20 Dec

You Are Not Going To get The Best Information on WordPress Plugin Vulnerabilities From Twitter

Last week we looked at an example of one of the problems with WordPress’ handling of security, that being websites using plugins that contain vulnerabilities in the latest version are left in the dark about the issue, even in the case of the vulnerability already being exploited, as was the case with this vulnerability in the plugin Delete All Comments (we also found that security plugins didn’t prevent it from being exploited). We were curious to see what others were saying about the issue, so we took a look on Twitter and results were a reminder that you are not going to get the best information there.

We found that a web host was telling people to update the plugin:

There are several problems with that. The first one being that you can’t update it now since the plugin is and had been removed the Plugin Directory for at least several days before that tweet went out. The vulnerability is in the most recent version of the plugin, so updating it wouldn’t provide you with a fixed version. Finally, the vulnerability only exists in the most recent version, 2.0, so if you were able to update it at this point it (say if it hadn’t been removed from the Plugin Directory and you were still using an older version) it would have actual caused your website to become vulnerable (our data on vulnerabilities includes a listing of what versions are vulnerable, so you can also know that sort of thing).

We also found that a security company AntiHackers.co.uk was telling people to disable the plugin:

We would take that as them meaning you should deactivate the plugin, the problem with that is the vulnerability is exploitable when the plugin is deactivated if you send a request directly to the plugin’s main file (when activated you can also exploit it by sending a request to any WordPress page, which can make it easy to avoid security products or services trying to stop it from being exploited).

While looking at the other tweets from that company we noticed something else, a lot of there tweets just involved them repeating information from the WPScan Vulnerability Database, without disclosing that. The problem with that is that  WPScan Vulnerability Database’s data has some serious quality issues, so if you are relying on their data it should be disclosed and notice provided as to the issues. The issues include among other things, odd cases of  not including vulnerabilities and inaccurate reporting that vulnerabilities have been fixed. An example of that latter issue we discussed recently involved a report of a vulnerability in the plugin NextGen Gallery, where we found that while the vulnerability had been reported by the discloser as being fixed in version 2.1.57, it still existed. After we got in touch with the developer and helped them to get it fixed, a full fix was included in version 2.1.60. Since AntiHackers.co.uk just repeats claims from WPScan data they claimed it was fixed in 2.1.57:

It also worth noting that while their tweets they repeatedly state that you need to upgrade “before you get #hacked“, many of the vulnerabilities mentioned are highly unlikely to have exploit attempts against them, so the chances of being hacked due to them is negligible. Unfortunately far to much of the security industry isn’t interested in providing accurate assessments of threat level of different issues (or they don’t actually have the knowledge needed to do that), leading to a situation where often what focused on is not what should be of most concern.