PluginVulnerabilities

joined 1 year ago
[–] PluginVulnerabilities 1 points 9 months ago

Other data providers including Patchstack, Wordfence, and WPScan are all listing the vulnerability as having been fixed, despite the developer only partially fixing it.

 

They recently claimed that a vulnerability in a WordPress plugin exposed WordPress users' passwords. It didn't, only password hashes. That is significantly different.

WPScan also claimed that the vulnerability allowed "account takeover," despite that being unlikely to happen there.

[–] PluginVulnerabilities 1 points 1 year ago

Even better is to use tools that provide effective protection, as multiple tools that don't provide effective protection are still unlikely to provide effective protection when combined.

[–] PluginVulnerabilities 0 points 1 year ago (1 children)

Again with the projection. You are the only one ranting here. We don't have any "scammy-ass" plugins.

The post you are replying about mentioned Wordfence in the context of us explaining how we came across a serious vulnerability. Which involved us reviewing a false claim by Wordfence about a vulnerability in a plugin one of our customers started using. So it wasn't altruistic, our customers pay us to do that work. We mentioned WordPress in the context of boilerplate text explaining why we full disclosed the vulnerability. None of that is a rant.

You can't even keep your claims straight. First you claimed we hadn't explained what the moderators were doing that is inappropriate and then you claimed we had, but you don't agree with it. To quote you, "No one is going to trust you or listen to you if you can’t be honest about what’s happening."

[–] PluginVulnerabilities 3 points 1 year ago (1 children)

This is the plugin: https://wordpress.org/plugins/sendpress/

These are security changes the developer made today, which presumably is in response to the plugin being closed for a security issue: https://plugins.trac.wordpress.org/changeset/2990357/

Here is the file from the screenshot: https://plugins.trac.wordpress.org/browser/sendpress/trunk/classes/views/class-sendpress-view-pro.php?rev=2990358

The code in that file is still missing needed security even after the security change made today.

[–] PluginVulnerabilities 0 points 1 year ago (3 children)

You seem to have us confused with someone else. We haven't claimed that WordPress forum moderators are out to get us and we don't have a victim complex. Perhaps you have an issue with projection. The moderators do act inappropriately, which plenty of people in the WordPress community have dealt with. It is why so few people participate in them.

As for what the moderators are doing inappropriately, we explained some of that here. That was linked to in the post you are replying about. It would help to read what you are responding to before claiming it doesn't provide something. And here is a specific example, which had nothing to do with us, where they deleted messages simply saying thank you.
