WP Security Bloggers
http://www.wpsecuritybloggers.com
The Number One Source for WordPress Security News and Updates
Sun, 25 Jun 2017 18:20:34 +0000

Not Really a WordPress Plugin Vulnerability – Week of June 23, 2017
https://www.pluginvulnerabilities.com/2017/06/23/not-really-a-wordpress-plugin-vulnerability-week-of-june-23-2017/
Fri, 23 Jun 2017 22:35:22 +0000

In reviewing reports of vulnerabilities in WordPress plugins we often find that there are reports for things that don’t appear to be vulnerabilities. For the more problematic reports we have been releasing posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular are items that are

Vulnerability Details: Reflected Cross-Site Scripting (XSS) Vulnerability in Analytics Tracker
https://www.pluginvulnerabilities.com/2017/06/23/vulnerability-details-reflected-cross-site-scripting-xss-vulnerability-in-analytics-tracker/
Fri, 23 Jun 2017 18:23:08 +0000

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on the vulnerability and we will put out a post detailing the vulnerability so that we can provide our customers with more complete information on the vulnerability.

The changelog entry for version 1.1.1 of the plugin Analytics Tracker is “Fixed XSS vulnerability on search

Reflected Cross-Site Scripting (XSS) Vulnerability in Product Catalog
https://www.pluginvulnerabilities.com/2017/06/22/reflected-cross-site-scripting-xss-vulnerability-in-product-catalog/
Thu, 22 Jun 2017 16:14:57 +0000

We recently have been trying to get an idea of how effective it would be to proactively catch vulnerabilities at the time the changes that introduce them are made to WordPress plugins. In doing one of the preliminary checks we immediately came across a reflected cross-site scripting (XSS) vulnerability that exists in the plugin Product Catalog that has existed

Reflected Cross-Site Scripting (XSS) Vulnerability in uCare
https://www.pluginvulnerabilities.com/2017/06/22/reflected-cross-site-scripting-xss-vulnerability-in-ucare/
Thu, 22 Jun 2017 16:04:27 +0000

We recently have been trying to get an idea of how effective it would be to proactively catch vulnerabilities at the time the changes that introduce them are made to WordPress plugins. During that preliminary checking we found that the plugin uCare contains a reflected cross-site scripting (XSS) vulnerability.

The vulnerability is an example of where one of the things we

Newspaper Theme 6.4–6.7.1 – Privilege Escalation
https://wpvulndb.com/vulnerabilities/8852
Thu, 22 Jun 2017 07:46:37 +0000

All-in-One WP Migration <= 6.45 – Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8851
Wed, 21 Jun 2017 08:01:09 +0000

New in Wordfence 6.3.11: Abandoned and Removed Plugin Alerts
https://www.wordfence.com/blog/2017/06/abandoned-removed-plugin-alerts/
Tue, 20 Jun 2017 15:52:20 +0000

This entry was posted in Wordfence, WordPress Security on June 20, 2017 by Dan Moen

On Thursday of last week, we released Wordfence 6.3.11 which included a really exciting new feature: we are now alerting you if you are running a plugin that either appears to be abandoned or has been removed from the WordPress.org plugin directory.

Making Changes to Fix Claimed Vulnerabilities in WordPress Plugins Can Have a Negative Impact
https://www.pluginvulnerabilities.com/2017/06/19/making-changes-to-fix-claimed-vulnerabilities-in-wordpress-plugins-can-have-a-negative-impact/
Mon, 19 Jun 2017 22:33:51 +0000

Fairly regularly we have found that reports of vulnerabilities in WordPress plugins turn out to be false. That doesn’t always stop developers from making changes to fix them as if they really existed (at the same time, developers often don’t fix real vulnerabilities). In many cases the change improves the plugin as the change doesn’t fix a vulnerability, but what

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Multi Feed Reader
https://www.pluginvulnerabilities.com/2017/06/19/cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-multi-feed-reader/
Mon, 19 Jun 2017 15:32:11 +0000

Recently a report was released claiming that a SQL injection vulnerability had been fixed in the latest version of the plugin Multi Feed Reader. In checking into that we found that while the change made in that version improved security, it looked like there may not have actually been a vulnerability in the code before. While looking into that report we

WordPress Download Manager <= 2.9.51 – Authenticated Reflected Cross-Site Scripting (XSS)
https://wpvulndb.com/vulnerabilities/8850
Mon, 19 Jun 2017 09:17:28 +0000