Trying to Decipher a Vulnerability Claim for a WordPress Plugin

Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed …

The Right Way for WordPress Plugins to Secure Order By Clauses in SQL Statements

Recently, one of our competitors in keeping track of vulnerabilities in WordPress plugins, Patchstack, very vaguely claimed there was an unfixed SQL injection vulnerability in a plugin used by at least one of our customers. As the developer noted, Patchstack …

WordPress Plugin Developers Need to Make Sure Their Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be …

WordPress Plugin Security Review: Maspik – Spam blacklist

For our 43rd security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Maspik – Spam blacklist. If you are not yet a customer of the service, once you sign up for the service …

The WordPress Function maybe_unserialize() Won’t Prevent PHP Object Injection

Recently, an update was released for a WordPress plugin that had a changelog that said the new version addressed a PHP object injection vulnerability by using the WordPress function maybe_unserialize(). That function doesn’t accomplish that. The developer then made a …

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous …

Not Really a WordPress Plugin Vulnerability, Week of January 19

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the …

Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

Those looking for useful security advice for WordPress websites are often running across biased information, where the bias isn’t disclosed. While looking for some information for a post we were writing, we ran across what was claimed to be a …

The Security Industry Isn’t All That Interested in Security

Recently, a high-profile security provider now owned by Google, Mandiant, had their Twitter account taken over by a hacker. While this should probably be a big deal, it isn’t all that surprising considering what Mandiant has become high-profile for. They …

Awesome Motive Is Claiming That Sucuri Is the Best WordPress Security in 2024 Based on Features It Doesn’t Contain

While doing research for a post, we found that the much maligned Awesome Motive was giving out, no surprise, highly misleading advice to make money for themselves. On one of their websites, they claimed that the Sucuri plugin is the …

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in …

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities …

The WordPress Function sanitize_text_field() Doesn’t Sanitize User Input for SQL Statements

As we warned our customers about last week, a recent update to a WordPress plugin that extends WooCommerce, with 300,000+ installs, tried to fix a SQL injection vulnerability. The developer failed to accomplish that, in part because they were using …

Google’s Search Results for The Best WordPress Security Plugins in 2024 Are as Bad As You Would Expect

Google’s search results have a reputation for being bad these days, and for good reason: they are bad. Take the results we got when doing a search for “best wordpress security plugins 2024”. We got this information directly on the …

Password Strength Doesn’t Matter if a Hacker Knows The Password Because It Was Compromised Through Malware

This past week there was a spate of security stories claiming a high-profile attack had occurred because of a weak password. Take the headline of an Ars Technica story by Dan Goodin, ‘A “ridiculously weak” password causes disaster for Spain’s …

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). While looking to see if this was a wider issue, we found that a 5+ million install security plugin is …

YouTuber Falsely Claims You Can Easily Prevent WordPress Websites From Getting Hacked With Solid Security

When looking for security advice on WordPress websites, one of the problems you face is the number of affiliate marketers posing as your friend. One recent example we ran across of this involved a YouTuber, WPress Doctor. They released a …

WordPress Plugin Developer Security Advisory: Brainstorm Force

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when …

Effective WordPress Security Plugins Can Not Be Replaced With Something You Can Do Manually

Recently, we looked at one inaccurate recommendation by a major web host, SiteGround, suggesting that you shouldn’t use WordPress security plugins that can actually protect against vulnerabilities. Along those same lines, they have some troubling advice when it comes to …