// Plugins security – extend, not erode!
WP Job Manager plugin was sitting vulnerable for some time and attack vectors were available with lowest possible user role. Now in current version 1.34.4 some hardening was placed in the form of post_type checks & nonce’s, but meddling with protected meta failed again. Almost the same way as WordPress core did. Eli5 PoC In …
This is a plugin that allows logging of activities around your wp setup, so admins have some insight about what is happening under the hood and what are the activities of different system functionalities and users from different user groups. In some of the classes around code base, specially those related to MySQL could be …
WP Activity Log before 4.1.5 unauthenticated SQLi Read More »
Abandoned Cart Plugin stands for recovering abandoned shopping carts for WooCommerce. Plugin source code is in quite bad shape from the good WP plugin development practices, but it got quite good coverage from some Woo “authorities” in the past and it is installed on 30k+ active stores. Here we talk about preauth SQL injection that …
WooCommerce abandoned cart before 5.8.2 SQL injection Read More »
Here we talk about Loginizer security plugin for WP that protects web sites from brute force attacks (quite needed functionality) and to provide extra lights and bolts in form of Two Factor Auth, reCAPTCHA, PasswordLess Login… Recently I performed some checks in the plugin code and few security issues were identified e.g. two paths towards …
The bug is more than simple, GET request with Administrator cookies in it, will result with any plugin from WP dot org installation & activation. If we talk about regular web application, then this won’t be even a issue and server miss configuration could be blamed (writable executable files), but we talk about WordPress where …
WooCommerce plugin is raw model how good WordPress plugin should look like and very often we can see how many another plugins around eco system very often borrow knowledge/source from it and that is probably ok. What is important to be mentioned here is the fact that there isn’t any log that will show us …
Adding slashes or removing them is a thing on WP. Most of the meta functions perform that e.g. they hold that not popular wp_unslashagainst meta keys and values. This means when input towards update_metadata and add_metadata isn’t from the current http requst via some web form e.g. html interface there is possibility for user to insert/update protected meta key into …
Core had put some efforts in order to prevent accessing attachment post type functions from another post types. Usually checks are done by calling get_post and comparing the post type with attachment, but that is selective and only in hand picked places. It is that way because performances mainly, so many functions are lacking this checks. Eli5 PoC One of …
WordPress attachment api functions and any post type Read More »
WordPress introduced maybe_unserialize and maybe_serialize as security functions in the past and they are deeply integrated in the core. Usually for backward compatibility or improper usage in the past, many software vendors are using multiple maybe_unserialize towards values that could be planted into DB with lower number of maybe_serializecalls. Eli5 PoC and if you think that this code isn’t existing then …
If we execute the following MySQL query against WP database we will get results in case we had already uploaded media in the past This is sort of “feature” of MySQL RDBMS, but what this means from WP aspect. It means a lot, because in the past there were account take over / backdoor vulnerabilities …