30 May

Did Wordfence Know They Were Keeping The Public in the Dark About Unfixed Vulnerability in WordPress Plugin Already Being Exploited?

We often find that the information provided about vulnerabilities in WordPress plugins presented by security companies and developers of the plugins is not telling the full story. Take a vulnerability that Wordfence disclosed yesterday. They don’t provide any explanation of how they came across it:

On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs.

(No explanation is given for how they came across that estimate of installs either.)

They had to come across it somehow and how they did seems important here, based on what else occurred here.

One possible explanation is they came across it in dealing with a website being hacked due to it, but in the developer’s post they state:

There is nothing to panic as we’ve not come across any known breakthroughs caused due to this vulnerability.

One of the comments on Wordfence’s post indicates a different story:

One of my clients learnt an important lesson last week after succumbing to this. This vulnerability was used to install malware that searched for all WP instances on their server (4 in total, 2 of which were Woocommerce). It then injected redirection code into all themes (functions.php) on all instances. End result was an expensive clean-up bill, 2 days of lost sales & reputation.

Wordfence’s own timeline is worth noting here:

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

The 24th was Friday and the 28th was Tuesday, so it would appear this was being exploited before an update was available and before Wordfence added protection against it. If Wordfence had more promptly warned people about the vulnerability perhaps that website or others could have taken action before they were exploited (by comparison we promptly warn our customers and everyone else when there is a vulnerability that is likely being expoited).

It also seems worth a mention that leaving people relying on their free plugin out to dry by leaving them vulnerable for a month is out of line with how Wordfence promotes the plugin, as they make this claim on the plugin’s page on WordPress Plugin Directory:

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

They clearly know that isn’t true.

Words Not Matching Results

In the developer’s post they made multiple claims about security that sound good, but considering they were fixing a serious vulnerability due to a fairly basic security failure after it has been discovered by outside party and possibly is being exploited, it seems like those words don’t their actions up to this point (which doesn’t seem unique to this developer).

Among the claims they made were:

Having said this, we assure continuous assistance and commitment to providing quality and security even stronger. We are constantly working to make sure our products are secure and reliable.


Fighting Security Vulnerabilities Together!

We strongly believe that security is not an absolute and a one time fix that will work. It is a continuous process and should be managed regularly with regular checks and updates.

While we make sure to sweep off security issues, we do not assume that they will never come. Our job is to identify them, debug the cause and release an update as soon as possible – so that it does not affect any of our users. We are the right one to it!

Security issues can be prevented from coming up and needing an update by making sure the code is secure in the first place.