#Has it leaked yet tool update#
Wordfence has yet to respond to our queries about this, but we will update the story if and when they do so. Part of the rule apparently seeks a request path containing ‘ninja-forms-submissions’ that a hacker could link to the plugin by using the website WP Directory. This was because they added a rule to its Web Application Firewall (WAF), which was available to non-paying customers on September 2 and premium subscribers 30 days earlier, that revealed clues about the vulnerability’s existence and provenance.
#Has it leaked yet tool software#
Plugin Vulnerabilities also accused Wordfence, the WordPress security specialist, of “giving hackers a possible leg up” in advance of a software update being readily available.

“As part of our internal process corrections to error-proof this in the future, we have implemented an automated build and release protocol such that security fixes, once we implement them, will be released almost immediately.”

‘Possible leg up’

“In this process, while we got the fix done immediately, I failed to turn it around and get it out the next day, which is what should have happened; instead it was in normal cycle.

“I've been working on an internal process to track, remedy, and release security fixes with proper disclosure on a fast cycle,” he explained.

based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy.

Stuart Sequeira, lead engineer for Ninja Forms at Saturday Drive, responded quickly to The Daily Swig’s queries, saying that he “put in a fix” the day after security vendor Wordfence alerted them to the flaw, but admitted to an oversight that has since led them to introduce greater automation in releasing fixes.
#Has it leaked yet tool code#
It also criticized Saturday Drive for submitting a new version of the plugin to the Subversion repository underlying the WordPress Plugin Directory back on August 17, more than three weeks before releasing an official software update.

A description of, and code change for, the fix were also committed publicly on the WordPress Plugin Directory that, if seen by malicious actors, made it “trivial to exploit the vulnerability,” said Plugin Vulnerabilities. The insecure code was introduced in version 3.5.5, according to a blog post published by WordPress security service Plugin Vulnerabilities.

As well as updating their systems, Plugin Vulnerabilities recommends that website administrators running vulnerable versions who grant ‘untrusted’ individuals access to WordPress accounts could review “log files for the website to make sure there haven’t been any requests for the relevant path” to exploitation. The plugin’s developer, Saturday Drive, addressed the flaw in version 3.5.8, which it released yesterday (September 7) after a delay to the rollout of an otherwise seemingly rapid fix.

There’s even one image that shows it plugged into a phone.

Developer reveals error-proofing improvements after delay to rollout of rapid fix

An information disclosure vulnerability has been patched in Ninja Forms, the form-building plugin for WordPress with more than one million active installations.

An authenticated attacker who abuses the flaw could export personal data submitted to websites via forms built with the extension.

But other images make it less clear: another set of images leaked by Blass shows that it does have internal processing (and a blower-style cooling fan), and yet another set suggests the tube might simply be a carrying case. The first leaked photos appeared to indicate that the headset will be tethered via a wire to some kind of tube-shaped device, which could perhaps provide a little extra power to the headset (similar to the original Magic Leap).
(And I’m just going to say it: the leaked promo kind of makes the wearers look like bugs.) It’s hard to tell if the big yellowish spots on the front of the headset are see-through but if you look closely, it appears there may be cameras embedded in the front of the device. Overall, the images in Blass’ first tweet match many of the details reported by Protocol on Monday, but they give a much better idea of what the final device may look like.