Last week we wrote a couple of posts about Wordfence, the second of which was based on a claim we noticed while working on the first. That leads to this post, which is based on a claim we saw while working on the second post.
In a post about a vulnerability in a plugin from earlier this month (in which the discoverer of the vulnerability conspicuously wasn’t mentioned), Wordfence said people using their product were already protected against that vulnerability “because Wordfence has built in protection against stored XSS attacks”. That unqualified claim that their product can protect against such a broad type of vulnerability doesn’t sound like something you would hear from a responsible security company, and when it comes to this type of vulnerability, which we refer to as persistent cross-site scripting (XSS), it sounded unbelievable.
If Wordfence had said they could protect against that particular vulnerability, or against some vulnerabilities of this type, it would be a different story.
Since the vulnerability existed in the current version of the plugin and, as far as we are aware, we are the only ones who have noticed it so far, it seemed to be a good test of whether Wordfence provided some value, as people would otherwise be completely unprotected against it.
When we submitted the exploit we got a blank page back, which is what would occur if it was successful:
Then, looking at the homepage while not logged in, we found the persistent XSS exploit had been successful:
So Wordfence didn’t actually prevent a real world persistent XSS vulnerability from being exploited.
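The test above shows a request-filtering product failing to stop one real persistent XSS vulnerability, which is the expected outcome rather than a surprise: the flaw lives in how a plugin renders data it has already stored, and a filter in front of the site has no reliable way to know how that data will later be placed into a page. The PHP below is an added illustration (not code from Wordfence or from the plugin we tested) of the vulnerable pattern beside the fix that actually addresses this class of issue, escaping at output time. The `esc_html()` fallback, the widget markup and the stored sample value are all constructed for the example; inside WordPress, `esc_html()` is the core function of that name.

```php
<?php
// Added illustration, not code from Wordfence or from the plugin tested in
// the post. It shows why "built in protection against stored XSS" cannot be
// a blanket guarantee: the defect is in how stored data is rendered, and the
// fix is escaping at the point of output, not a request filter in front of
// the site.

// WordPress provides esc_html(). This fallback (an assumption for running the
// script outside WordPress) has the same effect: it turns markup characters
// into entities so the browser treats the value as text.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample: a value a settings form might have saved earlier.
// A persistent (stored) XSS payload is written once and then served to every
// visitor who loads the page, whether or not a firewall saw the original
// request that stored it.
$stored_title = 'Site News <script>alert(1)</script>';

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so any markup it contains becomes part of the page.
function render_vulnerable($title) {
    return '<h2 class="widget-title">' . $title . '</h2>';
}

// Hardened pattern: escape at output. Whatever was stored, and however it got
// there, the browser receives text rather than executable markup.
function render_safe($title) {
    return '<h2 class="widget-title">' . esc_html($title) . '</h2>';
}

// Context matters: an attribute value needs escaping too, and esc_html()
// (ENT_QUOTES) also encodes the quote characters that would end the attribute.
function render_safe_attribute($title) {
    return '<a href="/news" title="' . esc_html($title) . '">News</a>';
}

echo "Vulnerable output:\n", render_vulnerable($stored_title), "\n\n";
echo "Escaped output:\n", render_safe($stored_title), "\n\n";
echo "Escaped attribute:\n", render_safe_attribute($stored_title), "\n";
```

Running the script prints the same stored string twice: once as live markup, once neutralised into entities. The practical check this suggests for a site owner is not whether a firewall claims to cover "stored XSS", but whether the plugin escapes each stored value where it is echoed (with `esc_html()`, `esc_attr()` or, where limited HTML is intended, `wp_kses_post()`), since that is the only layer that sees the value in the context where it would execute.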
The question we are left with is whether Wordfence doesn’t understand security well enough to know the limitations of their product, whether they feel that they don’t need to be responsible when making bold security claims (which is all too common among security companies these days), or whether they just feel it is appropriate to outright lie to the public. In any case it is yet another reminder of the really poor state of WordPress security companies these days.