12 Aug

You Are Not Always Going to Get The Best Information on WordPress Plugin Vulnerabilities From Twitter

We are always looking for ways to improve the vulnerability data on WordPress plugins we provide to our customers. One of the things we have been doing recently is reviewing some old third-party data on hacking attempts to help identify vulnerabilities that probably have been known and exploited by hackers for some time, but have continued to exists in the plugins because nobody on the good sign of things was looking for them (which is contrary to the marketing claims you might hear from a certain WordPress security company).

Through that we found an arbitrary file upload vulnerability in the Estatik plugin. Among common types of vulnerabilities, arbitrary file upload vulnerabilities are probably the most likely to be exploited, so having one exist in a plugin for more than a year after it looks like hacker had been targeting it, doesn’t point to the security of WordPress plugins being great at this time.

After finding the vulnerability we notified the developer of the plugin on July 25. After a week went by without a response from them, we publicly disclosed the vulnerability. Alongside of that we added it to our data set for this service and added it to the free data that comes with the companion plugin for the service, so that even those that are not using the service would get notified of the issue if they were using the vulnerable plugin. We also notified the Plugin Directory of the issue and the plugin was removed from it pending the vulnerability being fixed (well hopefully being fixed, considering the issue of the Plugin Directory restoring plugins without vulnerabilities actually being fixed).

Earlier today another data source for WordPress plugin vulnerabilities, the WPScan Vulnerability Database, finally got around to including the vulnerability (yet another reminder of the limitations of that as a data source). That lead to a number of Twitter accounts mentioning the vulnerability, relying on any of those accounts would have left you finding out out more than week after everyone that was using our plugin, our service, or following us. But some tweets had the further issue of recommending doing something that you can’t do at the moment, upgrading from the vulnerable version of the plugin.

The plugin is still currently removed from the directory, if you visit its page right now you get this:


So there isn’t an upgrade available for the plugin in WordPress at this time (there is a new version currently in the works though).

Despite that one of the tweets told people to “Upgrade now”:

Another one lists the information as an “Update tip”: