We think it would be fair to say the state of WordPress plugin security isn’t good these days. As an example, we could point to how often we have been finding vulnerabilities in the current versions of plugins based on what looks to be hackers already having discovered that vulnerability, or some other security vulnerability in the plugin, and then probing for usage of the plugin so that they can start exploiting it. Good journalism that sheds light on the very real security problems might go a long way toward improvement. Unfortunately, so much security journalism, whether WordPress related or otherwise, is quite bad. Because we monitor news coverage of security issues in WordPress plugins, to make sure we are providing our customers the best data on plugin vulnerabilities possible, we run across a lot of the bad coverage.
One example we thought was worth highlighting, since we can use it to provide some useful information, is an article put out today on The Register, “WordPress admin? Thinking of spending time with the family? Think again.”
At the top of the article is a graphic with a screenshot of the homepage of the WordPress website covered in blood or red paint.
The article then goes on to describe vulnerabilities that were discovered in three WordPress plugins recently. All of them have been fixed in new versions of the plugins, so as long as you are keeping your plugins up to date you don’t have anything to worry about. Not mentioned in the article is the fact that keeping your plugins up to date doesn’t require giving up time with your family. Updating plugins is usually a quick process, and those who are not constantly monitoring their website can set plugins to be updated automatically. We have created a plugin that does that by turning on WordPress’s own capability to automatically update plugins, which has existed in WordPress since version 3.7. You do run the small risk that a plugin update could break the website without you noticing it, but leaving plugins outdated probably carries more risk of a problem than that. With our plugin you can have an email sent when an update is applied, so you can check the website after the upgrade.
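As an added example (not the plugin described in this post), the following must-use plugin turns on WordPress’s built-in plugin auto-updates through the core `auto_update_plugin` filter and emails the site’s admin address when a background update run completes via the `automatic_updates_complete` action; the exclusion list and the function names are assumptions for illustration.

```php
<?php
/*
Plugin Name: Example Plugin Auto-Updates With Email Notice
Description: Added example, not the service's own plugin. Drop into wp-content/mu-plugins/.
*/

// Plugins listed here (by plugin file path, e.g. 'akismet/akismet.php') are left out of
// automatic updates. The list is an assumption for illustration; empty means update everything.
function example_auto_update_excluded_plugins() {
    return array();
}

// 'auto_update_plugin' (WordPress 3.7+) decides per plugin whether the background updater
// may apply an available update. $item->plugin is the plugin's file path.
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, example_auto_update_excluded_plugins(), true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// 'automatic_updates_complete' (WordPress 3.8+) receives the results of each attempted update,
// grouped by type, so the owner can be told to check the site afterwards.
function example_notify_on_auto_update( $update_results ) {
    if ( empty( $update_results['plugin'] ) ) {
        return;
    }
    $lines = array();
    foreach ( $update_results['plugin'] as $result ) {
        // $result->result is true on success, otherwise false/null or a WP_Error.
        $status = ( true === $result->result ) ? 'updated' : 'FAILED';
        if ( is_wp_error( $result->result ) ) {
            $status .= ' (' . $result->result->get_error_message() . ')';
        }
        $lines[] = sprintf( '%s: %s', $result->name, $status );
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] Plugin auto-updates applied', get_bloginfo( 'name' ) ),
        "The following plugin updates were attempted:\n\n" . implode( "\n", $lines )
            . "\n\nPlease check that the site still works as expected."
    );
}
add_action( 'automatic_updates_complete', 'example_notify_on_auto_update' );
```

Because it lives in mu-plugins it cannot be deactivated from the admin area, so removing the file is how you switch it off again.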
What also isn’t mentioned in the article is that the vulnerabilities are all of the kind that are unlikely to be exploited, based on what we see when dealing with hacked websites. Exploiting two of the plugins involves causing someone else to take actions they did not intend to take, and one of those involves reflected cross-site scripting (XSS), which all of the major web browsers other than Firefox have filtering for, so that filtering would need to be bypassed to make the vulnerability exploitable. The third requires the attacker to have at least a contributor account, which is something they would not normally have access to, so when the article says they “only need “logged in contributor” status to exploit” it doesn’t speak to an informed author. For that plugin, the article states “These are serious because SoP says they would let an attacker get an admin password.”, whereas what the discoverer of the vulnerability actually said was that it allows getting the “Administrator’s password hash”, which is a very different thing.
While vulnerabilities in three plugins that have been fixed and do not appear to be a major threat receive press coverage, we have yet to see any articles about the vulnerability in Form Lightbox, which appears to already be exploited and for which there is no fix available. That seems to be something that would be worthy of coverage, but it would seem to require journalists to have a much better understanding of the topic than they have shown interest in having.
All of the vulnerabilities mentioned in that article were already in our dataset when the article was posted, so if you were using our service and hadn’t updated your plugins already, you would already have been notified of the vulnerabilities.