29 Apr

Sucuri Doesn’t Care That WordPress Plugin with Unfixed Vulnerability They Believe Is Being Exploited Is Still in the Plugin Directory

When it comes to our full disclosures of vulnerabilities as a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above criticism, but it is incredible to us that other security companies escape any criticism despite repeatedly doing things that seem out of line with them actually caring about keeping websites secure. In a post earlier today we noted how a security journalist didn’t link to our post about a vulnerability we fully disclosed, apparently due to its including a proof of concept for confirming that the vulnerability exists, while linking to a post from the web security company Sucuri providing payloads showing how hackers were trying to exploit vulnerabilities. That seems hypocritical, but looking at Sucuri’s post we noticed something else: they seemed to be unconcerned that a plugin with an unfixed vulnerability that they believed was being exploited was still in the Plugin Directory.

In their post they provide this information:

Woocommerce User Email Verification. (version <= 3.3.0 **Still Not Fixed**)

Confusingly, right after that they wrote this:

Attackers are trying to exploit vulnerable versions of these plugins. Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.

Clearly, if the vulnerability has not been fixed, you can’t update the plugin to a fixed version.

What receives no mention in their post is that the plugin is still open on the Plugin Directory and available for install:

That seems like something a security company concerned about security would have at least noted.

It remains open despite our having publicly disclosed that vulnerability back on March 11 and the WordPress team having been aware of it the same day. The person who runs the moderation of the Support Forum, and is one of six members of the team running the Plugin Directory, believes that leaving vulnerable plugins in the Plugin Directory when they know the plugins are publicly disclosed to be vulnerable is them taking “appropriate action”.

While Sucuri didn’t note that situation, they did get in a plug for their service:

As always, we recommend adding a WAF as a second layer of protection.

They provide no evidence that their WAF has provided effective protection against this vulnerability (or any other), and their post provides some indication that they might not be doing a good job.

They are well behind in warning about the vulnerability in the plugin, seeing as their post came over a month and a half after our warning about it and over a month after we had noticed hackers probing for usage of the plugin.

Also, as far as we can tell, for both this vulnerability and the other one their post mentioned as being exploited, hackers were trying to exploit the vulnerabilities as if they were something different than they really are, and it looks like the exploitation wouldn’t work. That stood out to us, and it seems that if you are a service that is supposed to be stopping attacks, rather than one like ours that focuses on trying to warn about vulnerabilities before they are being exploited, you should be even more focused on that sort of thing.