Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the results for other plugins) and

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that we were tracing back the code that would be involved in that and at first we couldn’t figure out how part of it would work. Then we figured that out and noticed that there is also an authenticated local

Authenticated Arbitrary File Upload Vulnerability in Vmax Project Manager

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that lead to that was the plugin Vmax Project Manager. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities, due to the possibility of

Arbitrary File Upload Vulnerability in Wallable

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that lead to that post was the plugin Wallable. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. The possible vulnerability that had been

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Simple Events Calendar

While looking in to what turned out be a false report of a vulnerability in the plugin Simple Events Calendar, we noticed there is a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin. When the plugin’s admin page is requested, the function that generates that page checks if a new event has been submitted with the request using the

Our Plugin Security Checker Can Now Check WordPress Plugins Not in the Plugin Directory

We are currently waiting on several plugins to have security issues identified in part based on the results of our recently introduced tool for doing limited automated security checks of WordPress plugins to be fixed to be able to discuss real world examples of how the tool can be play a useful role in checking on the security of plugins. One

WordPress Plugin Security Review: Nav Menu Roles

For our fifteenth security review of a WordPress plugin based on the voting of our customers, we reviewed the plugin Nav Menu Roles. If you are not yet a customer of the service you can currently sign up for the service for half off and then start suggesting and voting on plugins to get security reviews. For those already using the service that haven’t already

Wordfence’s Idea of Keeping “site owners safe from exploitation” Actually Puts Them At Risk

When it comes to improving the poor state of security, what can be seen over and over is that the focus needs to be on the basics. Take for instance the widely covered breach of Equifax, which was a situation where simply keeping their software up to date would have prevented the breach from happening. But the security industry isn’t

The Developers of WordPress Security Plugins Should Be Setting the Example of Good Security Practices

Recently someone left a negative review of the companion plugin for our service, which seemed more like it was just someone looking to bash us than a legitimate review of the plugin (based on another review of theirs they are a paying customer of Wordfence, which explains a lot). The reviewer didn’t even seem to be all that aware of

Vulnerability Details: Information Disclosure Vulnerability in ProfileGrid

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability. Last week we discussed that checking for usage of outdated third-party libraries is difficult when