While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability. Continue reading Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability
Our customers provide us with the ability to help make WordPress plugins more secure. Mostly, with plugins they use, but to a lesser extent other plugins. That works often goes unmentioned. So we are highlighting that to help to better Continue reading How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9
It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, Continue reading WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability
Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:” This critical vulnerability has Continue reading Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files
Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed Continue reading Trying to Decipher a Vulnerability Claim for a WordPress Plugin
A couple of weeks ago, the Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part in believing that all previous Continue reading Many CVE Records Are Listing the Wrong Versions of Software as Being Affected
In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the Continue reading Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed
Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities Continue reading Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)
Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that claims the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where Continue reading Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability
When it comes to protecting WordPress websites from vulnerabilities in WordPress plugins, one piece of the solution involves being warned if you are using plugins with known vulnerabilities. Doing that well requires doing a lot of work. That is something Continue reading Patchstack vs Wordfence WordPress Plugin Vulnerability Data: It’s Largely The Same Inaccurate Data
There are many sources for data on WordPress plugin vulnerabilities. Or there appears to be. In reality, most sources are simply copying their data from the others. The results of that are often quite poor, which the providers simply deny. Continue reading Patchstack’s Plugin Vulnerability Data Continues to Not Be Impeccable Either
On Friday, a news outlet that Google News includes, despite repeatedly running false stories about vulnerabilities in WordPress plugins, was at it again. Roger Montti writing for the Search Engine Journal, made this claim: The popular Fluent Forms Contact Form Continue reading News Outlet Claims WordPress Plugin Contained Vulnerability Because an Administrator Could Access the Website’s Database
The Automattic owned WPScan recently claimed a serious persistent cross-site scripting (XSS) vulnerability had been in a WordPress plugin and had been fixed. Their report lacked the kind of information that would be needed to easily recheck things. What was Continue reading The WordPress Function sanitize_text_field() Isn’t Always Enough Security to Protect Against XSS
On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ Continue reading Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability
Often when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data Continue reading Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue
This week we have been covering a mess that started with the developers of the Freemius library not properly handling a security issue we reported to them last year. Instead of addressing the issue at the time, they put out Continue reading WordPress Security Providers Delaying Vulnerability Disclosures Doesn’t Stop Hackers From Figuring Them Out
In February of last year, we tried to work with the developer of the Freemius library, which is widely used in WordPress plugins, to address a number of security issues that came up during a security review of a plugin Continue reading Patchstack Causes Developer of 600,000+ Install WordPress Plugin to Release Phantom Security Update
Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way: The plugin does not sanitise and escape some of its settings, which could allow high privilege users Continue reading Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About