Contributor: Paul Gilzow

Paul Gilzow

Programmer Analyst, University of Missouri
@gilzow
http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.

Blog: Vulnerable Plugins report for the week of September 13th, 2019

29 vulnerabilities this week, with 5 needing a fix (with some, possibly, on the way). The first 3 vulnerabilities in the list are confirmations of possible vulnerabilities from last week. Search Exclude returns as last week’s fix wasn’t sufficient, LMS / VLE plugin LifterLMS has a serious vulnerability, Slimstat analytics returns for the third time […]

Blog: Vulnerable Plugins report for the week of September 6th, 2019

26 vulnerabilities this week, with 7 needing a fix (with some, possibly, on the way). Formidable Forms appears for the fourth time in a month, so you may wish to look elsewhere. Landing Pages by SwiftCloud is still on the directory (but closed), but the latest commit has deleted everything for unknown security reasons. In […]

Blog: Vulnerable Plugins report for the week of August 30th, 2019

27 vulnerabilities this week, with 4 unfixed, but 1 being worked on. WooCommerce PayU India (PayUmoney – PayUbiz), Instamojo for WooCommerce and DW Mega Menu are all closed and show no sign of a fix – Ovic Addon Toolkit is closed, but is being worked on. It is an arbitrary file deletion vulnerability, so […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 23, 2019

Vulnerable Plugins There are eighteen issues this week, with two unfixed, and five where fixes have been committed but aren’t showing as available yet in the public repository.  The most critical this week are a Privilege Escalation vulnerability in WP Front End Profile (fix available), a CSV Injection vulnerability in Import Export WordPress Users (fix […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 16, 2019

Vulnerable Plugins There are eighteen issues this week, with eight unfixed.  The most critical this week is an Arbitrary File Upload vulnerability via Cross-Site Request Forgery vulnerability in the Maintenance plugin. No fix is available as of this publishing date, and the plugin has been closed in the public repository. View this week’s vulnerable plugins […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 9, 2019

Vulnerable Plugins There are eighteen issues this week, with three unfixed.  The most critical this week are Privilege Escalation vulnerabilities via Unauthenticated Option Update vulnerabilities in the Donations, Booking, Learning Courses, and Restaurant Reservations plugins (fixes available for all). View this week’s vulnerable plugins list. Other News I’m back! Huge thank you goes out to […]

Blog: Vulnerable Plugins report for the week of August 2nd, 2019

23 vulnerabilities this week, with 9 unfixed (some are commercial plugins where a change log isn’t easily available, some are dot org plugins that are being worked on – see the notes column for more). View this week’s vulnerable plugins list

Blog: Vulnerable Plugins report for the week of July 26th, 2019

27 vulnerabilities this week (which means so far in July we’ve had 105 issues), with 4 unfixed. It’s a bad week for cache plugins, with WP Super Cache, WP Fastest Cache and Breeze all having fixes. View this week’s vulnerable plugins list The WPCampus 2019 conference is currently happening! Check out the schedule for lots of […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 12, 2019

Vulnerable Plugins There are twenty-nine issues this week, with only one unfixed.  The most critical this week are an Authenticated (low-privileged user) Arbitrary Options Update vulnerability in the One Click SSL plugin (fix available) and in the WPTF Hybrid Composer plugin (fix available), and multiple critical issues in the File Manager (by mndpsingh287) plugin […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 5, 2019

Vulnerable Plugins There are twenty-four issues this week, with five unfixed.  The most critical this week is an unfixed Authenticated Arbitrary File Upload vulnerability with the MapsSVG Lite plugin and an unfixed Authenticated Remote Code Execution vulnerability in the Newsletter plugin. Both plugins have been closed in the public plugin repository. In addition, there […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 28, 2019

Vulnerable Plugins There are thirty-four issues this week, with four unfixed.  The most critical this week is an unfixed Arbitrary Password Reset vulnerability with the Ultimate Members plugin.  Since this is a premium plugin, I do not have access to the source to verify.  According to the disclosure, the vendor has stated the fix […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 21, 2019

Vulnerable Plugins There are twenty issues this week, with three unfixed.  The most critical this week are an Arbitrary Settings Update vulnerability in Real Estate Manager (unfixed), a Cross-Site Request Forgery vulnerability that can lead to an Arbitrary File Upload in LionScripts: IP Blocker Lite (fix available), and a Cross-Site Request Forgery vulnerability that can […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 14, 2019

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week are two Arbitrary File Upload vulnerabilities in Finale WooCommerce Sale Countdown (fix available) and in LionScripts IP Blocker Lite (unfixed, remove immediately) plugins, an Authenticated Arbitrary File Upload vulnerability in Shipping Servientrega Woocommerce (unfixed, remove immediately), and an Authenticated […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 31, 2019

Vulnerable Plugins There are sixteen issues this week, with two unfixed.  The most critical this week are a privilege escalation issue in Slick Popups and an Unauthenticated Administrator Creation vulnerability in Convert Plus. Both issues were discovered by WordFence/Defiant. View this week’s vulnerable plugins list.

Blog: Vulnerable WordPress Plugins Report for the Week of May 24, 2019

Vulnerable Plugins There are fifteen issues this week, with five unfixed.  The most critical this week is in WPGraphQL, which includes: create administrative users; post comments on articles bypassing article restrictions and global moderation; retrieve content of password-protected posts/articles/pages; retrieve full list of registered users in the platform; retrieve full list of media, comments, themes […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 17, 2019

Vulnerable Plugins There are nineteen issues this week, with five unfixed.  The most critical this week are the Sensitive Information Disclosure, Arbitrary File Deletion, and multiple Cross-Site Scripting vulnerabilities in Ultimate Member discovered by Sucuri earlier this week. There was also a Local File Inclusion vulnerability disclosed in Photo Gallery by 10Web that does not […]

Blog: Vulnerable WordPress Plugins Report for the Week of April 26, 2019

Vulnerable Plugins There are nine issues this week, with five unfixed.  The two most critical are an Arbitrary File Upload vulnerability in the WooCommerce Checkout Manager plugin (closed in the public repository) and an Authenticated Arbitrary Options Update in the Free Adwords Campaigner plugin (also closed in the public repository). You should remove both plugins immediately until […]

Session: An introduction to information security and why you should care

By 2017, 7 billion sets of credentials had been leaked. Through 2018 and now into 2019, we’re nearing 9 billion sets. Everyone, regardless of their job or role, is affected. Those of us in Higher Education are at a distinct risk because we’re of particular interest due to the number of high-valued assets we possess. …

Session: Composing continuously

When you have a handful of sites, updating plugins and core from the Web GUI, and managing your theme in Git works. But what happens when you have dozens if not hundreds of sites? How do you manage changes in an efficient, standard fashion that minimizes downtime? Enter Composer, a package manager for PHP that…

Blog: Vulnerable WordPress Plugins Report for the Week of April 5, 2019

Vulnerable Plugins There are twenty-two items on the list this week, with six unfixed. The issue with the most visibility this week by far was the controversy surrounding the Pipdig Power Pack (P3) plugin.  If you’re not familiar with what happened, I would suggest reading the write-up by WordFence and an extremely thorough write-up by […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 29, 2019

Vulnerable Plugins There are seventeen items on the list this week, with twelve unfixed. View this week’s vulnerable plugins list. Other Security News PuTTY released version 0.71 which addresses multiple security issues. PuTTY is often bundled with other software packages on Windows, so if you work on a Windows machine, double-check your PuTTY client version […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 22, 2019

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Unauthenticated Arbitrary wp_options import vulnerability in Easy WP SMTP, and the Unauthenticated SQL Injection vulnerability in Better Search both of which have been fixed in their most recent updates. View this week’s vulnerable plugins […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 15, 2019

Vulnerable Plugins There are eleven items on the list this week, with three unfixed. The most critical this week are the Sensitive Information Disclosure/Authenticated Arbitrary File Read vulnerability in Caldera Forms Pro, and the Privilege Escalation vulnerability in SiteGround Optimizer. Both issues were discovered by Sucuri. View this week’s vulnerable plugins list. Other WordPress Security […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 8, 2019

Vulnerable Plugins There are twenty items on the list this week, with the vast majority of them related to the Freemius framework disclosure that happened last week.  WPVulnDB also has a list of plugins that use Freemius that have been updated. There are three additional plugins in this week’s list that were updated for security […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of February 22 through March 1, 2019

Vulnerable Plugins Seventeen disclosures since last week, with four issues unfixed. View this week’s vulnerable plugins list. We’re likely to see many more plugins updated over the next week as Freemius, a freemium framework used in thousands of plugins and themes, recently patched an authenticated options update vulnerability. They attempted to give developers some time […]

Blog: Vulnerable WordPress Plugins Report for the Week of February 1, 2019

Vulnerable Plugins Twelve disclosures since last week, with four issues unfixed. The most serious is an Arbitrary File Upload vulnerability in the plugin Slider by 10Web. It appears that the developer is trying to fix the issue, but as of right now (2:00PM CST) it remains unavailable in the public repository. You are encouraged to […]

Blog: Vulnerable WordPress Plugins Report for the Week of January 25, 2019

Vulnerable Plugins Three disclosures since last week, with all issues fixed. However, right as I was writing this post, WordFence released a post detailing multiple vulnerabilities in the plugin Total Donations that can lead to a complete site take-over. The plugin appears to be abandoned so there is a high chance it will not be […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 14, 2018

Vulnerable Plugins Thirteen disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress Security News Version 5.0.1 was released earlier this week and corrects seven issues. If you have not upgraded to version 5.0 yet, fixes for all versions back to 3.7 are available. Other Security News As a […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 7, 2018

Vulnerable Plugins Fifteen disclosures since last week, with zero issues unfixed. View this week’s vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2 and earlier has a potential remote code execution vulnerability; Toolset Type for versions 2.3.3 and earlier has a privilege escalation vulnerability; WooCommerce for versions 3.4.5 […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 9, 2018

Vulnerable Plugins Eleven disclosures since last week, with three issues unfixed, one unknown. View this week’s vulnerable plugins list. Far and away the most serious issue this last week was a combined set of vulnerabilities in the WP GDPR Compliance plugin that could allow attackers to add themselves to a site as an administrator and/or install […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of October 6 through October 19, 2018

Vulnerable Plugins There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is related to the recently disclosed vulnerability in the Blueimp jQuery File Upload Plugin package. However, there are fewer than 10 sites with csv2wpec-coupon, so it’s unlikely […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 5, 2018

Vulnerable Plugins Seven disclosures since last week, with four issues unfixed. View this week’s vulnerable plugins list. Other WordPress News Earlier this week, the WordPress core team announced the release date for WordPress version 5.0: November 19, 2018. This means the 4.9.9 release has been shelved unless the core team is unable to release 5.0 before the […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 28, 2018

Vulnerable Plugins Eight disclosures since last week, with two issues unfixed, and two unknown. View this week’s vulnerable plugins list. Other WordPress Security News There were several reports this week that the United Nations’ WordPress site was leaking “thousands or resumes” (The Register has since updated their story after I contacted them). As it turns out, […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 21, 2018

Vulnerable Plugins Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week’s vulnerable plugins list. Other Security News Specifics of the Remote Code Execution vulnerability in Moodle were disclosed earlier this week. The disclosure includes Proof-of-Concept code so […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 31, 2018

Vulnerable Plugins Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week’s vulnerable plugins list. Other Security News Joomla! released version 3.8.12 which addressed three security issues: a potential file upload vulnerability, a stored cross-site scripting vulnerability, and an ACL Violation in custom […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 24, 2018

Vulnerable Plugins Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week’s vulnerable plugins list. Other Security News phpMyAdmin released a patch earlier this week that addresses an authenticated, stored cross-site scripting issue.  Similarly, the Apache Foundation released a critical patch earlier […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of July 27 through August 10, 2018

Vulnerable Plugins Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been patched with version 2.0.23. View this week’s vulnerable plugins list. An Unauthenticated Arbitrary File Upload is a critical vulnerability, so you should update this plugin […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 26, 2018

Vulnerable Plugins Four disclosures since last week, with one issue unfixed, one unsure but assumed unfixed. View this week’s vulnerable plugins list. Yes, I know it’s not Friday, but I’ll be out of town tomorrow and wanted to go ahead and get the report out. I’ll also be out of town next Friday as well […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of July 9 through July 20, 2018

Vulnerable Plugins Eight disclosures over the last two weeks, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed. You should remove the plugin as soon as possible until the issue has been resolved. View this week’s vulnerable plugins list. Other WordPress News The […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of June 22 through July 8, 2018

Vulnerable Plugins Ten disclosures over the last two weeks, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress Security News The big news last week and into this week was the disclosure of an unpatched arbitrary file deletion vulnerability in WordPress core.  Luckily, the vulnerability required a user to have the ability to […]

Blog: PSA: Arbitrary File Deletion vulnerability in all current versions of WordPress

Update 20180705: version 4.9.7 has been released and addresses the issue below. RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress. The vulnerability requires a role of Author or greater in order to exploit. The exploit allows an authenticated user to delete any file on the server that […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 22, 2018

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other Security News Including this one only because I never imagined someone being held at gunpoint to steal a domain name: Sherman Hopkins, Jr., 43, from Cedar Rapids, Iowa, broke into the victim’s house, held the victim at […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 15, 2018

Vulnerable Plugins Ten disclosures since last week, with two issues unfixed. View this week’s vulnerable plugins list. Other Security Came across a fun little security testing playground.  It allows you to spin up multiple vulnerable applications to practice security concepts and exploits and provides first-hand experience.  Each one has an explanation of the vulnerabilities in the […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 7, 2018

Vulnerable Plugins Seventeen disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress Security Defiant released a whitepaper earlier this week covering a new WordPress malware they’ve been tracking and have dubbed “BabaYaga”. Ryan Dewhurst (@ethicalhack3r and contributor to WPScan) released a report covering how many sites of the […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 1, 2018

Vulnerable Plugins Ten disclosures since last week, with five issues unfixed. View this week’s vulnerable plugins list. Other Security News As I mentioned last week, a new malware, dubbed VPNFilter, was discovered to be targeting home/SOHO network devices.  The FBI has released an advisory recommending all owners of routers (which is just about everyone with […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 25, 2018

Vulnerable Plugins Six disclosures since last week, with three issues still unfixed. View this week’s vulnerable plugins list. WordPress Security News WordFence released an interesting report on Tuesday that showcased an attack whereby hackers used compromised WordPress.com sites to install backdoor plugins on self-hosted WordPress sites via Jetpack’s remote management capabilities.  If you use a […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 18, 2018

Vulnerable Plugins Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has fixed the issue. View this week’s vulnerable plugins list. Other WordPress News Version 4.9.6 of WordPress was released yesterday.  While many (myself included) assumed this was […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 11, 2018

Vulnerable Plugins Three disclosures since last week, with all three issues unfixed.  WP Google Drive has not been updated in six years and should be replaced, if you haven’t already. View this week’s vulnerable plugins list. Other WordPress News The release candidate for version 4.9.6 is now available.  The tentative official release date has been moved […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 4, 2018

Vulnerable Plugins Two disclosures since last week, with zero issues unfixed. View this week’s vulnerable plugins list. Other WordPress News Version 4.9.6 is now in beta, with a tentative official release date of May 15th.  4.9.6 contains 10 bug fixes, and 34 features/enhancements, most of which revolve around privacy and personal data tools to assist […]

Blog: Vulnerable WordPress Plugins Report for the Week of April 27, 2018

Vulnerable Plugins Twelve disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other Security News Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier; TP-Link Router TLWR740N Remote Code Execution vulnerability disclosed; Unvalidated Redirect in Shibboleth component of Blackboard Learn

Session: The what and why of WordPress security

I’m sure you’ve read at least one “Guide to WordPress Security” or “Top Ten Tips to Keep Your WordPress Site Safe” article. Maybe you even implemented a few, or all, of the suggestions.  But did you understand why certain items were suggested, or what exactly they accomplished?  In this session we will discuss the most common…

Blog: Vulnerable WordPress Plugins Report for the Week of April 13, 2018

Vulnerable Plugins Nine disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues pop up that required my attention and didn’t leave me with enough time to complete the report on Friday.  Speaking of which, my responsibilities at […]

Blog: Vulnerable WordPress Plugins Report for the Week of April 6, 2018

Vulnerable Plugins Three disclosures since last week, with one issue unfixed. View this week’s vulnerable plugins list. Other WordPress News As previously mentioned, v4.9.5 was released on April 3rd.  While it was originally announced as a maintenance release, it does contain three security fixes.  If you haven’t already, you should get the 4.9.5 update into […]

Session: Access Denied: Keeping Yourself off an Attacker’s Radar

Google’s recent Transparency Report shows that nearly half a million websites are now hosting malware, an increase of 160 percent from this time last year. Higher education websites are particularly attractive to attackers, offering access to large amounts of bandwidth and broad network space. In this session, we’ll explore how attackers find vulnerable WordPress sites…

Blog: Vulnerable WordPress Plugins Report for the Week of March 30, 2018

Vulnerable Plugins Seven disclosures since last week, with one issue unfixed. View this week’s vulnerable plugins list. Other WordPress News As noted last week, WordPress version 4.9.5 is scheduled for release on April 3rd. Originally, it was to include administrative dashboard call-outs to try-out Gutenberg, but those have now been removed: the Try Gutenberg callout will ultimately not land […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 23, 2018

Vulnerable Plugins Three disclosures since last week, with two issues unfixed. View this week’s vulnerable plugins list. Other WordPress News Version 4.9.5 of WordPress is now in beta and has been scheduled for release on April 3rd. While 4.9.5 will be a maintenance release, it will interestingly include administrative dashboard call-outs to try-out Gutenberg (h/t […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 16, 2018

Vulnerable Plugins Thirteen disclosures since last week, with four issues unfixed. View this week’s vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this week’s list: Duplicator – WordPress Migration Plugin, WP Job Manager (both have updates available), Limit Login Attempts Reloaded, and Limit Login Attempts (no updates available).  Make sure […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 9, 2018

Vulnerable Plugins Five disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week’s list: iThemes Security, and WP All Import.  Make sure to get these updates into your change management cycle as soon as possible.

Blog: Vulnerable WordPress Plugins Report for the Week of March 2, 2018

Vulnerable Plugins Seven disclosures since last week, with only one issue unfixed. View this week’s vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week’s list: MainWP-Child, and WP Fastest Cache.  Make sure to get these updates into your change management cycle as soon as possible. Other Security News […]

Blog: Vulnerable WordPress Plugins Report for the Week of February 23, 2018

Vulnerable Plugins Nine disclosures since last week, with all issues fixed! View this week’s vulnerable plugins list. Please note there are a few fairly popular plugins in this week’s list: MailChimp for WordPress, WooCommerce, and Ninja Forms.  Make sure to get these updates into your change management cycle as soon as possible.

Blog: Version 4.9.3, Version 4.9.4 and the Denial of Service Vulnerability

As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through Tuesday morning around 10am (CST). It seems there was a severe bug in 4.9.3 that caused the auto update feature to break in some sites […]

Blog: Vulnerable WordPress Plugins Report for the Week of February 2, 2018

Vulnerable Plugins Seven disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress News WordPress core announced on Tuesday version 4.9.3 will be delayed until Monday, February 5th.  So now you know what you’re doing on Monday. 😉 Other Security News Also on Tuesday, Cisco disclosed a vulnerability in the […]

Blog: Vulnerable WordPress Plugins Report for the Week of January 26, 2018

Vulnerable Plugins Eighteen disclosures since last week, with five issues unfixed. Plus two disclosures (Ninja Popups) that I missed last week. View this week’s vulnerable plugins list. WPCampus Online Don’t forget: the WPCampus Online conference is this Tuesday, January 30 starting at 9:00 A.M. CST.

Blog: Vulnerable WordPress Plugins Report for the Week of January 12, 2018

Vulnerable Plugins Six disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. WordPress Security News Version 4.9.2 was released on Tuesday. It is a security and maintenance release and addresses a Cross-Site Scripting vulnerability and 21 other bugs.  If you do not have auto-updates enabled, definitely get the update into […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of December 29, 2017 and January 5, 2018

Vulnerable Plugins Ten disclosures over the last two weeks, with four issues unfixed. View this week’s vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately, vulnerabilities and disclosures did not rest. Two critical situations were disclosed during that time: an Unauthenticated Arbitrary File Upload discovered in the LearnDash LMS plugin by […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 22, 2017

Vulnerable Plugins Twenty-six disclosures this week, with ten issues unfixed. View this week’s vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha (300K installs) contained backdoor code.  In looking through the repository, it appears the code was introduced in v4.3.6 of the plugin.  Version 4.4.5 was released earlier […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 15, 2017

Vulnerable Plugins Seven disclosures this week, with five issues unfixed. View this week’s vulnerable plugins list. Other Security News I’ve discussed the DorkBot service from UT Austin a couple of times now. I recently had the pleasure to chat with Andrew Scheifele (who had a hand in the DorkBot project) about how the service has […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of November 24 and December 1, 2017

Vulnerable Plugins Fifteen disclosures over the last two weeks, with eleven issues unfixed. View this week’s vulnerable plugins list. I hope everyone in the States had a great Thanksgiving last week. Many of you this week, hopefully, are attending WordCamp US in beautiful Nashville. If you are, please be sure to say “hello” to our colleagues […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 17, 2017

Vulnerable Plugins Twenty-two disclosures this week, with ten issues unfixed. View this week’s vulnerable plugins list. The critical updates you should be aware of from this week’s list are in Formidable Forms, discovered by Klikki Oy, and in WP Support Plus Responsive Ticket System, discovered by Robert Mathews. If you are using either of these plugins, please make […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 10, 2017

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated Weather Widget plugin reported by WordFence.  While the plugin itself did not contain a vulnerability, the plugin generated an iframe that contained content from weatherfor.us […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 3, 2017

Vulnerable Plugins Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week’s vulnerable plugins list. The largest disclosure this week was definitely the SQL Injection vulnerability patched in v4.8.3 of core. The patch even got its own haiku (courtesy of pagely.com): WordPress Halloween. We […]

Blog: Please Update to WordPress v4.8.3 Immediately

Version 4.8.3 was just released moments ago. It addresses a SQL Injection issue discovered by Anthony Ferrara. IMPORTANT: I will be disclosing a massive WP SQLi vulnerability soon. I have no confidence WP will fix correctly and hence no choice but FD — Anthony Ferrara (@ircmaxell) October 26, 2017 Confirmation from Anthony: Yes. I will […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 27, 2017

Vulnerable Plugins Nine disclosures this week, with five issues unfixed. View this week’s vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 6, 2017

Vulnerable Plugins Fourteen disclosures this week, with six issues unfixed, with three of those critical. View this week’s vulnerable plugins list. The big news this last week, at least in terms of coverage, was the disclosure by Wordfence of three plugins vulnerable to Object Injection vulnerabilities.  Luckily, all three plugins have been fixed with updates […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 29, 2017

Vulnerable Plugins Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week’s vulnerable plugins list. As a point of clarification, since there seems to be some confusion: I am not the discoverer of the vulnerabilities listed in the spreadsheet.  There is a column labeled […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 22, 2017

Vulnerable Plugins Fourteen disclosures this week, with five issues unfixed, and one that is critical. View this week’s vulnerable plugins list. The critical disclosure this week is an Arbitrary File Upload vulnerability in the plugin All Post Contact Form.  It appears that the plugin doesn’t do any checking on the file type that is being […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 15, 2017

Vulnerable Plugins Eight disclosures this week, with two issues unfixed, and two where I’m not sure. View this week’s vulnerable plugins list. The two I’m unsure of this week are with iTheme’s Backupbuddy plugin.  Backupbuddy is a paid plugin, so I do not have access to the source files.  The last changelog mention I can […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 8, 2017

Vulnerable Plugins Seventeen disclosures this week, with eight issues unfixed. View this week’s vulnerable plugins list. Other Security News The big disclosure this week was the breach at Equifax. If you haven’t heard about it yet, I strongly recommend you read the write-up by Brian Krebs over at krebsonsecurity.com. The TL;DR is Equifax, one […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 1, 2017

Vulnerable Plugins Ten disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where researchers from SiteLock discovered an unauthenticated, reflected Cross-Site Scripting vulnerability.  Automattic was quick to patch the vulnerability and promptly released version 2.0.40. Also disclosed this […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 25, 2017

Vulnerable Plugins/Themes Seven disclosures this week, with zero issues unfixed. YAY! View this week’s vulnerable plugin list. This week, let’s look at the Authenticated, Unauthorized Information Disclosure vulnerability in version 1.1.0 of the Advanced Contact Form 7 DB plugin, as you may be asking how there can be a problem if someone is already authenticated. Authentication […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 18, 2017

Vulnerable Plugins/Themes Eleven disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. I’m going to highlight a couple from this week. The first is the discovery by researcher Lenon Leite of a SQL Injection vulnerability in the plugin Link Library. Just like with last week’s SQL Injection examples, this vulnerability requires an authenticated user […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 11, 2017

Vulnerable Plugins/Themes Eleven disclosures this week, with two issues unfixed. View this week’s vulnerable plugin list. We have one theme joining the list this week: GamePlan – Event and Gym Fitness by cactusthemes.com.  I mention it specifically because while I doubt most of us are using a gym-based theme (though possibly for a student rec […]

Blog: Vulnerable WordPress Plugins Report for the week of August 4, 2017

Vulnerable Plugins Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week; I intended to include it but forgot. I want to bring attention to it because it highlights how vulnerabilities can be, and often are, stacked. Wordfence recently wrote about how attackers […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 28, 2017

Vulnerable Plugins It was a busy week while I was away. Twenty disclosures, with eleven issues unfixed. Concerning both Formcraft Form Builder and Ultimate Affiliate Pro, since they are paid plugins, I do not have access to the source code in order to verify the disclosures. In addition, I’m assuming the vulnerabilities still […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 13, 2017

Nope, today is not Friday (sorry). I’m going to be out of town tomorrow, so I’m doing this week’s report a day early. I’ll also be out next week; as such, there will be no report next week on the 21st. If there are numerous disclosures while I’m out, I’ll do a report shortly after I […]

Blog: Vulnerable WordPress Plugins Report for the week of July 7, 2017

Vulnerable Plugins Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That’s the fewest number of disclosures in a week since I started doing this report.  You’ll notice WP Statistics made a repeat appearance after being on last week’s report for a SQL Injection vulnerability.  This week’s appearance is due to an Authenticated […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 30, 2017

Vulnerable Plugins Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft which contains two unfixed SQL Injection vulnerabilities.  The packetstorm post mentions the vulnerability being in “FormCraft Basic” but that the plugin directory for google dorking is “formcraft”. The version in the public repository definitely contains the vulnerability, […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 23, 2017

Vulnerable Plugins This week’s list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities.  Unfortunately, one of them is a repeat offender: Photo Gallery by WD, which made an appearance in the May 5, 2017 report for a SQL Injection vulnerability.  This time around, […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 16, 2017

Introduction The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I’ve historically created these weekly vulnerable plugin reports for the WordPress admins at the University of Missouri campus as a way to help them identify plugins and themes that need to be updated quickly. I began […]

Podcast: Access Denied - WordPress Security

Whenever you talk about WordPress, someone brings up WordPress security. Your boss is going to bring it up, your clients are going to bring it up, and there’s a decent chance you’ve had at least one night’s sleep ruined thinking about it. It’s one of those things that makes you feel paranoid: Am I doing […]