Earlier this week we discussed the fact that Wordfence doesn’t actually check plugin vulnerabilities before claiming they are fixed. While writing up that post we noticed a feature of their service that looks like it doesn’t live up to their claims by a mile. Since the average webmaster isn’t going to have the knowledge to see through this, we thought it would be a good idea to make others aware of it.
As part of the marketing material on their homepage they have a section about their Real-Time Threat Defense Feed. Just with that name it sounds impressive, but their description makes it sound more impressive:
Protection from the latest threats, delivered as they emerge
Wordfence protects over 1 million WordPress websites, giving us unmatched access to information about how hackers compromise sites, where attacks originate from and the malicious code they leave behind. The team in our Forensic Lab are constantly adding updates as they discover new threats. Premium members receive the real-time version of the Threat Defense Feed. Free users receive the community version, which is delayed by 30 days.
While that certainly sounds impressive, based on our recent success in spotting vulnerabilities in the current versions of WordPress plugins that hackers look to be interested in exploiting, it certainly looks as though in reality that feature doesn’t provide anywhere near “unmatched access” to knowledge of “how hackers compromise sites”.
Recently, through monitoring requests sent to our websites for what look to be hackers probing for the use of plugins and then checking over those plugins for relevant vulnerabilities, we found the following likely-to-be-exploited vulnerabilities:
- an authenticated file upload vulnerability in WP Editor
- an authenticated file modification vulnerability in WP Editor
- an authenticated file viewing vulnerability in WP Editor
- an arbitrary file upload vulnerability in WP Mobile Detector
- an arbitrary file upload vulnerability in BePro Listings
- an arbitrary file upload vulnerability in Vertical SlideShow
- an arbitrary file upload vulnerability in wp superb Slideshow
- an arbitrary file upload vulnerability in wp Dreamwork Gallery
- an arbitrary file upload vulnerability in Bliss Gallery
- an arbitrary file upload vulnerability in Image News slider
- an arbitrary file upload vulnerability in YAS Slideshow
- an arbitrary file upload vulnerability in Carousel slideshow
- an arbitrary file upload vulnerability in Levo Slideshow
- an arbitrary file upload vulnerability in Power Zoomer
- an arbitrary file upload vulnerability in Homepage SlideShow
- an arbitrary file upload vulnerability in Smart Slideshow
- an arbitrary file upload vulnerability in Slideshow Pro
- an arbitrary file upload vulnerability in Blaze Slideshow
- an arbitrary file upload vulnerability in Catpro Gallery
- an arbitrary file upload vulnerability in XData Toolkit
- a privilege escalation vulnerability in Simplr Registration Form Plus+
While looking for additional data sources to expand our ability to catch these vulnerabilities, so that we can improve our vulnerability data for our customers and improve the security of WordPress plugins for everyone, we also found:
- a persistent cross-site scripting (XSS) vulnerability in WordPress File Monitor
- an arbitrary file upload vulnerability in Jssor Slider
The most recent vulnerability we found, in Jssor Slider, was something that it looks like a hacker might have been aware of more than a year ago and yet the vulnerability still was in the plugin and the plugin still available in the Plugin Directory as of today.
Something that surprised us with this is that in only two of the cases does it appear that someone else not interested in exploiting these vulnerabilities had spotted them as well. We figured that there would be many others, considering how easy it has been for us to find the vulnerabilities.
In one case the security company Sucuri Security reported on the vulnerability in WP Mobile Detector four days after we had notified the developer and two days after we had reported it to the Plugin Directory; despite that, they tried to claim the disclosure as their own. In another case, while we were working through the review of a set of 16 plugins with a related security issue, so that we could coordinate reporting all of them, someone else released details on one of them (their report seems a bit confused though). In all cases we seem to have been the only ones that had reported the issue to the Plugin Directory (we often look to be the only ones making them aware of vulnerabilities disclosed by others as well), so the plugins have been removed from there pending them being fixed.
Decidedly missing from those that also caught any of those vulnerabilities is Wordfence. If Wordfence was aware of these vulnerabilities you would expect that they would have posted something on their blog about them, considering they post when they find minor vulnerabilities (and manage to miss multiple related vulnerabilities) or even when they had nothing to do with the discovery of a vulnerability in a plugin, or that they would at least have notified the Plugin Directory.
Wordfence’s “unmatched access to information” doesn’t appear to produce the results that we have with just a few websites, which makes us wonder what exactly they would be able to catch.
Protecting Yourself From These Plugin Vulnerabilities
Considering that Wordfence seems to have been unaware of these plugin vulnerabilities when they first cropped up, they are going to have a hard time protecting you in a timely fashion. So how can you actually protect yourself from this type of vulnerability?
One simple step is to remove plugins that you are not using, since even if you deactivate unused plugins, sometimes the vulnerabilities are still exploitable.
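The probing described above (requests for plugin directories, checked against which plugins are actually present) is easy to spot in your own access logs. The following is an added example, not code from Plugin Vulnerabilities or from any of the plugins named here; the log lines and plugin slugs are constructed for illustration, and the two plugin names in the active set are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; only IP, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[A-Za-z0-9_.-]+)/')

# Constructed sample lines (not real traffic): scanners fingerprint installed
# plugins by requesting readme.txt under each plugin directory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:08:01:02 +0000] "GET /wp-content/plugins/wp-mobile-detector/readme.txt HTTP/1.1" 404 213
203.0.113.7 - - [10/Jun/2016:08:01:03 +0000] "GET /wp-content/plugins/jssor-slider/readme.txt HTTP/1.1" 200 1450
203.0.113.7 - - [10/Jun/2016:08:01:04 +0000] "GET /wp-content/plugins/wp-editor/readme.txt HTTP/1.1" 200 980
198.51.100.9 - - [10/Jun/2016:08:05:10 +0000] "GET /wp-content/plugins/jssor-slider/readme.txt HTTP/1.1" 200 1450
198.51.100.9 - - [10/Jun/2016:08:05:11 +0000] "GET /wp-content/themes/twentysixteen/style.css HTTP/1.1" 200 5120
"""


def plugin_probes(log_text):
    """Return {slug: {"hits": n, "sources": {ip, ...}, "found": bool}}.

    "found" is True when a request under that plugin directory did not 404,
    i.e. the probe confirmed the plugin's files are present on disk.
    """
    probes = defaultdict(lambda: {"hits": 0, "sources": set(), "found": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        p = PLUGIN_RE.match(m.group("path"))
        if not p:
            continue  # not a plugin directory request
        entry = probes[p.group("slug")]
        entry["hits"] += 1
        entry["sources"].add(m.group("ip"))
        if m.group("status") != "404":
            entry["found"] = True
    return dict(probes)


def exposed_plugins(probes, active_slugs):
    """Probed plugins confirmed present but not active: a deactivated
    plugin's files are still served, so these are the ones to delete."""
    return sorted(s for s, e in probes.items()
                  if e["found"] and s not in active_slugs)
```

Feed it a real access log and the set of slugs your site actually has active; anything returned by exposed_plugins is installed, reachable, probed, and doing nothing for you.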
Also important is keeping your plugins up to date all the time, as you won’t always know if a plugin update includes a security fix; when we find these vulnerabilities we try to get them fixed before we disclose them, to limit the additional damage they can cause. You can use our Automatic Plugin Updates plugin to make sure your plugins stay up to date without requiring you to manually update them all the time.
Unfortunately not every plugin gets updated in a timely manner, or ever, so you can protect yourself further by signing up for our service and getting an email alert any time a known vulnerability is found in the currently installed version of a plugin on your website. In those cases where there isn’t an update available you can also then get in touch with us to discuss how to handle the situation. If you need to keep using the plugin, there is a good chance we can find a workaround so you can keep using the plugin and still be protected until a more complete fix is released.
For vulnerabilities in plugins that we are seeing hacking attempts against, we also include the vulnerability in our companion Plugin Vulnerabilities plugin’s free data set, so even if you have yet to sign up for our service you will still get warned.