12 Aug

Exploitation of Simple 301 Redirects Connected Plugin is Another Reminder of How Our Service Keeps You Ahead of WordPress Plugin Vulnerabilities

When we say that our service provides the best data on vulnerabilities in WordPress plugins you are using, that isn’t just a marketing slogan. It is based on our continually comparing what we are doing to others and continually looking at how we can improve. An improvement that is just over a week old has already paid off in terms of our customers being warned well ahead of others about a vulnerability now being exploited in the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader.

Yesterday we had a lot of traffic coming to our website for content we have on a related plugin, Simple 301 Redirects, which usually indicates that something security related is occurring with it. Yet early last year we did a security review of that plugin and only found one minor issue among the things we checked for, so at least at that time it was rather secure. Monitoring we do and other information pointed to what was going on, as we had what looked to be a hacker probing for usage of the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader on our website by requesting this file:

/wp-content/plugins/simple-301-redirects-addon-bulk-uploader/assets/css/notices.css
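A request like that is a plugin-enumeration probe: the file is a static asset shipped with the plugin, so the server answers 200 if the plugin is installed and 404 if it isn’t, and the request usually arrives with no Referer because nothing on the site linked to it. The following is an added example (not code from the original post or from the plugin), showing how to pick such probes out of web server access logs. The log lines are constructed for the example, and the regexes and function names are assumptions for illustration, not any tool's real API:

```python
"""Spot WordPress plugin-enumeration probes in combined-format access logs.

Added example, not from the original post. A scanner checking whether a
plugin is installed fetches a static file the plugin ships, such as
/wp-content/plugins/<slug>/assets/css/notices.css, and reads the status
code: 200 means installed, 404 means absent. Such requests normally carry
no Referer and often hit several plugin slugs from one client IP.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Static assets under a plugin directory: the typical fingerprinting target.
PLUGIN_ASSET_RE = re.compile(
    r'^/wp-content/plugins/(?P<slug>[a-z0-9_-]+)/.+\.(?:css|js|txt|png|gif|jpg|svg)$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_probe(entry):
    """Return the probed plugin slug if the request looks like a direct
    enumeration probe (plugin asset fetched with no Referer), else None."""
    path = urlsplit(entry["path"]).path
    m = PLUGIN_ASSET_RE.match(path)
    if not m:
        return None
    # A browser rendering a page sends that page as Referer; a scanner
    # fetching the asset directly almost always sends none ("-").
    if entry["referer"] not in ("-", ""):
        return None
    return m.group("slug")


def find_enumerators(lines, min_plugins=1):
    """Map client IP -> {plugin slug: HTTP status} for clients that probed
    at least `min_plugins` distinct plugin directories directly."""
    probes = defaultdict(dict)
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        slug = classify_probe(entry)
        if slug:
            probes[entry["ip"]][slug] = int(entry["status"])
    return {ip: hits for ip, hits in probes.items() if len(hits) >= min_plugins}


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2020:09:14:02 +0000] "GET /wp-content/plugins/simple-301-redirects-addon-bulk-uploader/assets/css/notices.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Aug/2020:09:14:03 +0000] "GET /wp-content/plugins/some-other-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    # Same asset, but loaded by a logged-in browser from the admin area: not a probe.
    '198.51.100.7 - - [11/Aug/2020:09:15:10 +0000] "GET /wp-content/plugins/simple-301-redirects-addon-bulk-uploader/assets/css/notices.css HTTP/1.1" 200 512 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Aug/2020:09:15:11 +0000] "GET /about/ HTTP/1.1" 200 4096 "https://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in find_enumerators(SAMPLE_LOG).items():
        for slug, status in hits.items():
            verdict = "installed" if status == 200 else "absent"
            print(f"{ip} probed {slug}: HTTP {status} ({verdict})")
```

The useful signal is the pair of status code and missing Referer: a 200 on a probe tells the attacker the plugin is present and, if the plugin has an unfixed vulnerability, that the site is worth a follow-up request. Raising `min_plugins` makes the check stricter, since broad scanners tend to walk a list of many slugs from one address.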

That plugin being targeted isn’t surprising, since we started warning our customers last Monday about a then-unfixed vulnerability in the plugin that we rated as having a high likelihood of exploitation. We knew about that vulnerability because it had been obliquely disclosed by the makers of the NinjaFirewall plugin.

The vulnerability was fixed on Thursday, though with no changelog entry for the new version.

It was only on Saturday that the discoverer of the vulnerability disclosed it, though they either chose to only disclose a more limited variation of how it could be exploited or didn’t realize the totality of the threat.

Their post makes this claim at the end:

Update as soon as possible if you have version 1.2.4 or below installed.
If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) and NinjaFirewall WP+ Edition (premium), you are protected against this type of vulnerability.

That isn’t really the case, as they should know. Overstating the protection their plugin can provide seems to be a common issue for them.

If you were relying on the main competing data source for WordPress plugin vulnerabilities, the WPScan Vulnerability Database, you also were only alerted close to the time wide exploitation started (and well after us).

Since this is a recent improvement, in the future we should be able to warn even further out. Currently we are warning our customers about unfixed vulnerabilities in a couple of other plugins that the same company has obliquely disclosed.