Vulnerability Details: PHP Object Injection Vulnerability in Welcart e-Commerce

https://www.pluginvulnerabilities.com/2017/09/14/vulnerability-details-php-object-injection-vulnerability-in-welcart-e-commerce/

From time to time a vulnerability is fixed in a plugin without the discoverer putting out a report on it. In those cases we put out a post detailing the vulnerability so that we can provide our customers with more complete information on it.

Since June we have been doing proactive monitoring of changes made to plugins to try

Powered by WPeMatico


SecuPress Price Changes + More Plans = More Accessible!

https://secupress.me/blog/secupress-price-change/

SecuPress Pro prices are changing today. It’s important to understand the why and also if you’re already a customer what will change for you.

New Plans

Before today, September 14th, 2017, SecuPress Pro was available through only 4 yearly plans:

1 site for $59
3 sites for $149
10 sites for $289
Unlimited sites for $479

The problem was that


Wordfence Would Rather Promote Their Plugin Than Address Important Issues Putting WordPress Websites at Risk

https://www.pluginvulnerabilities.com/2017/09/13/wordfence-would-rather-promote-their-plugin-than-address-important-issues-putting-wordpress-websites-at-risk/

When it comes to improving the security of WordPress, it often seems that security companies are more interested in promoting themselves than in actually improving security. One company that comes to mind is Wordfence, so it wasn’t surprising to see that when they discussed the recent malicious takeover of the Display Widgets plugin it was devoid of any discussion of the real


Authenticated Arbitrary File Upload Vulnerability in Football Pool

https://www.pluginvulnerabilities.com/2017/09/13/authenticated-arbitrary-file-upload-vulnerability-in-football-pool/

Through our proactive monitoring of changes in WordPress plugins for serious vulnerabilities, we recently found an authenticated arbitrary file upload vulnerability in the Football Pool plugin.

The plugin has a number of admin pages that are available to users with the ‘manage_football_pool’ capability. The plugin creates a new role with that capability as well as providing it to Editor


Authenticated PHP Object Injection Vulnerability in Media from FTP

https://www.pluginvulnerabilities.com/2017/09/13/authenticated-php-object-injection-vulnerability-in-media-from-ftp/

We recently started proactively monitoring for evidence of some high risk vulnerabilities when changes are made to WordPress plugins, and if we had more customers we could expand the proactive monitoring to more types of vulnerabilities. One of the types of vulnerabilities we are looking for is PHP object injection, since those vulnerabilities are likely to be exploited if hackers become aware
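Several of the excerpts above (Welcart e-Commerce, Media from FTP) concern PHP object injection, so here is an added illustration of the vulnerability class in general terms. This is example code written for this page; it is not code from either plugin, and the `LogWriter` class, the `load_settings_*` function names and the serialized payload are all constructed for the illustration (PHP 8 or later assumed for the `mixed` return type).

```php
<?php
// Added illustration of PHP object injection in general terms.
// Nothing here is taken from Media from FTP, Welcart, or any other plugin.

// A class with a "magic" method is what makes unserialize() of untrusted
// data dangerous: __destruct() runs automatically when the object is freed,
// so whoever controls the serialized string controls its properties.
class LogWriter {
    public $path = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        // With attacker-chosen $path and $data this is an arbitrary file write.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: serialized data that came from a request, a cookie,
// user meta, or a setting a low-privilege user can save is unserialized
// as-is. The attacker picks the class and every property value.
function load_settings_vulnerable(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened variant 1: forbid object instantiation entirely. Scalars and
// arrays still round-trip; any object in the payload becomes
// __PHP_Incomplete_Class, whose magic methods never run.
function load_settings_no_objects(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened variant 2: do not use PHP's serialization format at all for data
// that crosses a trust boundary. JSON cannot carry objects with behaviour.
function load_settings_json(string $untrusted): ?array {
    try {
        $decoded = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;                        // reject malformed input outright
    }
    return is_array($decoded) ? $decoded : null;
}

// Constructed payload (hypothetical): a LogWriter whose destructor would
// write attacker-controlled content to an attacker-chosen path.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/injected.php";s:4:"data";s:13:"<?php echo 1;";}';

// load_settings_vulnerable($payload) would instantiate LogWriter and, when
// the object is destroyed, write /tmp/injected.php. Deliberately not called.

$safe = load_settings_no_objects($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);   // bool(true): no destructor will fire

var_dump(load_settings_json($payload));             // NULL: not valid JSON, rejected
var_dump(load_settings_json('{"path":"/tmp/app.log"}')); // array(1) { ["path"]=> ... }
```

The `allowed_classes` option exists since PHP 7.0; on older versions the only safe choice is variant 2. In WordPress code, the same reasoning applies to `maybe_unserialize()` on option or meta values that a lower-privileged role can write, which is why an "authenticated" object injection, as in the Media from FTP excerpt, still matters.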


More of WordPress’ Poor Handling of Plugin Security as Seen Through Malicious Takeover of Display Widgets

https://www.pluginvulnerabilities.com/2017/09/12/more-of-wordpress-poor-handling-of-plugin-security-as-seen-through-malicious-takeover-of-display-widgets/

Yesterday we looked at what happened when a popular plugin, Display Widgets, was purchased by someone (or someones) with malicious intent and people on the WordPress side of things handled it poorly. In a link included in one of the comments on that post we found another piece of what happened that makes WordPress’ handling of this seem worse,
