30 Apr

Sucuri Seems To Be Falsely Trashing the Developer of a WordPress Plugin

A week ago we disclosed an arbitrary file upload vulnerability in the plugin WooCommerce Checkout Manager. On Friday the plugin was closed on the Plugin Directory. Early on Saturday the developer submitted a fixed version of the plugin to the Subversion repository that underlies the WordPress Plugin Directory. On Sunday the plugin was reopened on the Plugin Directory.

If you believe a post put out by Sucuri yesterday, you would believe something very different. In part they write:

This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. It can be exploited by unauthenticated remote attackers if users have the Categorize Uploaded Files option enabled in the plugin settings.

We can’t find any previous disclosure of this and Sucuri doesn’t state who discovered it, so it seems like they would be referring to our disclosure, but that didn’t happen “a few weeks ago”. If we are the discoverer they are referring to, then linking to what we wrote would have allowed readers to see the mistake, but they didn’t do that. Unless somebody else discovered this first, things get worse from there:

Users with vulnerable versions of this plugin should update to version 4.3 as soon as possible, however, it’s worth noting that this vulnerability was left unpatched for weeks. Due to the unresponsive nature of the development team, we’d encourage you to pursue other plugin options that have more active development teams and demonstrate a concern for security.

Again, unless somebody else discovered that vulnerability before us, that is untrue, and it is really awful to be falsely trashing the developer.

Right after that is an ad for Sucuri services:

If you’re seeing symptoms of a hack and need a hand cleaning it up, contact us—we’d be happy to help clean up your site.

Note: Users of our Web Application Firewall (WAF) product are already protected against this threat via our virtual patching feature.

So they appear to be trashing the developer of a plugin and not crediting the discoverer of the vulnerability, while managing to advertise their own services.

It’s worth noting that another part of their post once again points to Sucuri being behind, as they write this:

As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.

We had seen probing from hackers by Wednesday, so it would have been a good time to do that last week.