
Hacker Looking for Usage of 10Web WordPress Plugin That Contains Type of Vulnerability That Hackers Target

In June 2021, the WordPress security provider Patchstack announced that they were partnering with WordPress plugin provider and web host 10Web. Patchstack claimed that they and 10Web were working together to “help strengthen the WordPress ecosystem.” It was a curious …

WordPress Plugin Security Review: ShortPixel Image Optimizer

For our 41st security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin ShortPixel Image Optimizer. If you are not yet a customer of the service, once you sign up for the service as …

AI Can Help to Catch Vulnerabilities in WordPress Plugins, but It Doesn’t Change Developers’ Bad Handling of Them

A week ago, the developers of the 200,000+ install WordPress plugin Fluent Forms tried to address a security issue in the plugin, but failed, leaving a vulnerability in the plugin. You wouldn’t know about that from various WordPress plugin vulnerability …

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin’s functionality to email a one-time password for logging …

WordPress Plugin Security Review: Beautiful Cookie Consent Banner – Premium Add-On

We were recently hired to do a security review of the WordPress plugin Beautiful Cookie Consent Banner – Premium Add-On. If you want a security review of plugins you use, when you become a paying customer of our service, you …

WordPress Plugin Security Review: Beautiful Cookie Consent Banner

We were recently hired to do a security review of the WordPress plugin Beautiful Cookie Consent Banner, after getting in touch with them about a vulnerability that was being exploited after other security providers failed to properly check over a …

Not Really a WordPress Plugin Vulnerability, Week of February 3

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Wordfence Security Falls to Fifth Place in February Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started …

Not Really a WordPress Plugin Vulnerability, Week of January 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites

The headline of the most recent post on the blog of GoDaddy’s security service, Sucuri, blares “Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network”, which was written by Denis Sinegubko. How massive? Not massive at …

Not Really a WordPress Plugin Vulnerability, Week of January 20

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Cutting Through Wordfence’s FUD on Millions of Attack Attempts Against WordPress Websites

It isn’t uncommon to see comments online from people scared after a WordPress security solution, say, the Wordfence Security plugin, has alerted them that the solution has blocked a large number of hacking attempts. The best advice as to what …

Not Really a WordPress Plugin Vulnerability, Week of January 13

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

“New” Linux Malware Attempting to Exploit WordPress Plugin Vulnerabilities is Actually Years Old

Recently the security news outlet Bleeping Computer ran a story from Bill Toulas with the headline “New Linux malware uses 30 plugin exploits to backdoor WordPress sites”, but the only cited source for the story, Doctor Web, stated that it …

CVE’s Process for Disputing a Claimed Vulnerability is Currently Broken

Security journalists, for reasons that are not entirely clear, treat issuance of a CVE identifier for a claimed security vulnerability as a sign of significance and legitimacy. Take the start of an Ars Technica story from several months ago: It …

Wordfence Isn’t Telling the Truth About the Sourcing and Reliability of Their Plugin Vulnerability Data

As we have documented multiple times before, Wordfence is providing highly inaccurate information on vulnerabilities in WordPress plugins. We keep running into more examples of that. Earlier this week someone contacted the developer of a plugin about Wordfence’s claim that …

Not Really a WordPress Plugin Vulnerability, Week of January 6

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer. Here was WPScan, the original source for the claim: [Read …

Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript

Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of that often get in the way and cause unnecessary problems (as well as other troubling behavior, including deleting …