security review would be a big help to the WordPress community. While there are not many security reviews of plugins happening now, in some cases developers are making it sound like their plugins are getting security audits that they do not appear to be getting.

As part of continually monitoring various sources for information on vulnerabilities in WordPress plugins, so that we can add them to our data set and our customers can be informed of vulnerabilities in plugins they use, today we came across a report of vulnerabilities in the plugin WPGraphQL. In looking into this we found that the release notes for the version that is supposed to fix them contained this information: [Read more]

29 Apr 2019

Security Journalists’ Odd Treatment of Proofs of Concept for WordPress Plugin Vulnerabilities

We think that good security journalism is something that could greatly help to improve the poor state of security, not just surrounding WordPress plugins but in general. Unfortunately what we have found is that security journalists almost uniformly seem to do a very bad job. As a less serious example of that, recently we have seen odd responses from security journalists to us including proofs of concept with the vulnerabilities we are disclosing.

Some of that seems like it could be originating with the security company behind the Wordfence Security plugin, Defiant, who make claims like this (while waiting until after vulnerabilities are widely exploited to warn people that they are using plugins likely to be exploited, which is too late): [Read more]

15 Apr 2019

Persistent Cross-Site Scripting (XSS) Vulnerability in WP Inventory Manager

One of the changelog entries for the latest version of WP Inventory Manager is “Address security data sanitization in various $_POST, $_GET, $_REQUEST.” When we went to look at that change to see if there was a vulnerability we should add to our data set, we noticed that the two latest log entries for the plugin in the Subversion repository, which underlies the WordPress Plugin Directory, were “Updating to 1.7.9 for wordpress team review” and “Update for Plugin Review Team”. It’s not clear what that refers to, but when we looked at the changes made, it appeared that security changes related to the plugin’s settings had been made, so we installed the previous version of the plugin and started looking to see if there had previously been a vulnerability. What we saw is that there still looked to be a vulnerability, since the changes made didn’t seem to fix an issue we saw. When we went to look further we had a hard time finding the code related to the vulnerability, and when we finally did we found that the situation was worse: you don’t even need to be logged in to change the plugin’s settings, and through that you can cause persistent cross-site scripting (XSS).

The code that starts this is a bit complicated, so we will skip ahead to the function admin_init() in the file /includes/wpinventory.admin.class.php, which runs during the admin_init action. That action fires even when you are not logged in if you access the page /wp-admin/admin-post.php, since WordPress runs admin_init there before it checks for a valid login. Here is the beginning of that function: [Read more]
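The hook behaviour described above is the general pattern behind this class of bug, and it is worth seeing both sides of it. The following is an added illustration, not code from WP Inventory Manager or any other plugin: a hypothetical plugin that saves its settings from admin_init without a capability or nonce check, shown beside the hardened form. The option name example_plugin_settings, the function names, the nonce action and the form field names are all invented for the illustration.

```php
<?php
/*
 * Added illustration only. Not code from WP Inventory Manager; every name
 * below (example_*) is invented for this example.
 *
 * WordPress fires the admin_init action from /wp-admin/admin-post.php (and
 * /wp-admin/admin-ajax.php) before any login check, so a handler attached to
 * admin_init is reachable by an anonymous request such as:
 *
 *   curl -d 'example_save_settings=1&example_settings[title]=<script>alert(1)</script>' \
 *        https://example.test/wp-admin/admin-post.php
 */

/* ---- UNSAFE pattern: the shape of bug described in the post ---- */

function example_unsafe_admin_init() {
	if ( isset( $_POST['example_save_settings'] ) ) {
		// No current_user_can(), no nonce, no sanitization: anyone on the
		// internet can overwrite the option with attacker-controlled HTML.
		update_option( 'example_plugin_settings', $_POST['example_settings'] );
	}
}
add_action( 'admin_init', 'example_unsafe_admin_init' );

function example_unsafe_render_settings_page() {
	$settings = get_option( 'example_plugin_settings', array() );
	// Stored value echoed without escaping: the persistent XSS sink. It runs
	// in the browser of whichever administrator opens the settings page.
	echo '<h2>' . $settings['title'] . '</h2>';
}

/* ---- HARDENED pattern ---- */

function example_safe_admin_init() {
	if ( ! isset( $_POST['example_save_settings'] ) ) {
		return;
	}
	// 1. Authorization: anonymous users and low-privilege accounts fail this.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	// 2. Nonce: defeats CSRF against an administrator who is logged in.
	check_admin_referer( 'example_save_settings', 'example_nonce' );
	// 3. Sanitize on input: keep only the fields you expect, as the types you expect.
	$raw   = isset( $_POST['example_settings'] ) && is_array( $_POST['example_settings'] )
		? wp_unslash( $_POST['example_settings'] )
		: array();
	$clean = array(
		'title' => sanitize_text_field( isset( $raw['title'] ) ? $raw['title'] : '' ),
	);
	update_option( 'example_plugin_settings', $clean );
}
add_action( 'admin_init', 'example_safe_admin_init' );

function example_safe_render_settings_page() {
	$settings = get_option( 'example_plugin_settings', array() );
	$title    = isset( $settings['title'] ) ? $settings['title'] : '';
	// 4. Escape on output regardless of what was stored; input sanitization
	//    can be bypassed by an older stored value or a direct database edit.
	echo '<h2>' . esc_html( $title ) . '</h2>';
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	wp_nonce_field( 'example_save_settings', 'example_nonce' );
	echo '<input type="text" name="example_settings[title]" value="' . esc_attr( $title ) . '">';
	echo '<button name="example_save_settings" value="1">Save</button>';
	echo '</form>';
}
```

The check to apply when reviewing a plugin is simple: for every handler attached to admin_init (or to admin_post_nopriv_* and wp_ajax_nopriv_* actions), ask whether it writes anything before a capability check has run. The nonce alone is not enough, since check_admin_referer() only proves the request came from a form the site generated, not that the sender is allowed to make the change; and sanitizing on input alone is not enough either, which is why the hardened version also escapes on output.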