When it comes to improving WordPress security one of the things that we think is needed is better information, unfortunately we often see security companies being the ones pushing false information out there. We just ran across yet another example of this coming from the folks at Wordfence, which we though is important to point out, since they are trying to get people to share their “post with the larger WordPress community to create awareness of this security issue”, which we hope people don’t do since they are pushing out false information.
On Sunday a persistent cross-site scripting (XSS) vulnerability that existed in some versions of the All in One SEO Pack plugin was disclosed. The vulnerability was fixed in version 2.3.7, which was released on Friday. The same day we added it to our data set, so if you use our service and hadn’t already updated the plugin (you can use our Automatic Plugin Updates plugin to have plugin updates applied automatically), you would have been notified then.
When Wordfence took notice of it today they felt the need to post something, despite either not having much clue what they are talking about or intentionally lying to people. The really bad piece of information they included in this post is the following:
A proof of concept has been published on exploit-db, which means this attack is already in the wild.
What they linked to is simply a copy of the advisory that was released back on Sunday, on a website that contains a database of vulnerability reports. That doesn’t indicate in anyway that an attack is in the wild. In the past we didn’t follow Wordfene closely, but from a previous instance where we ran across one of their posts last year, they have falsely claimed that exploits are in the wild based on advisory for a vulnerability also being placed on vulnerability reporting website at least once before.
While it would be possible to exploit this type of vulnerability, it is not the type we often seeing people trying to exploit and so far we haven’t seen evidence of anyone probing our websites for usage of the plugin (which is sometimes a precursor to exploiting the plugin). The amount of press coverage the vulnerability has now received probably increases the chance of exploit attempts, based on what we saw with a more serious vulnerability recently.
It is worth noting that Wordfence only claims to have added protection against this vulnerability to their paid service today, so simply keeping your plugins updated would provide you better protection against this that there service (which we recently also found failed to protect against a real world persistent cross-site scripting (XSS) vulnerability).