The Connection Between OptinMonster’s Poor Security and Broader Plugin Security Problems
SharonP (Member), October 28, 2021 at 12:18 pm

Yesterday, Wordfence published a post on the really troubling state of security with one of the most popular WordPress plugins, OptinMonster. What wasn’t mentioned in their post was the connection between that and the broader situation with WordPress plugin security. The developer of the plugin, Awesome Motive, somehow has a chief security officer, despite the really poor security handling Wordfence found and the poor initial attempt to address that in the plugin. The CSO is also listed as being the “Security Reviewer” for the team running the Plugin Directory. What Wordfence caught should have already been caught if a security review had been done of that plugin, which you would think a CSO would have done or ensured someone else did. The poor security of that plugin, though, unfortunately, is in line with the team running the Plugin Directory failing to handle security well, as we again have found a plugin that had a security issue that should have been caught by automated security monitoring by that team. This time a plugin with 20,000+ installs that is passing user input directly to unserialize(), which permits PHP object injection:

$_wishlist = unserialize( stripslashes( $_COOKIE[ $_wishlist_key ] ) );

That is easy to spot with automated tools. We have offered to help them have the capability to do just that for years without them taking up the offer or addressing the need in some other way. – by /hq/PluginVulns
