BulletProof Security WordPress v50.8 – POST Inject Vulnerability???

Not sure why only BPS would show up as having old bugs/security vulnerabilities since Wordfence, iThemes Security, All in one wp security, etc etc etc have all had bugs/security vulnerabilities found and reported at one time or another.

Bugs/security vulnerabilities occur from time to time with any software: BPS, Microsoft, etc etc etc. Nothing to be concerned about and just the norm with all software. The bugs in the links you posted were fixed about a year ago. There is a new bug/security vulnerability that I believe will be officially posted/reported soon that has already been corrected/fixed in BPS .52.5 – see below.

https://www.ads-software.com/plugins/bulletproof-security/changelog/

BugFix|Correction: DB Table Prefix Changer: Only allow entering numbers, lowercase letters and underscores in the Randomly Generated DB Table Prefix Form text box. Special thanks to Sathish from: Cyber Security Works Pvt Ltd for reporting a bug/security vulnerability in the DB Table Prefix Changer tool Form. Notes: You MUST be an Administrator and logged into the site as an Administrator in order to enter/test XSS html testing code in the Randomly Generated DB Table Prefix Form text box. Please do NOT actually try this test if you are using a version of BPS that is below .52.5. BPS .52.5 and above versions will only allow entering numbers, lowercase letters, and underscores for the DB Table Prefix name. If you have a BPS version below .52.5 then entering an invalid DB Table Prefix name will crash your website.

FYI – Your site: jezyk.pila.pl is being accidentally flagged and blocked as a malicious website by my Malwarebytes Anti-Malware Premium computer software. I checked your site and it does not contain anything malicious.

Luckily most of the bugs/security vulnerabilities in the past in BPS could only be exploited if you were an Administrator and logged into a site as an Administrator. You might ask then why would it be considered a security vulnerability if someone would have to be logged into a site as an Administrator to exploit that bug. The answer is that a bug is a bug and you can call it anything you want to call it. I appreciate very much when someone finds a bug in BPS and lets me know about it so that I can fix that bug. ??

Oops I misread/misunderstood this statement: “I installed a plugin that scans your site for plugin vulnerabilities.” What is the name of that plugin that scans your site? I will download and test it to see why it is malfunctioning/not working correctly.

Logically a valid check in that plugin would be to check the current version of a plugin that is installed on your site against the version of a plugin that had a vulnerability. If the plugin is malfunctioning and just checking for old bugs/vulnerabilities in older versions of a plugin then that would make that scanning plugin useless/worthless/broken.

There are only a handful of plugins that scan other plugins for reported security vulnerabilites. I found the broken plugin you are using: Plugin Security Scanner: https://www.ads-software.com/plugins/plugin-security-scanner/ The problem with this plugin is that it is not doing the logical checking method that I stated above. If you want a working plugin that does the logical checking method that I stated above then I tested the Security and Vulnerability Shield plugin and it is doing exactly the correct method of checking the current version of plugins that you have installed against versions of plugins that have/had bugs/vulnerabilities: Security and Vulnerability Shield: https://www.ads-software.com/plugins/security-and-vulnerability-shield/

I have notified the Plugin Security Scanner plugin author about this problem in his plugin here: https://www.ads-software.com/support/topic/scan-returns-false-positive?replies=4#post-7447401

Assuming all questions have been answered – thread has been resolved.

Thread Start Date: 9-18-2015 to 9-19-2015
Thread Resolved/Current Date: 9-20-2015