Plugin Vulnerabilities

Profile banner

Plugin Vulnerabilities

@pluginvulns.bsky.social

20
Followers
8
Following
264
Posts
Provider of service to protect websites from being exploited due to vulnerable WordPress plugins. https://www.pluginvulnerabilities.com/
Posts Replies Media
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 4 days
Insights That Australia's Report on Chinese Hacking Campaign Has for Securing WordPress Websites www.pluginvulnerabilities.com/2024/07/12/i...
Insights That Australia’s Report on Chinese Hacking Campaign Has for Securing WordPress Websiteswww.pluginvulnerabilities.com This week the Australian government released an advisory focused on a Chinese hacking campaign, which includes a couple of case studies looking in to successful hacks. The information in the advisory
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 5 days
WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them www.pluginvulnerabilities.com/2024/07/10/w...
WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Themwww.pluginvulnerabilities.com In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Block hadn't been fully fixed. It was a good reminder of the
Reposted byAvatar Plugin Vulnerabilities
Avatar
Derek Willis @dwillis.bsky.social · 18 days
The website of the North Carolina First District Republican Party committee sure does address a broad range of topics and audiences! ncgop1.com/category/lat...
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 18 days
It's kinda of ridiculous that WordPress is so intent on promoting Gutenberg that the first two plugins shown at the moment on the plugin directory website are not listed as being compatible with the latest version of WordPress (or the previous version). But they are block enabled!
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 18 days
Based on the code added to Blubrry PowerPress, it's obviously the same attacker that added malicious code to the other WordPress plugins. The attacker isn't even trying to disguise what they are doing, which provides more evidence they are not sophisticated.
Avatar Terence Eden @Edent.mastodon.social.ap.brid.gy · 19 days
Ah fuck. The WordPress plugin I was using for my old PodCast was compromised. Kudos to #WordPress for alerting me and giving clear instructions on how to fix it. #PodCast #PowerPress
Reposted byAvatar Plugin Vulnerabilities
Avatar
Terence Eden @Edent.mastodon.social.ap.brid.gy · 19 days
Ah fuck. The WordPress plugin I was using for my old PodCast was compromised. Kudos to #WordPress for alerting me and giving clear instructions on how to fix it. #PodCast #PowerPress
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 18 days
Google News includes this story where the headline claims that "millions of websites at risk." That refers to the recent issue where five WordPress plugins had malicious code placed in to them. The most popular had 30,000+ installs, so not even close to a million websites were at risk. 🤔
5 WordPress Plugins Compromised; Millions of Websites at Riskwww.esecurityplanet.com Hackers exploited popular WordPress plugins, putting millions of WordPress websites under threat.
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 20 days
Vulnerability in WordPress Software Bill of Materials (SBOM) Plugin Allows Anyone Access to SBOM for Website
Vulnerability in WordPress Software Bill of Materials (SBOM) Plugin Allows Anyone Access to SBOM for Websitewww.pluginvulnerabilities.com A software bill of materials (SBOM) is used to provide information on the software components that make up a larger software system. There has been a lot of focus on them recently as a way to try to b
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 21 days
It concerning how many mistakes in the handling of the security of the code in WooCommerce we run across. In the latest, it looks like there hasn't been a basic security review of what is accessible through the Store API in four years, despite millions of installs of WooCommerce.
WooCommerce is Exposing Private Product Information Through Store APIwww.pluginvulnerabilities.com While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in that. That plugin has long been incorporated i
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 21 days
Attacker Adding Malicious Code to Legitimate WordPress Plugins in Plugin Directory Quickly Caught
Attacker Adding Malicious Code to Legitimate WordPress Plugins in Plugin Directory Quickly Caughtwww.pluginvulnerabilities.com When it comes to vulnerabilities in WordPress plugins, they often go unnoticed for years, as was the case with a vulnerability we ran across in WooCommerce this week. But with another situation in the
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 21 days
How much of the Reddit content that is being fed in to AI, generated by AI itself, as this user's replies look to be?
Reddit - Dive into anythingwww.reddit.com u/dbaseas
Reposted byAvatar Plugin Vulnerabilities
Avatar
Baldur Bjarnason @baldurbjarnason.com · 22 days
“Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attack | Ars Technica” arstechnica.com/security/202... I think it's time to be much more careful about plugins, extensions, and dependencies, whether it's on your website, code, or text editor.
Backdoor slipped into multiple WordPress plugins in ongoing supply-chain attackarstechnica.com Malicious updates available from WordPress.org create attacker-controlled admin account.
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 21 days
Before journalists complain about AI, maybe they should address their own shoddy work. Like this: Here is the Bleeping Computer's Bill Toulas claiming that Wordfence discovered something, but the Wordfence blog post he cites states right at the beginning that someone else did.
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 22 days
WooCommerce is Exposing Private Product Information Through Store API www.pluginvulnerabilities.com/2024/06/25/w...
WooCommerce is Exposing Private Product Information Through Store APIwww.pluginvulnerabilities.com While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in that. That plugin has long been incorporated i
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 25 days
It isn't hard to understand why people think that WordPress is an arm of Automattic when you have situations like this.
Avatar Plugin Vulnerabilities @pluginvulns.bsky.social · 25 days
Every single person listed as being involved with that proposal is an Automattic employee. Shouldn't something from the Community team involve members of the WordPress community beyond Automattic employees?
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Our firewall plugin blocked this attempt to exploit an XSS vulnerability in something that runs through WordPress' AJAX functionality with the action "zip_search" We can't find a reference to a WordPress plugin (or theme) that relates to. Anyone recognize what that is?
Reposted byAvatar Plugin Vulnerabilities
Avatar
Waffle House, M.D. @ruleo.bsky.social · 1 mo
found some malware on a vendors wordpress install, here's what i have so far (probably cringe and wrong, im dumb of ass) pastebin.com/2PuDDpnM
uwu whats this - Pastebin.compastebin.com Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.
Reposted byAvatar Plugin Vulnerabilities
Avatar
Chris @ichris.bsky.social · 1 mo
At some point the WordPress world (and the web in general) is going to have to work through the very real accounts of Matt Mullenweg being a bully on a web that his software runs 40% of.
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Anyone heard of a WordPress plugin named RFC WordPress? Someone is claiming there is a vulnerability in it, but we can't find any evidence it even exists. packetstormsecurity.com/files/179099...
WordPress RFC WordPress 6.0.8 Shell Upload ≈ Packet Stormpacketstormsecurity.com Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
Reposted byAvatar Plugin Vulnerabilities
Avatar
Baldur Bjarnason @baldurbjarnason.com · 1 mo
This highlights just how massively off-the-rails Wordpress seems to be: it’s starting to look like a commercial product with an open source component both run by an autocratic bully I didn’t realise, for example, that the Gutenberg dev seems to take precedence over Wordpress core dev these days.
Avatar Baldur Bjarnason @baldurbjarnason.com · 1 mo
“EP484 - Whose WordPress is it anyway?” wpwatercooler.com/wpwatercoole... > For WordPress, there is no accountability in that behavior or In the ethicalness, or the morality, the behavior of Matt, who is in control of all of these entities. This is a podcast episode but it has a full transcript
EP484 - Whose WordPress is it anyway? - WPwatercoolerwpwatercooler.com On this episode, Jason Tucker and Sé Reed discuss the concept of who "owns" the WordPress open-source project and the broader question of who controls WordPress, highlighting the tension between the o...
Reposted byAvatar Plugin Vulnerabilities
Avatar
Baldur Bjarnason @baldurbjarnason.com · 1 mo
“EP484 - Whose WordPress is it anyway?” wpwatercooler.com/wpwatercoole... > For WordPress, there is no accountability in that behavior or In the ethicalness, or the morality, the behavior of Matt, who is in control of all of these entities. This is a podcast episode but it has a full transcript
EP484 - Whose WordPress is it anyway? - WPwatercoolerwpwatercooler.com On this episode, Jason Tucker and Sé Reed discuss the concept of who "owns" the WordPress open-source project and the broader question of who controls WordPress, highlighting the tension between the o...
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
WordPress Isn't Warning Users of Plugin With Unfixed Vulnerability That Is Being Exploited www.pluginvulnerabilities.com/2024/06/14/w...
WordPress Isn’t Warning Users of Plugin With Unfixed Vulnerability That Is Being Exploitedwww.pluginvulnerabilities.com This week, our Plugin Vulnerabilities Firewall plugin has blocked several attempts across our websites to exploit a vulnerability in a WordPress plugin. In investigating the attacks, we found that the
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
At Least 10,000 WordPress Websites Still Have Exploited Versions of Icegram Express Plugin Installed www.pluginvulnerabilities.com/2024/06/12/a...
At Least 10,000 WordPress Websites Still Have Exploited Versions of Icegram Express Plugin Installedwww.pluginvulnerabilities.com Yesterday, we detailed our findings on a SQL injection vulnerability that had been in the WordPress plugin Icegram Express, after having a hacker try to exploit it on our website. The vulnerability wa
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Privilege Escalation Vulnerability in Pretty Links www.pluginvulnerabilities.com/2024/06/12/p...
Privilege Escalation Vulnerability in Pretty Linkswww.pluginvulnerabilities.com One of the changelog entries for the latest version of the WordPress plugin Pretty Links is "Security hardening." Looking at the changes made, we found that a nonce check to prevent cross-site request
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Express www.pluginvulnerabilities.com/2024/06/11/h...
Hacker Targeting Recently Incompletely Fixed Vulnerability in WordPress Plugin Icegram Expresswww.pluginvulnerabilities.com Over the weekend, we had a hacker attempt to exploit a SQL injection vulnerability that turned out to be one fixed recently in the 90,000+ install WordPress plugin Icegram Express on our website. We d
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP jQuery Lightbox (WP Lightbox) www.pluginvulnerabilities.com/2024/06/11/a...
Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in WP jQuery Lightbox (WP Lightbox)www.pluginvulnerabilities.com One of the changelog entires for the latest version of the WordPress plugin WP jQuery Lightbox (WP Lightbox) is "Minor security fix (issue only affected authenticated users)." Checking in to that, we
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
AI Helps Catch CSRF Vulnerability Being Introduced in to 100,000+ Install WordPress Plugin Modula www.pluginvulnerabilities.com/2024/06/10/a...
AI Helps Catch CSRF Vulnerability Being Introduced in to 100,000+ Install WordPress Plugin Modulawww.pluginvulnerabilities.com Three years ago, a prominent WordPress security provider claimed that increasing numbers of vulnerabilities claimed to be discovered in WordPress plugins was caused not by more vulnerabilities being i
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Reflected Cross-Site Scripting (XSS) Vulnerability in Dynamic QR Code Generator www.pluginvulnerabilities.com/2024/06/10/r...
Reflected Cross-Site Scripting (XSS) Vulnerability in Dynamic QR Code Generatorwww.pluginvulnerabilities.com The WordPress plugin Dynamic QR Code Generator was closed on the WordPress plugin directory last year with the only explanation given that it had a "Security Issue." No further details of the issue we
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
This says so much about why WordPress security remains so bad. Claiming that you don't need to worry about security because a service offers malware removal. Malware only gets on a website if it isn't secure in the first place. And removing it doesn't fix the security problem.
Avatar The Digital Sharecropper @sharecropping.bsky.social · 1 mo
Reach your global audience and boost your site's performance without worrying about any security or technical setup with WPX. https://sharecropp.in/wpx #WordPress #OnlineBuiness
Avatar
Plugin Vulnerabilities @pluginvulns.bsky.social · 1 mo
Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Appointment Booking and Online Scheduling www.pluginvulnerabilities.com/2024/06/07/o...
Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Appointment Booking and Online Schedulingwww.pluginvulnerabilities.com One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin