Not Really a WordPress Plugin Vulnerability – Week of September 22, 2017

https://www.pluginvulnerabilities.com/2017/09/22/not-really-a-wordpress-plugin-vulnerability-week-of-september-22-2017/
In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot of those we haven’t felt rose to that level. In particular are items that are

Vulnerability Details: PHP Object Injection Vulnerability in Appointments

https://www.pluginvulnerabilities.com/2017/09/22/vulnerability-details-php-object-injection-vulnerability-in-appointments/
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. Since June we have been doing proactive monitoring of changes made to plugins to try to

PHP Object Injection Vulnerability in DS.DownloadList

https://www.pluginvulnerabilities.com/2017/09/22/php-object-injection-vulnerability-in-ds-downloadlist/
For the second time through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities we have found a vulnerability not just as it is added to a plugin, but as the plugin was introduced into the Plugin Directory. There is a manual review done of plugins before they are approved for the Plugin Directory and that appears to

PHP Object Injection Vulnerability in TAKETIN To WP Membership

https://www.pluginvulnerabilities.com/2017/09/22/php-object-injection-vulnerability-in-taketin-to-wp-membership/
Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found a PHP object injection vulnerability in the TAKETIN To WP Membership plugin. In the file /classes/taketin-mp-utils.php the function getMessage() as of version 1.2.7 would unserialize the value of the cookie “taketin_mp_error”, which permitted PHP object injection:

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in 2kb Amazon Affiliates Store

https://www.pluginvulnerabilities.com/2017/09/22/vulnerability-details-reflected-cross-site-scripting-xss-vulnerability-in-2kb-amazon-affiliates-store/
The changelog entry for version 2.1.1 of the plugin 2kb Amazon Affiliates Store is “Security fix, thanks to Ricardo”. In looking over the changes made in that version we found it was a reflected cross-site scripting (XSS) vulnerability that was fixed. (After we finished up writing this post a report was released from the discoverer of the vulnerability, but it is inaccurate

Vulnerability Details: PHP Object Injection Vulnerability in Invite Anyone

https://www.pluginvulnerabilities.com/2017/09/21/vulnerability-details-php-object-injection-vulnerability-in-invite-anyone/
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. Since June we have been doing proactive monitoring of changes made to plugins to try to

Arbitrary File Upload Vulnerability in All Post Contact Form

https://www.pluginvulnerabilities.com/2017/09/20/arbitrary-file-upload-vulnerability-in-all-post-contact-form/
Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found an arbitrary file upload vulnerability in the All Post Contact Form plugin. When the plugin’s shortcode, rlallpostcontactform, is on a post or page the file /allpost-contactform-core.php is included. In that file the following code is run:

Vulnerability Details: Media Editing Vulnerability in MediaPress

https://www.pluginvulnerabilities.com/2017/09/19/vulnerability-details-media-editing-vulnerability-in-mediapress/
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. We sometimes see people complaining that the information needed to exploit a WordPress plugin

Authenticated Information Disclosure Vulnerability in Share Drafts Publicly

https://www.pluginvulnerabilities.com/2017/09/19/authenticated-information-disclosure-vulnerability-in-share-drafts-publicly/
The changelog entry for version 1.1.4 of Share Drafts Publicly is “Added security enhancements.” In looking over that we found a change was made to fix a cross-site request forgery (CSRF) vulnerability that existed with AJAX functionality to share a draft of a post or page publicly. The exploitability of that is limited since an attacker that causes a draft to be

Authenticated PHP Object Injection Vulnerability in Post Pay Counter

https://www.pluginvulnerabilities.com/2017/09/18/authenticated-php-object-injection-vulnerability-in-post-pay-counter/
Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we have found some of those serious vulnerabilities, but we also have found less serious variants of some of those vulnerabilities. The latter is certainly the case with an authenticated PHP object injection vulnerability we found in the plugin Post Pay Counter. On the plugin’s Options page