Viewing 3 replies - 1 through 3 (of 3 total)
  • This plugin creates no links to your theme folder. Sorry, but I believe you might be confusing it with your theme or another plugin.

    Also of note, almost every theme is going to create a link into your themes folder, otherwise it can’t serve the stylesheet or images included with the theme. Unless you’re running a black text on white background only website 🙂

    The plugin does add a CSS sheet (which is actually a php file) in its directory but that is necessary to complete the security scan.

    Side note: in the future, if you believe you have found a security vulnerability in a piece of software, you should contact the developer privately and give them adequate time to respond and work on a fix before posting it publicly. The plugin contains links to my website and there is an easily findable link to my contact form. So you should have been able to easily contact me. 🙂

    /wp-content/themes/[theme used]

    As Matt mentioned, it looks like it came from your theme. There are lots of themes that may seem legit, but if you scan themes before activating you may find encrypted code, which may contain malicious code causing a security concern, or at the very least containing links to bad sites.

    As for the plugin – thanks Matt! I know it’s working because it sent an email after I did an upgrade of another plugin. 🙂

    I did find an instance where the plugin was causing a PHP error if you tried to hit its scanning URL without some variables loaded in the URL. This has been fixed in the version that should be available for download any moment now.

  • The topic ‘[Plugin: WordPress File Monitor] Creates Potential Security Vulnerability’ is closed to new replies.