
Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace

Yesterday, the Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There Continue reading Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace

How to Use the sanitize_callback When Using the WordPress register_setting() Function

One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when using register_setting() to register settings. That helps to make sure that settings of the plugin don’t contain Continue reading How to Use the sanitize_callback When Using the WordPress register_setting() Function
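The following is an added example, not code from the post above or from any plugin it reviews, showing what proper use of the sanitize_callback argument looks like. It assumes it runs inside WordPress (a plugin or mu-plugin file); the option group, option name, allowed values and function names are hypothetical.

```php
<?php
// Added example: registering a plugin setting with a sanitize_callback that
// enforces an allow-list. Assumes WordPress is loaded; names are hypothetical.

add_action( 'admin_init', 'pv_example_register_settings' );

function pv_example_register_settings() {
    register_setting(
        'pv_example_options',        // option group referenced by settings_fields()
        'pv_example_redirect_mode',  // option name stored in wp_options
        array(
            'type'              => 'string',
            'default'           => 'off',
            'sanitize_callback' => 'pv_example_sanitize_redirect_mode',
        )
    );
}

// Only one of a fixed set of values is ever stored; anything else is rejected
// and the default is written instead, with a Settings API error shown to the admin.
function pv_example_sanitize_redirect_mode( $value ) {
    $allowed = array( 'off', 'internal', 'external' );
    $value   = is_string( $value ) ? sanitize_text_field( $value ) : '';

    if ( ! in_array( $value, $allowed, true ) ) {
        add_settings_error(
            'pv_example_redirect_mode',
            'invalid_redirect_mode',
            'Invalid redirect mode; the setting has been reset to "off".'
        );
        return 'off';
    }

    return $value;
}
```

The callback is attached by register_setting() through the sanitize_option_{option_name} filter, so it also runs when the option is written with update_option() from elsewhere in the plugin, not only when the Settings API form is submitted. A callback that merely calls sanitize_text_field() on a value that is later used as a URL, a file path or a capability name does not accomplish much; the check has to match how the value is used.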

Catching a Future Vulnerability in a WordPress Plugin With Our Plugin Security Checker

One of the tools we have to try to help make WordPress plugins more secure is our Plugin Security Checker, which flags possible security issues in WordPress plugins. From time to time, we spot check the results of plugins from Continue reading Catching a Future Vulnerability in a WordPress Plugin With Our Plugin Security Checker

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:” This critical vulnerability has Continue reading Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed

WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the Continue reading WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed

All-In-One Security (AIOS) Firewall Review: It Doesn’t Deliver Great Results

In 2022, the WordPress security plugin All In One WP Security & Firewall was rebranded as All-In-One Security (AIOS). The removal of emphasis on a firewall is probably fitting, as the plugin’s firewall capability is rather limited and the developers Continue reading All-In-One Security (AIOS) Firewall Review: It Doesn’t Deliver Great Results

Trying to Decipher a Vulnerability Claim for a WordPress Plugin

Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed Continue reading Trying to Decipher a Vulnerability Claim for a WordPress Plugin

The Right Way for WordPress Plugins to Secure Order By Clauses in SQL Statements

Recently, one of our competitors in keeping track of vulnerabilities in WordPress plugins, Patchstack, very vaguely claimed there was an unfixed SQL injection vulnerability in a plugin used by at least one of our customers. As the developer noted, Patchstack Continue reading The Right Way for WordPress Plugins to Secure Order By Clauses in SQL Statements
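As an added example, not the code of the plugin discussed above, this is one way to build an ORDER BY clause from request input without placing the raw value in the query. It assumes WordPress is loaded ($wpdb is available); the table, columns and function names are hypothetical.

```php
<?php
// Added example: allow-listed ORDER BY construction. Assumes WordPress is loaded;
// table and column names are hypothetical.

function pv_example_orderby_clause( $orderby_input, $order_input ) {
    // Public sort keys map to real column names; an unknown key gets the default.
    // The request value itself never reaches the SQL string.
    $columns = array(
        'date'  => 'created_at',
        'title' => 'title',
        'views' => 'view_count',
    );
    $column = isset( $columns[ $orderby_input ] ) ? $columns[ $orderby_input ] : 'created_at';

    // Direction is a two-value allow-list, again never the raw string.
    $order = ( 'ASC' === strtoupper( (string) $order_input ) ) ? 'ASC' : 'DESC';

    return "ORDER BY `{$column}` {$order}";
}

function pv_example_get_items( $orderby_input, $order_input, $status ) {
    global $wpdb;

    $table   = $wpdb->prefix . 'pv_example_items';
    $orderby = pv_example_orderby_clause( $orderby_input, $order_input );

    // prepare() handles the values; the identifiers come only from the allow-list above.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM `{$table}` WHERE status = %s {$orderby} LIMIT %d",
            $status,
            50
        )
    );
}

// Whatever is sent, e.g. ?orderby=created_at%3B%20DROP%20TABLE%20x&order=DESC,
// only a column name from the map and ASC/DESC can end up in the query.
$rows = pv_example_get_items(
    isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : '',
    isset( $_GET['order'] ) ? wp_unslash( $_GET['order'] ) : '',
    'published'
);
```

The reason for the map rather than passing the column through $wpdb->prepare() is that the %s placeholder quotes its argument as a string literal, which is not valid for an identifier. WordPress also ships sanitize_sql_orderby(), but that only checks that the clause has the shape of an ORDER BY expression; it does not restrict which columns a user can sort on, so an allow-list is still the stronger check.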

WordPress Plugin Developers Need to Make Sure Their Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be Continue reading WordPress Plugin Developers Need to Make Sure Their Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong
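The pattern the title refers to, as an added example that is not code from the reviewed plugin: a nonce check that is silently skipped when no nonce is sent, beside one that fails closed in both cases. It assumes WordPress is loaded; the action name, capability and function names are hypothetical.

```php
<?php
// Added example: a nonce check that can be bypassed by omitting the nonce,
// and the corrected version. Assumes WordPress is loaded; names are hypothetical.

// Flawed: wp_verify_nonce() only runs when the field is present, so a request
// that simply leaves out _wpnonce is accepted and the action goes ahead.
function pv_example_handle_broken() {
    if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( $_POST['_wpnonce'], 'pv_example_save' ) ) {
        wp_die( 'Invalid nonce', 403 );
    }
    // ... settings would be saved here
}

// Fixed: a missing nonce and a wrong nonce both end the request. wp_verify_nonce()
// returns false for an empty string, so defaulting to '' makes the absent case fail.
// A nonce is a CSRF check, not an authorization check, so the capability check
// still has to be there as well.
function pv_example_handle_fixed() {
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';

    if ( ! wp_verify_nonce( $nonce, 'pv_example_save' ) ) {
        wp_die( 'Invalid or missing nonce', 403 );
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }

    // ... settings are saved here
}
```

In an admin context the two-line nonce check in the fixed version can be replaced by check_admin_referer( 'pv_example_save' ), which reads the _wpnonce request field itself and dies if it is absent or wrong. Whichever form is used, the test is to send the request once with the field removed entirely and once with a wrong value, and confirm both are refused.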

WordPress Plugin Security Review: Maspik – Spam blacklist

For our 43rd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Maspik – Spam blacklist. If you are not yet a customer of the service, once you sign up for the service Continue reading WordPress Plugin Security Review: Maspik – Spam blacklist

The WordPress Function maybe_unserialize() Won’t Prevent PHP Object Injection

Recently, an update was released for a WordPress plugin that had a changelog that said the new version addressed a PHP object injection vulnerability by using the WordPress function maybe_unserialize(). That function doesn’t accomplish that. The developer then made a Continue reading The WordPress Function maybe_unserialize() Won’t Prevent PHP Object Injection
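As an added example, not the code of the plugin discussed above, the following shows why maybe_unserialize() does not help: it still calls unserialize() and so still instantiates whatever class the serialized string names, while PHP's own allowed_classes option refuses to. It assumes WordPress is loaded (for instance run with `wp eval-file`); the class and the payload are constructed for the demonstration.

```php
<?php
// Added example: maybe_unserialize() versus unserialize() with allowed_classes => false.
// Assumes WordPress is loaded; the class and payload below are constructed.

class Pv_Example_Gadget {
    public $log = '';

    // A real gadget chain would do something harmful in a magic method such as
    // __destruct() or __wakeup(); this one only announces that it was instantiated.
    public function __destruct() {
        echo "Pv_Example_Gadget::__destruct() ran\n";
    }
}

// A serialized object an attacker could place in any value the plugin later unserializes.
$payload = 'O:17:"Pv_Example_Gadget":1:{s:3:"log";s:7:"attack!";}';

// maybe_unserialize() only checks whether the string looks serialized and then
// hands it to unserialize() unchanged, so the attacker's class is instantiated.
$obj = maybe_unserialize( $payload );
if ( $obj instanceof Pv_Example_Gadget ) {
    echo "maybe_unserialize() created the attacker-chosen object\n";
}

// When the data is only ever supposed to hold scalars and arrays, tell PHP to
// instantiate nothing: objects come back as __PHP_Incomplete_Class and no
// magic methods of the named class are reachable.
$safe = unserialize( $payload, array( 'allowed_classes' => false ) );
if ( $safe instanceof __PHP_Incomplete_Class ) {
    echo "allowed_classes => false did not instantiate the class\n";
}
```

If a plugin needs to store structured data from an untrusted source, the more robust fix is to not use PHP serialization for it at all and use json_encode()/json_decode() instead, which cannot produce objects of arbitrary classes. Where serialized data has to be accepted, the check that matters is the allowed_classes option (or an explicit list of permitted classes), not whether the string is passed through a WordPress wrapper first.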

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, the Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on the belief that all previous Continue reading Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

Not Really a WordPress Plugin Vulnerability, Week of January 19

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of January 19

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the Continue reading Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

Those looking for useful security advice for WordPress websites are often running across biased information, where the bias isn’t disclosed. While looking for some information for a post we were writing, we ran across what was claimed to be a Continue reading Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

The Security Industry Isn’t All That Interested in Security

Recently, a high-profile security provider now owned by Google, Mandiant, had its Twitter account taken over by a hacker. While this should probably be a big deal, it isn’t all that surprising considering what Mandiant has become high-profile for. They Continue reading The Security Industry Isn’t All That Interested in Security