WPML owned by On The Go Systems is stellar, beyond stellar. They deeply care about security and will help all customers including current paying customers and those who are no longer paying when a severe threat emerges. Did we work with them to improve their security? Yes, we did, but that isn't the point, the point is how they handled the security issues and how amazing they are with their customers. On The Go Systems makes many WordPress Plugins and while we haven't reviewed them … [Read more...]
Protected: FAQ for WordPress Plugin developers in our More Secure Plugin Repo
This content is password protected. To view it please enter your password below: Password: … [Read more...]
Who We Helped With WordPress Security And Who We Are Part One
We have been involved in the WordPress community and helping with security for five or six years, but many people still haven't heard our name. So, let's help catch you up to speed on who we are, what we do, and who we've helped. We have published a list of some of the companies we've helped in the WordPress community, because we want you the reader to understand our goal. Unfortunately, a lot of the companies wanted to credit the person who reported the bug and not our company. What is … [Read more...]
Genesis Framework & Child Themes Are The Best We’ve Ever Seen
We love, absolutely love the Genesis Framework and their Genesis child themes. We did a code review for someone awhile back and were unable to find a single mistake in the Genesis framework. This is saying so much, because on average we find 150 vulnerabilities in software. We believe it is good to praise those who do an impeccable job in security and are focused on usability and security. Genesis falls under both those categories and we look forward to them continuing their incredible work. … [Read more...]
SiteOrigin Widgets Bundle Vulnerabilities — download our cure for you
SiteOrigin Widgets Bundle is used by over one million sites and is the newest WordPress plugin for us to fix and have for sale, because siteorigin widgets bundle has some vulnerabilities that can not be ignored and definitely would not be ignored if a criminal wanted to get into your site. SiteOrigin has a lot of vulnerabilities and we've patched the most severe one today. Based on our code review this vulnerability would allow attackers to inject malicious code into the website, deface the … [Read more...]
WordPress Plugin OptinMonster Popups on 500 thousand sites allows unauthenticated users to admin backend
Update: upon further review we reaffirm our post, but make the following annotation; the severity of this issue maybe less then originally thought. We are continuing our evaluation and we will post our findings. update: We completed our review of the code in the screenshot of this post and while we identified variables that would lead to severe vulnerabilities, we have not been able to find use of the vulnerable variables, however the classes are still vulnerable and need to be updated. The … [Read more...]
Number Theory Attack On Two factor Authentication research
What you are about to read is research that at this point has only been proven on paper repeatedly over a thousand times and has had the support of being peer reviewed countless times, with no one being able to disprove it in the last two years. Why did we make this research public? What are we claiming? We made it public to see if people can take it from paper to proof of concept or if they can take it from paper to disproven or a proven proof of concept. So what we are claiming is simple, we … [Read more...]
50 thousand WordPress sites use Paid membership WP Plugin & suffer from SQL injection & CSRF to stored XSS
Update: A new version of Paid memberships pro has been released to the WordPress repo, fixing the CSRF to stored XSS issue written about below, however anyone using paid memberships pro 1.9.2 or lower is still vulnerable. The sql injections still exist in many areas of the code, however some areas are protected, which we had yet to review. It does show improvement that two issues were fixed so quickly by the developer. Paid Membership pro is a WordPress plugin that helps people buy your … [Read more...]
WordPress security alerts June 29th 2017
WordPress plugin My-readers-wall has had a potential sql injection detected … [Read more...]
WordPress CevHerShare Plugin CSRF to Persistent XSS — Jetpack Security incorrect
WordPress cevehershare plugin is a plugin that allows users to use social media to share content, like the name implies. WordPress cevhershare suffered from cross site request forgery on the admin side, which we then chained together to persistent cross site scripting on the admin side. What does this mean in basic terms? It means that if an admin was logged in and clicked on a malicious link, went to a malicious website, or viewed a malicious image it could inject malicious code into the … [Read more...]