Arbitrary File Upload Vulnerability in WooCommerce Catalog Enquiry

https://www.pluginvulnerabilities.com/2017/04/20/arbitrary-file-upload-vulnerability-in-woocommerce-catalog-enquiry/

One of the ways we keep track of vulnerabilities in WordPress plugins, so that we can provide our customers with the best data on them, is by monitoring the Support Forum on wordpress.org for threads related to such vulnerabilities. Through that, yesterday we came across a thread discussing that the demo website for the plugin WooCommerce Catalog Enquiry contained malware.

Powered by WPeMatico


Security Tip for Developers: You Don’t Need to Restrict Direct Access to .php Files Twice

https://www.pluginvulnerabilities.com/2017/04/20/security-tip-for-developers-you-dont-need-to-restrict-direct-access-to-php-files-twice/

One of the items we check for during our security reviews of plugins selected by our customers is whether the plugin’s .php files can be accessed directly when they are not intended to be. While being able to access them directly when that isn’t necessary usually doesn’t have any security impact, it is easy to prevent that from happening and


Cross-Site Request Forgery (CSRF) Vulnerabilities in Triagis® Security Evaluation

https://www.pluginvulnerabilities.com/2017/04/19/cross-site-request-forgery-csrf-vulnerabilities-in-triagis-security-evaluation/

Far too often it is found that security plugins for WordPress introduce security vulnerabilities of their own, which, if you know much about security, isn’t too surprising considering that so many security companies don’t seem to know and/or care much about security.

We recently ran across the security plugin Triagis® Security Evaluation, which is described as “a simple lite-weight


Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Rimons Twitter Widget

https://www.pluginvulnerabilities.com/2017/04/19/vulnerability-details-cross-site-request-forgery-csrfcross-site-scripting-xss-vulnerability-in-rimons-twitter-widget/

To provide our customers with the best information possible on vulnerabilities that have been in WordPress plugins they use, we create posts, like this one, which include the details of vulnerabilities for which the discoverer has not released a report with those details already. That allows our customers to better understand how the vulnerability had or could have impacted their

