21 Nov

CWIS Antivirus Scanner Plugin Spreading False Reports of Vulnerabilities In WordPress Plugins

One of the things we state about our service is that we provide our customers with the best data on vulnerabilities in WordPress plugins. To show an example what difference that makes let look at a recently created plugin that also provides data on plugin vulnerabilities.

The plugin is named CWIS Antivirus Scanner, which we became aware of it severals day ago due to our monitoring of updates made to plugins that might be related to a security fix (so that we can include more vulnerabilities that are not otherwise disclosed in our data). An update to that plugin showed up in that. Just by looking over the vulnerabilities added in that update we could already see the data provided was of poor quality. One of the vulnerabilities listed was a claimed cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability in the plugin Newsletter, which, according to wordpress.org, has 200,000+ active installs.

As we discussed over a month ago when the report of this claimed vulnerability was released the supposed cross-site request forgery issue that would have lead to this vulnerability didn’t actually exist. It looks as though the discoverer had not understood what was going on, as there proof of concept to exploit this actually included the protection against that type of vulnerability.

Looking through the other claimed vulnerabilities we had put out posts that detailed how they were false we found that the plugin also includes false vulnerabilities for WP Job Manager (80,000+ active installs) and Robo Gallery (20,000+ active installs). Including false vulnerabilities is on its own problematic, since we have seen people become convinced that their websites was were hacked through vulnerabilities that didn’t exist (leaving the actual vulnerability unaddressed and leading to in some instances, the website being hacked again) and because developers of plugins have their time wasted having to explain multiple times that the plugin did not have the vulnerability.

The larger issue though is that including these false reports indicates that the developers of this plugin are not thoroughly reviewing vulnerability reports before adding them. Beyond the issue of false reports, that is a problem because we frequently find that vulnerabilities have not been fixed despite the report stating they have been. Since hackers usually would not check if you are using a certain version of a plugin before trying to exploit, so if the unfixed vulnerability is something hackers would target then being told that it has been fixed isn’t going to protect you. So to fully protect yourself you would need to review vulnerabilities in the plugins you use when using a data source that doesn’t do that. The other option is to use our data, because as far as we are aware we are the only ones that actually review each vulnerability before adding it to our data set (we are usually are eventually successful in getting those unfixed vulnerabilities fixed, so even if you don’t use the service you are not left vulnerable forever in those instances).

We did one other quick of their vulnerability data, which showed a bigger issue with their data. While we provide our full data set to paying customers, we are not leaving the wider community out in the cold. In the companion plugin for the service we provide data for vulnerabilities in plugins we see hacker trying to exploit, so even if you are not using the service yet you will get warned if you are using vulnerable version of those. Of the 18 vulnerabilities we added in the last month, the CWIS Antivirus Scanner included none of them. Making this more problematic is 16 of those vulnerabilities exist in the most recently available version of the plugin, so even if you keep your plugins up to date you would be vulnerable.

One more thing we thought worth noting, since we always find it to be red flag as to trustworthiness of a plugin’s developer, is if they review their own plugin. That is the case with this plugin, were the developer titled their review “Excellent!” and the body of the review is “Just installed and scanned my website’s database and files, and it works!”. Also, why is the Plugin Directory even allowing people to review their own plugins, as it obviously isn’t going to provide an accurate assessment of the plugin?

Leave a Reply

Your email address will not be published. Required fields are marked *