Security isn’t in great shape these days, and that certainly applies to WordPress plugins, as some recent issues we have run across have reminded us. As we see it, one of the causes is that real security problems rarely get discussed. There are probably many factors at play, but one we see is that people will criticize you if you say anything they interpret as negative about security (the irony of that seems lost on them). That leads to a lack of honesty about what is going on and instead a focus on happy talk that doesn’t resolve the problems, even though many of them could be fixed without much effort if there were an interest in doing so.
An example of not discussing the real problems comes up in a post we ran across on the blog of the WordPress web hosting company Pagely. The post discusses the growing issue of PHP object injection vulnerabilities in plugins, but hidden below the surface of the post are a couple of problems that the writer is clearly aware of but doesn’t disclose. The relevant section of the post is the following:
Full disclosure: I am the reporting party for some of the above vulnerabilities. One in 2016, and so far in 2017, seven. I took a weekend to see how many insecure usages of unserialize() I could find in the plugin code base and within hours had handfuls of working vulnerabilities; I stopped only so I could start triaging and notifying plugin authors regarding how to enact fixes. Many of which were appreciative for the help.
That all sounds nice, but it isn’t true in one important way, and that gets to a couple of major problems with the security of WordPress plugins that people on the WordPress side of things don’t seem to be interested in dealing with.
If you look up the vulnerabilities the author is referring to, you will find that only 2 of the 8 have been fixed. For the unfixed plugins it seems unlikely they will ever be fixed, considering how long ago each plugin was last updated:
- 2 years: Gravitate QA Tracker
- 3 years: My Geo Posts Free
- 4 years: AJAX Random Posts, SiteBuilder Dynamic Components
- 5 years: NextGEN Gallery geo
- 6 years: Referrer Detector
The position of the people running the Plugin Directory is that people shouldn’t be warned about unfixed vulnerabilities, but as these plugins show, many vulnerabilities have little chance of ever being fixed. Their continued refusal to warn people about them, or to update the plugins themselves (which they have the ability to do, and which we would be happy to help them with), means that websites are being hacked when the hack could have been prevented.
It is unclear why Pagely’s post doesn’t mention any of this, saying of their interaction with the developers of the plugins only that “Many of which were appreciative for the help”.
The other piece of this that isn’t mentioned is that all of those unfixed plugins still remain in the Plugin Directory. According to the listings for those vulnerabilities, that isn’t due to the Plugin Directory not knowing about them: “The original researcher notified WordPress Plugins team.” There are numerous problems with how the team behind the Plugin Directory handles security issues, but we haven’t seen any interest from them in improving what they are doing. Again, that is something we would be happy to help them with.
It would be great if, going forward, Pagely would be willing to be honest about what is going on and maybe help push WordPress to finally start warning about plugins with known vulnerabilities (something we have been trying to get them to do for over five years).
Vulnerabilities Left Undiscovered
Something else worth highlighting from that post is this:
There are a lot of plugins out there, and a lot of vulnerabilities – I had to cut my research short just due to time constraints. If you’re a researcher interested in picking up or helping out with this issue (hunting vulns, writing PoCs and recommending patches), get in touch.
Doing that type of work takes a lot of time, and unfortunately it is something most WordPress-focused security companies do little, if any, of. Instead, far too often they seem to be focused on making up threats and then claiming they will protect against them, rather than doing anything to deal with real threats. We do a lot to find and fix vulnerabilities in plugins: we have disclosed 18 vulnerabilities this month, and we have recently started trying to be more proactive in catching vulnerabilities as they are being introduced into plugins. If we had more customers we could do more, whereas those other companies would probably spend the additional money on things that are not all that helpful to improving the security surrounding WordPress.