Contributor: Paul Gilzow

Paul Gilzow

Programmer Analyst, University of Missouri | @gilzow | http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.

Blog: Vulnerable WordPress Plugins Report for the Week of December 7, 2018

Vulnerable Plugins: Fifteen disclosures since last week, with zero issues unfixed. View this week’s vulnerable plugins list. Four issues are critical and should be updated immediately: Redirection for versions 3.6.2 and earlier has a potential remote code execution vulnerability; Toolset Type for versions 2.3.3 and earlier has a privilege escalation vulnerability; WooCommerce for versions 3.4.5 […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 9, 2018

Vulnerable Plugins: Eleven disclosures since last week, with three issues unfixed, one unknown. View this week’s vulnerable plugins list. Far and away the most serious issue this last week was a combined set of vulnerabilities in the WP GDPR Compliance plugin that could allow attackers to add themselves to a site as an administrator and/or install […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of October 6 through October 19, 2018

Vulnerable Plugins: There were ten disclosures over the last two weeks, with three issues unfixed. The most serious is an arbitrary file upload vulnerability in the csv2wpec-coupon plugin, which is related to the recently disclosed vulnerability in the Blueimp JQuery File Upload Plugin package. However, there are fewer than 10 sites with the csv2wpec-coupon plugin, so it’s unlikely […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 5, 2018

Vulnerable Plugins: Seven disclosures since last week, with four issues unfixed. View this week’s vulnerable plugins list. Other WordPress News: Earlier this week, the WordPress core team announced the release date for WordPress version 5.0: November 19, 2018. This means the 4.9.9 release has been shelved unless the core team is unable to release 5.0 before the […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 28, 2018

Vulnerable Plugins: Eight disclosures since last week, with two issues unfixed, and two unknown. View this week’s vulnerable plugins list. Other WordPress Security News: There were several reports this week that the United Nations’ WordPress site was leaking “thousands or resumes” (The Register has since updated their story after I contacted them). As it turns out, […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 21, 2018

Vulnerable Plugins: Ten disclosures since last week, with four issues unfixed, the most serious being an Authenticated Arbitrary File Upload vulnerability in Advanced Contact form 7 DB. View this week’s vulnerable plugins list. Other Security News: Specifics of the Remote Code Execution vulnerability in Moodle were disclosed earlier this week. The disclosure includes Proof-of-Concept code so […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 31, 2018

Vulnerable Plugins: Nine disclosures since last week, with four issues unfixed. Additionally, Ninja Forms has released version 3.3.14 which addresses the CSV Injection vulnerability disclosed last week. View this week’s vulnerable plugins list. Other Security News: Joomla! released version 3.8.12 which addressed three security issues: a potential file upload vulnerability, a stored cross-site scripting vulnerability, and an ACL Violation in custom […]

Blog: Vulnerable WordPress Plugins Report for the Week of August 24, 2018

Vulnerable Plugins: Five disclosures since last week, with four issues unfixed, the most serious being an unfixed CSV Injection vulnerability in Ninja Forms. View this week’s vulnerable plugins list. Other Security News: phpMyAdmin released a patch earlier this week that addresses an authenticated, stored cross-site scripting issue. Similarly, the Apache Foundation released a critical patch earlier […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of July 27 through August 10, 2018

Vulnerable Plugins: Somehow (thankfully) there has been only one public disclosure over the last two weeks: an Unauthenticated Arbitrary File Upload vulnerability in the Ultimate Member plugin that has been patched with version 2.0.23. View this week’s vulnerable plugins list. An Unauthenticated Arbitrary File Upload is a critical vulnerability, so you should update this plugin […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 26, 2018

Vulnerable Plugins: Four disclosures since last week, with one issue unfixed, one unsure but assumed unfixed. View this week’s vulnerable plugins list. Yes, I know it’s not Friday, but I’ll be out of town tomorrow and wanted to go ahead and get the report out. I’ll also be out of town next Friday as well […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of July 9 through July 20, 2018

Vulnerable Plugins: Eight disclosures over the last two weeks, with five issues unfixed, one critical. An authenticated arbitrary file upload vulnerability has been identified in the MapSVGLite plugin that remains unfixed. You should remove the plugin as soon as possible until the issue has been resolved. View this week’s vulnerable plugins list. Other WordPress News: The […]

Video: The what and why of WordPress security

I’m sure you’ve read at least one “Guide to WordPress Security” or “Top Ten Tips to Keep Your WordPress Site Safe” article. Maybe you even implemented a few, or all, of the suggestions. But did you understand why certain items were suggested, or what exactly they accomplished? In this session we will discuss the most common […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of June 22 through July 8, 2018

Vulnerable Plugins: Ten disclosures over the last two weeks, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress Security News: The big news last week and into this week was the disclosure of an unpatched arbitrary file deletion vulnerability in WordPress core. Luckily, the vulnerability required a user to have the ability to […]

Blog: PSA: Arbitrary File Deletion vulnerability in all current versions of WordPress

Update 20180705: version 4.9.7 has been released and addresses the issue below. RipsTech (static analysis for PHP) yesterday disclosed an arbitrary file deletion vulnerability in all versions of WordPress. The vulnerability requires a role of Author or greater in order to exploit. The exploit allows an authenticated user to delete any file on the server that […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 22, 2018

Vulnerable Plugins: Six disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other Security News: Including this one only because I never imagined someone being held at gunpoint to steal a domain name: Sherman Hopkins, Jr., 43, from Cedar Rapids, Iowa, broke into the victim’s house, held the victim at […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 15, 2018

Vulnerable Plugins: Ten disclosures since last week, with two issues unfixed. View this week’s vulnerable plugins list. Other Security: Came across a fun little security testing playground. It allows you to spin up multiple vulnerable applications to practice security concepts and exploits and provides first-hand experience. Each one has an explanation of the vulnerabilities in the […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 7, 2018

Vulnerable Plugins: Seventeen disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress Security: Defiant released a whitepaper earlier this week covering a new WordPress malware they’ve been tracking and have dubbed “BabaYaga”. Ryan Dewhurst (@ethicalhack3r and contributor to WPScan) released a report covering how many sites of the […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 1, 2018

Vulnerable Plugins: Ten disclosures since last week, with five issues unfixed. View this week’s vulnerable plugins list. Other Security News: As I mentioned last week, a new malware, dubbed VPNFilter, was discovered to be targeting home/SOHO network devices. The FBI has released an advisory recommending all owners of routers (which is just about everyone with […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 25, 2018

Vulnerable Plugins: Six disclosures since last week, with three issues still unfixed. View this week’s vulnerable plugins list. WordPress Security News: WordFence released an interesting report on Tuesday that showcased an attack whereby hackers used compromised WordPress.com sites to install backdoor plugins on self-hosted WordPress sites via Jetpack’s remote management capabilities. If you use a […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 18, 2018

Vulnerable Plugins: Eleven disclosures since last week, with one critical unfixed. KingComposer has an Arbitrary File Upload vulnerability in its current version. You should remove the plugin until the author has fixed the issue. View this week’s vulnerable plugins list. Other WordPress News: Version 4.9.6 of WordPress was released yesterday. While many (myself included) assumed this was […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 11, 2018

Vulnerable Plugins: Three disclosures since last week, with all three issues unfixed. WP Google Drive has not been updated in six years and should be replaced, if you haven’t already. View this week’s vulnerable plugins list. Other WordPress News: The release candidate for version 4.9.6 is now available. The tentative official release date has been moved […]

Blog: Vulnerable WordPress Plugins Report for the Week of May 4, 2018

Vulnerable Plugins: Two disclosures since last week, with zero issues unfixed. View this week’s vulnerable plugins list. Other WordPress News: Version 4.9.6 is now in beta, with a tentative official release date of May 15th. 4.9.6 contains 10 bug fixes, and 34 features/enhancements, most of which revolve around privacy and personal data tools to assist […]

Blog: Vulnerable WordPress Plugins Report for the Week of April 27, 2018

Vulnerable Plugins: Twelve disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other Security News: Cross-Site Request Forgery vulnerability disclosed in phpMyAdmin 4.8.0 and earlier; TPLink Router TLWR740N Remote Code Execution vulnerability disclosed; Unvalidated Redirect in Shibboleth component of Blackboard Learn.

Blog: Vulnerable WordPress Plugins Report for the Week of April 13, 2018

Vulnerable Plugins: Nine disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Apologies for not getting this report out on Friday. I had other issues pop up that required my attention and didn’t leave me with enough time to complete the report on Friday. Speaking of which, my responsibilities at […]

Blog: Vulnerable WordPress Plugins Report for the Week of April 6, 2018

Vulnerable Plugins: Three disclosures since last week, with one issue unfixed. View this week’s vulnerable plugins list. Other WordPress News: As previously mentioned, v4.9.5 was released on April 3rd. While it was originally announced as a maintenance release, it does contain three security fixes. If you haven’t already, you should get the 4.9.5 update into […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 30, 2018

Vulnerable Plugins: Seven disclosures since last week, with one issue unfixed. View this week’s vulnerable plugins list. Other WordPress News: As noted last week, WordPress version 4.9.5 is scheduled for release on April 3rd. Originally, it was to include administrative dashboard call-outs to try out Gutenberg, but those have now been removed: the Try Gutenberg callout will ultimately not land […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 23, 2018

Vulnerable Plugins: Three disclosures since last week, with two issues unfixed. View this week’s vulnerable plugins list. Other WordPress News: Version 4.9.5 of WordPress is now in beta and has been scheduled for release on April 3rd. While 4.9.5 will be a maintenance release, it will interestingly include administrative dashboard call-outs to try out Gutenberg (h/t […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 16, 2018

Vulnerable Plugins: Thirteen disclosures since last week, with four issues unfixed. View this week’s vulnerable plugins list. As with previous weeks, there are a few fairly popular plugins in this week’s list: Duplicator – WordPress Migration Plugin, WP Job Manager (both have updates available), Limit Login Attempts Reloaded, and Limit Login Attempts (no updates available). Make sure […]

Blog: Vulnerable WordPress Plugins Report for the Week of March 9, 2018

Vulnerable Plugins: Five disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week’s list: iThemes Security, and WP All Import. Make sure to get these updates into your change management cycle as soon as possible.

Blog: Vulnerable WordPress Plugins Report for the Week of March 2, 2018

Vulnerable Plugins: Seven disclosures since last week, with only one issue unfixed. View this week’s vulnerable plugins list. Please note there are a couple of fairly popular plugins in this week’s list: MainWP-Child, and WP Fastest Cache. Make sure to get these updates into your change management cycle as soon as possible. Other Security News: […]

Blog: Vulnerable WordPress Plugins Report for the Week of February 23, 2018

Vulnerable Plugins: Nine disclosures since last week, with all issues fixed! View this week’s vulnerable plugins list. Please note there are a few fairly popular plugins in this week’s list: MailChimp for WordPress, WooCommerce, and Ninja Forms. Make sure to get these updates into your change management cycle as soon as possible.

Blog: Version 4.9.3, Version 4.9.4 and the Denial of Service Vulnerability

As I mentioned on Friday, WordPress version 4.9.3 was released as scheduled Monday mid-day. If you have auto-updates enabled, you might have been surprised to see another WordPress update (4.9.4) come through Tuesday morning around 10am (CST). It seems there was a severe bug in 4.9.3 that caused the auto update feature to break in some sites […]

Blog: Vulnerable WordPress Plugins Report for the Week of February 2, 2018

Vulnerable Plugins: Seven disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. Other WordPress News: WordPress core announced on Tuesday version 4.9.3 will be delayed until Monday, February 5th. So now you know what you’re doing on Monday. 😉 Other Security News: Also on Tuesday, Cisco disclosed a vulnerability in the […]

Blog: Vulnerable WordPress Plugins Report for the Week of January 26, 2018

Vulnerable Plugins: Eighteen disclosures since last week, with five issues unfixed. Plus two disclosures (Ninja Popups) that I missed last week. View this week’s vulnerable plugins list. WPCampus Online: Don’t forget, the WPCampus Online conference is this Tuesday, January 30, starting at 9:00 A.M. CST.

Blog: Vulnerable WordPress Plugins Report for the Week of January 12, 2018

Vulnerable Plugins: Six disclosures since last week, with three issues unfixed. View this week’s vulnerable plugins list. WordPress Security News: Version 4.9.2 was released on Tuesday. It is a security and maintenance release and addresses a Cross-Site Scripting vulnerability and 21 other bugs. If you do not have auto-updates enabled, definitely get the update into […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of December 29, 2017 and January 5, 2018

Vulnerable Plugins: Ten disclosures over the last two weeks, with four issues unfixed. View this week’s vulnerable plugins list. I hope everyone had a wonderful and relaxing holiday break. Unfortunately, vulnerabilities and disclosures did not rest. Two critical situations were disclosed during that time: an Unauthenticated Arbitrary File Upload discovered in the LearnDash LMS plugin by […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 22, 2017

Vulnerable Plugins: Twenty-six disclosures this week, with ten issues unfixed. View this week’s vulnerable plugins list. The most concerning disclosure this week was the discovery by Wordfence that the plugin Captcha (300K installs) contained backdoor code. In looking through the repository, it appears the code was introduced in v4.3.6 of the plugin. Version 4.4.5 was released earlier […]

Blog: Vulnerable WordPress Plugins Report for the Week of December 15, 2017

Vulnerable Plugins: Seven disclosures this week, with five issues unfixed. View this week’s vulnerable plugins list. Other Security News: I’ve discussed the DorkBot service from UT Austin a couple of times now. I recently had the pleasure to chat with Andrew Scheifele (who had a hand in the DorkBot project) about how the service has […]

Blog: Vulnerable WordPress Plugins Report for the Weeks of November 24 and December 1, 2017

Vulnerable Plugins: Fifteen disclosures over the last two weeks, with eleven issues unfixed. View this week’s vulnerable plugins list. I hope everyone in the States had a great Thanksgiving last week. Many of you this week, hopefully, are attending WordCamp US in beautiful Nashville. If you are, please be sure to say “hello” to our colleagues […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 17, 2017

Vulnerable Plugins: Twenty-two disclosures this week, with ten issues unfixed. View this week’s vulnerable plugins list. The critical updates you should be aware of from this week’s list are in Formidable Forms, discovered by Klikki Oy, and in WP Support Plus Responsive Ticket System, discovered by Robert Mathews. If you are using either of these plugins, please make […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 10, 2017

Vulnerable Plugins: Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugins list. The most interesting disclosure this week, in my opinion, is that for the Animated Weather Widget plugin reported by WordFence. While the plugin itself did not contain a vulnerability, the plugin generated an iframe that contained content from weatherfor.us […]

Blog: Vulnerable WordPress Plugins Report for the Week of November 3, 2017

Vulnerable Plugins: Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet). View this week’s vulnerable plugins list. The largest disclosure this week was definitely the SQL Injection vulnerability patched in v4.8.3 of core. The patch even got its own haiku (courtesy of pagely.com): WordPress Halloween. We […]

Blog: Please Update to WordPress v4.8.3 Immediately

Version 4.8.3 was just released moments ago. It addresses a SQL Injection issue discovered by Anthony Ferrara. “IMPORTANT: I will be disclosing a massive WP SQLi vulnerability soon. I have no confidence WP will fix correctly and hence no choice but FD” — Anthony Ferrara (@ircmaxell), October 26, 2017. Confirmation from Anthony: “Yes. I will […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 27, 2017

Vulnerable Plugins: Nine disclosures this week, with five issues unfixed. View this week’s vulnerable plugins list. The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was […]

Blog: Vulnerable WordPress Plugins Report for the Week of October 6, 2017

Vulnerable Plugins: Fourteen disclosures this week, with six issues unfixed, three of those critical. View this week’s vulnerable plugins list. The big news this last week, at least in terms of coverage, was the disclosure by Wordfence of three plugins vulnerable to Object Injection vulnerabilities. Luckily, all three plugins have been fixed with updates […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 29, 2017

Vulnerable Plugins: Eleven disclosures this week, with two issues unfixed, both critical. Both have been removed from the public repository. View this week’s vulnerable plugins list. As a point of clarification, since there seems to be some confusion: I am not the discoverer of the vulnerabilities listed in the spreadsheet. There is a column labeled […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 22, 2017

Vulnerable Plugins: Fourteen disclosures this week, with five issues unfixed, and one that is critical. View this week’s vulnerable plugins list. The critical disclosure this week is an Arbitrary File Upload vulnerability in the plugin All Post Contact Form. It appears that the plugin doesn’t do any checking on the file type that is being […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 15, 2017

Vulnerable Plugins: Eight disclosures this week, with two issues unfixed, and two where I’m not sure. View this week’s vulnerable plugins list. The two I’m unsure of this week are with iThemes’ Backupbuddy plugin. Backupbuddy is a paid plugin, so I do not have access to the source files. The last changelog mention I can […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 8, 2017

Vulnerable Plugins: Seventeen disclosures this week, with eight issues unfixed. View this week’s vulnerable plugins list. Other Security News: The big disclosure this week was the breach at Equifax. If you haven’t heard about it yet, I strongly recommend you read the write-up by Brian Krebs over at krebsonsecurity.com. The TL;DR is Equifax, one […]

Blog: Vulnerable WordPress Plugins Report for the Week of September 1, 2017

Vulnerable Plugins: Ten disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. The disclosure with the most visibility this week was in WooCommerce Product Vendors, where researchers from SiteLock discovered an unauthenticated, reflected Cross-Site Scripting vulnerability. Automattic was quick to patch the vulnerability and promptly released version 2.0.40. Also disclosed this […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 25, 2017

Vulnerable Plugins/Themes: Seven disclosures this week, with zero issues unfixed. YAY! View this week’s vulnerable plugin list. This week, let’s look at the Authenticated, Unauthorized Information Disclosure vulnerability in version 1.1.0 of the Advanced Contact Form 7 DB plugin, as you may be asking how there can be a problem if someone is already authenticated. Authentication […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 18, 2017

Vulnerable Plugins/Themes: Eleven disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. Going to highlight a couple from this week. The first is the discovery by researcher Lenon Leite of a SQL Injection vulnerability in the plugin Link Library. Just like with last week’s SQL Injection examples, this vulnerability requires an authenticated user […]

Blog: Vulnerable WordPress Plugins/Themes Report for the Week of August 11, 2017

Vulnerable Plugins/Themes: Eleven disclosures this week, with two issues unfixed. View this week’s vulnerable plugin list. We have one theme joining the list this week: GamePlan – Event and Gym Fitness by cactusthemes.com. I mention it specifically because while I doubt most of us are using a gym-based theme (though possibly for a student rec […]

Blog: Vulnerable WordPress Plugins Report for the week of August 4, 2017

Vulnerable Plugins: Six disclosures this week, with three issues unfixed. View this week’s vulnerable plugin list. One of the disclosures is actually from last week that I intended to include but forgot. I want to bring attention to it because it highlights how vulnerabilities can be, and often are, stacked. Wordfence recently wrote about how attackers […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 28, 2017

Vulnerable Plugins: It was a busy week while I was away. Twenty disclosures, with eleven issues unfixed. Regarding both Formcraft Form Builder and Ultimate Affiliate Pro, since they are paid plugins, I do not have access to the source code in order to verify the disclosures. In addition, I’m assuming the vulnerabilities still […]

Blog: Vulnerable WordPress Plugins Report for the Week of July 13, 2017

Nope, today is not Friday (sorry). I’m going to be out of town tomorrow, so I’m doing this week’s report a day early. I’ll also be out next week; as such, there will be no report next week on the 21st. If there are numerous disclosures while I’m out, I’ll do a report shortly after I […]

Blog: Vulnerable WordPress Plugins Report for the week of July 7, 2017

Vulnerable Plugins: Only four plugins with disclosed vulnerabilities this week, none of which remain unpatched! That’s the fewest number of disclosures in a week since I started doing this report. You’ll notice WP Statistics made a repeat appearance after being on last week’s report for a SQL Injection vulnerability. This week’s appearance is due to an Authenticated […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 30, 2017

Vulnerable Plugins: Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft, which contains two unfixed SQL Injection vulnerabilities. The packetstorm post mentions the vulnerability being in “FormCraft Basic” but that the plugin directory for google dorking is “formcraft”. The version in the public repository definitely contains the vulnerability, […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 23, 2017

Vulnerable Plugins: This week’s list is probably one of the shortest since I started doing these reports: only 6 plugins, with 3 having unfixed vulnerabilities. Unfortunately, one of them is a repeat offender: Photo Gallery by WD, which made an appearance in the May 5, 2017 report for a SQL Injection vulnerability. This time around, […]

Blog: Vulnerable WordPress Plugins Report for the Week of June 16, 2017

Introduction: The weekly list is a collection of plugins and/or themes that have had vulnerabilities disclosed within the last week. I’ve historically created these weekly vulnerable plugin reports for the WordPress admins at the University of Missouri campus as a way to help them identify plugins and themes that need to be updated quickly. I began […]

Podcast: Access Denied - WordPress Security

Whenever you talk about WordPress, someone brings up WordPress security. Your boss is going to bring it up, your clients are going to bring it up, and there’s a decent chance you’ve had at least one night’s sleep ruined thinking about it. It’s one of those things that makes you feel paranoid: Am I doing […]