In our testing of WordPress firewall plugins, the NinjaFirewall plugin has been the best free option. It turns out it does something else where it isn’t so good. That would be warning about vulnerable plugins. We recently noticed the developer Continue reading NinjaFirewall is Providing Misleading Information on Vulnerable WordPress Plugins
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of February 16
We recently had a strange interaction with the team running the WordPress Plugin Directory over their failure to make sure a likely exploited vulnerability was fixed. It was yet another example of their poor handling of security. That runs counter Continue reading WordPress Plugin Team Appears to Not Understand Proper Use of SQL Escaping Function esc_sql()
For a couple of months now, a phishing email campaign has been sending emails warning of a vulnerability on WordPress websites and telling people to download a plugin for that. That email has this format: Dear user [Read more] ShareTweetSharePostSharePin Continue reading Cloudflare Still Providing DNS Service for WordPress Security Team Impersonation Scam
As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a Continue reading Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML
It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, Continue reading WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability
The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading most zipped copies of plugins that have been compressed on Macs are not working (and possibly zipped in some Continue reading Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities
We are currently in the process of reviewing a partially disclosed possible vulnerability in a 200,000+ install WordPress plugin that extends the 5+ million install plugin Elementor. One issue we found with the possible vulnerability is that the developer is Continue reading Elementor is Still Providing Access to Security Nonces to WordPress Users Who Shouldn’t Have Them
We recently ran across a WordPress support service that was making some extraordinary claims about their handling of security. They were not close to true, considering we were visiting their website to try to notify them that they had failed Continue reading Cloudflare Only Added One Firewall Rule for a WordPress Plugin Vulnerability Last Year and It Was Eight Months Late
In the work we do to keep track of vulnerabilities in WordPress plugins for our customers, we see a lot going wrong with the handling of vulnerabilities in them. While a lot of that involves plugin developers, it also involves Continue reading What to do If Someone is Claiming There is a Vulnerability in Your WordPress Plugin
Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence. It seems like their data should be trusted considering the CEO of Wordfence, Mark Maunder, has claimed their Continue reading Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of January 26
Yesterday, the Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There Continue reading Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace
One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when using register_setting() to register settings. That helps to make sure that settings of the plugin don’t contain Continue reading How to Use the sanitize_callback When Using the WordPress register_setting() Function
One of the tools we have to try to help make WordPress plugins more secure is our Plugin Security Checker, which flags possible security issues in WordPress plugins. From time to time, we spot check the results of plugins from Continue reading Catching a Future Vulnerability in a WordPress Plugin With Our Plugin Security Checker
Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:” This critical vulnerability has Continue reading Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files
WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the Continue reading WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed
Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed Continue reading Trying to Decipher a Vulnerability Claim for a WordPress Plugin
Recently, one of our competitors in keeping track of vulnerabilities in WordPress plugins, Patchstack, very vaguely claimed there was an unfixed SQL injection vulnerability in a plugin used by at least one of our customers. As the developer noted, Patchstack Continue reading The Right Way for WordPress Plugins to Secure Order By Clauses in SQL Statements
Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be Continue reading WordPress Plugin Developers Need to Make Sure There Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong