Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do basic vetting, which they claim to …

Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability

While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability. …

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a …

WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed

WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the …

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. …

The WordPress Function sanitize_text_field() Isn’t Always Enough Security to Protect Against XSS

The Automattic-owned WPScan recently claimed a serious persistent cross-site scripting (XSS) vulnerability had been in a WordPress plugin and had been fixed. Their report lacked the kind of information that would be needed to easily recheck things. What was …

Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability

On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ …

Plugin That is Part of Patchstack’s Vulnerability Disclosure Program (VDP) Still Contains Publicly Disclosed SQL Injection Issue

Often when we review claims about vulnerabilities in WordPress plugins, we find that the issues have only been partially addressed. That is the case with a vulnerability in the plugin POST SMTP, which has 300,000+ installs. The plugin vulnerability data …

WordPress Enterprise Agencies’ Own Guide Suggests Their Security Handling is Not Extremely Vigilant and Highly Competent

Last week, we wrote about how a guide that a group of WordPress agencies had released for promoting WordPress to enterprises had provided a misleading view of the security of WordPress. The information provided also suggests they might not have a …

Wordfence Intelligence (and Possibly WordPress) Mishandled Unfixed Vulnerabilities in WordPress Plugin

Earlier today, we warned our customers about unfixed vulnerabilities in a WordPress plugin named Posts Like Dislike. We ran across those vulnerabilities as at least one of our customers was using the plugin and the changelog for the latest version …

WP Engine Sending Out Emails Falsely Claiming Popular WordPress Plugins Contain Unfixed Vulnerabilities

Earlier today, we covered how Patchstack and their partners have been falsely claiming that WordPress plugins contain vulnerabilities caused by usage of an outdated version of the Freemius library. They have been joined in that by WP Engine and Automattic …

Snicco Falsely Claiming Competing WordPress Security Plugins Contain Vulnerabilities

Yesterday, the WPTavern ran a story with the headline “MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials” despite there not being a vulnerability. Instead, a competitor named Snicco had been successful in getting themselves …

Patchstack Claims to Be Security Point of Contact for WordPress Plugin It Made Up Vulnerability About

Recently Automattic’s WPScan claimed that the WordPress plugin Scripts n Styles had contained an admin+ stored XSS vulnerability that they explained this way: The plugin does not sanitise and escape some of its settings, which could allow high privilege users …

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent …

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known …

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence …

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for …

You Need to Make Sure Proof of Concepts for Vulnerabilities in WordPress Plugins You Use Have Been Tested

Are you relying on a security provider to warn about vulnerabilities in WordPress plugins you use? Are you not testing out the proof of concepts for those vulnerabilities because the security provider claims they are verifying things for you or …

Providers of WordPress Plugin Vulnerability Data Not Actually Verifying if Vulnerabilities Are Fixed

Recently, three ostensibly competing data providers for information on vulnerabilities in WordPress plugins all claimed that a vulnerability had been fixed in a certain version of the plugin Super Socializer. Here was WPScan, the original source for the claim: …