One of the things we do to provide our customers with the best data possible on vulnerabilities that impact the WordPress plugins they use, is monitoring our websites for hacking attempts. For the first few months of the service we were seeing attempts to hack vulnerabilities already included in our data and very old vulnerabilities that we didn’t yet have in our data. Starting at the beginning of May we started seeing what looks to be requests from hackers probing for usage of plugins that we could not find any public disclosure of a vulnerability or any indication in the changelog that a vulnerability that hackers might be interested had existed and the been fixed in the plugin. When that occurs we quickly try to find if there is vulnerability that exists in the current version of the plugin that hackers would be interested in. In most cases we are able to find something that if hackers are not already exploiting, then they would exploit if they were to become aware of it (by comparison many vulnerabilities discovered in plugins are ones that are very unlikely to be exploited on the average website).
Seeing as we often find those vulnerabilities in a matter of minutes, those vulnerabilities are a good reminder that the security of WordPress plugins is not in great shape at this point. While some developers are quick to respond with a new version of the plugin that fixes the vulnerability, all to often fixes take weeks and in many cases the plugins have yet to be fixed. All of that is contrary what you might hear from people closely connected to WordPress.
The other thing that we have found troubling about this is that in most case we appear to be the only ones spotting the interest of hackers in these plugins and the vulnerabilities they contain. When this started happening in May, we expected the opposite, that we would be only one of many spotting these and we were interested in seeing how our response time would compare. You would certainly expect that to be the case based on how certain companies promote their services, Wordfence being one example we discussed previously.
By the middle of June as we kept spotting more vulnerabilities this way we got interested in seeing if we could gather more data than we could from just get from our websites, to see if we could catch more of these vulnerabilities and improve the speed at which we catch them. We found several websites with just such data and we quickly found more vulnerabilities. It also lead us to be more concerned about the state of WordPress plugin security, seeing as unlike the previous vulnerabilities where the explanation of why we were spotting these vulnerabilities and others were not, could have just been of our quick response to them. With many of the vulnerabilities we have found through this third-party data, that couldn’t be the explanation, since hackers seem to have starting to exploit them long ago. The first vulnerability we discovered this way involved a request from more than a year before.
As we continue to review more of that data we continue to find more such cases, last week that lead us to finding arbitrary file upload vulnerabilities (the most likely to be exploited common type of vulnerability) in three plugins, where hackers made request for the plugins in June of last year, July of last year, and February respectively. While we hope that we have made big dent in finding such vulnerabilities, we really have no way of knowing how many more may be out there.