// Plugins security – extend, not erode!
WP Job Manager plugin was sitting vulnerable for some time and attack vectors were available with lowest possible user role. Now in current version 1.34.4 some hardening was placed in the form of post_type checks & nonce’s, but meddling with protected meta failed again. Almost the same way as WordPress core did. Eli5 PoC In …
This is a plugin that allows logging of activities around your wp setup, so admins have some insight about what is happening under the hood and what are the activities of different system functionalities and users from different user groups. In some of the classes around code base, specially those related to MySQL could be …
WP Activity Log before 4.1.5 unauthenticated SQLi Read More »
Abandoned Cart Plugin stands for recovering abandoned shopping carts for WooCommerce. Plugin source code is in quite bad shape from the good WP plugin development practices, but it got quite good coverage from some Woo “authorities” in the past and it is installed on 30k+ active stores. Here we talk about preauth SQL injection that …
WooCommerce abandoned cart before 5.8.2 SQL injection Read More »
Here we talk about Loginizer security plugin for WP that protects web sites from brute force attacks (quite needed functionality) and to provide extra lights and bolts in form of Two Factor Auth, reCAPTCHA, PasswordLess Login… Recently I performed some checks in the plugin code and few security issues were identified e.g. two paths towards …
The bug is more than simple, GET request with Administrator cookies in it, will result with any plugin from WP dot org installation & activation. If we talk about regular web application, then this won’t be even a issue and server miss configuration could be blamed (writable executable files), but we talk about WordPress where …
WooCommerce plugin is raw model how good WordPress plugin should look like and very often we can see how many another plugins around eco system very often borrow knowledge/source from it and that is probably ok. What is important to be mentioned here is the fact that there isn’t any log that will show us …
Adding slashes or removing them is a thing on WP. Most of the meta functions perform that e.g. they hold that not popular wp_unslashagainst meta keys and values. This means when input towards update_metadata and add_metadata isn’t from the current http requst via some web form e.g. html interface there is possibility for user to insert/update protected meta key into …
Core had put some efforts in order to prevent accessing attachment post type functions from another post types. Usually checks are done by calling get_post and comparing the post type with attachment, but that is selective and only in hand picked places. It is that way because performances mainly, so many functions are lacking this checks. Eli5 PoC One of …
WordPress attachment api functions and any post type Read More »
Native WordPress importer have 3 different parser classes: WXR_Parser_SimpleXML, WXR_Parser_XML and WXR_Parser_Regex. If first two required PHP extensions (simplexml and xml) aren’t installed or somehow they fail during export file parsing, then everything should be done by WXR_Parser_Regex class. Failing could occure because: malformed XML file Huge XML file with lot of data (libxml doesn’t obay memory constraints from php.ini) most important one: …
This bug is 0day, but same as this bug was reported in the past. Try to fix here and fix here. Anyway, in the Woo code there is another DB query that modifies serialized PHP content outside from serialize / unserialize PHP functions and that results into user object injection. Beside numerous tries to harden WP, …