Not Really a WordPress Plugin Vulnerability – Week of June 23, 2017

https://www.pluginvulnerabilities.com/2017/06/23/not-really-a-wordpress-plugin-vulnerability-week-of-june-23-2017/
In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular are items that are

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Tracker

https://www.pluginvulnerabilities.com/2017/06/23/vulnerability-details-reflected-cross-site-scripting-xss-vulnerability-in-analytics-tracker/
From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. The changelog entry for version 1.1.1 of the plugin Analytics Tracker is “Fixed XSS vulnerability on search

Reflected Cross-Site Scripting (XSS) Vulnerability in Product Catalog

https://www.pluginvulnerabilities.com/2017/06/22/reflected-cross-site-scripting-xss-vulnerability-in-product-catalog/
We recently have been trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. In doing one of the preliminary checks we immediately came across a reflected cross-site scripting (XSS) vulnerability that exists in the plugin Product Catalog that has existed

Reflected Cross-Site Scripting (XSS) Vulnerability in uCare

https://www.pluginvulnerabilities.com/2017/06/22/reflected-cross-site-scripting-xss-vulnerability-in-ucare/
We recently have been trying to get an idea of how effective it would be to try to proactively catch some vulnerabilities when changes are made to WordPress plugins that include those vulnerabilities. During that preliminary checking we found that the plugin uCare contains a reflected cross-site scripting (XSS) vulnerability. The vulnerability is an example of where one of the things we

Newspaper Theme 6.4–6.7.1 – Privilege Escalation

https://wpvulndb.com/vulnerabilities/8852

All-in-One WP Migration <= 6.45 – Reflected Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/8851

New in Wordfence 6.3.11: Abandoned and Removed Plugin Alerts

https://www.wordfence.com/blog/2017/06/abandoned-removed-plugin-alerts/
This entry was posted in Wordfence, WordPress Security on June 20, 2017 by Dan Moen. On Thursday of last week, we released Wordfence 6.3.11 which included a really exciting new feature: we are now alerting you if you are running a plugin that either appears to be abandoned or has been removed from the WordPress.org plugin directory.

Making Changes to Fix Claimed Vulnerabilities in WordPress Plugins Can Have a Negative Impact

https://www.pluginvulnerabilities.com/2017/06/19/making-changes-to-fix-claimed-vulnerabilities-in-wordpress-plugins-can-have-a-negative-impact/
Fairly regularly we have found that reports of vulnerabilities in WordPress plugins turn out to be false. That doesn’t always stop developers from making changes to fix them as if they really existed (at the same time, developers often don’t fix real vulnerabilities). In many cases the change improves the plugin even though it doesn’t fix a vulnerability, but what

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Multi Feed Reader

https://www.pluginvulnerabilities.com/2017/06/19/cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-multi-feed-reader/
Recently a report was released claiming that a SQL injection vulnerability had been fixed in the latest version of the plugin Multi Feed Reader. In checking into that we found that while the change made in that version improved security, it looked like there may not have actually been a vulnerability in the code before. While looking into that report we

WordPress Download Manager <= 2.9.51 – Authenticated Reflected Cross-Site Scripting (XSS)

https://wpvulndb.com/vulnerabilities/8850