10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, running contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence:

I’m just curious, because I’ve been a customer of theirs for years and they are normally very conscientious and generally on top of shit. It would be very unlike them to just flake on something as important as this.

We can understand from the customer’s view of things how it would seem like what we found wasn’t in character from Wordfence, but coming from the security industry side of things, it is in line with what we have seen for years. This situation also wasn’t a fluke.

In our previous post, we looked at exploitation of a privilege escalation vulnerability in a WordPress plugin that was disclosed through exploit code released on October 5. Three days after that, exploit code for another privilege escalation vulnerability in another WordPress plugin was released. The situation with that vulnerability is very different, both because the vulnerability was already fixed and because, unlike the previous vulnerability, it wouldn’t be easy, if possible at all, to provide general protection for this type of exploitation.

The vulnerability would allow an attacker to log into an existing WordPress administrator account on a website.

Going back to our previous post, Wordfence markets their plugin with the claim that their plugin stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

As noted before, providing general protection wouldn’t easily be possible, if at all, for this particular vulnerability. So you wouldn’t expect their plugin to provide protection when the exploit code was originally released. Instead, they would need to write a rule for the specific vulnerability. As they only provide new rules to Wordfence Premium customers for the first 30 days, we wouldn’t expect that the plugin would provide protection at the time the exploit was released. Testing confirmed that it didn’t.

It has now been 33 days since the exploit was released, so you can now see whether Wordfence promptly added a rule to protect against this or not, by looking at the changes being made to their free data.

No new rules have been added to the free data in the past few days and, in line with that, retesting this now, we found that their plugin still doesn’t provide protection.

Late last month, the developer of the NinjaFirewall plugin mentioned they had seen hackers probing for usage of the plugin in order to exploit this.

Speaking of the NinjaFirewall plugin, it also provides rules for specific vulnerabilities. Unlike Wordfence, it did promptly add a rule for this and testing confirmed that their plugin blocks the exploit attempt. They don’t require a paid service to get their rules promptly.

Our Plugin Vulnerabilities Firewall plugin doesn’t include rules for specific vulnerabilities, as we don’t think that using a firewall to address known vulnerabilities is a good idea for several reasons. Our service warned customers if they were still using a vulnerable version of the plugin at the time the exploit was disclosed. The service also provides them the option of having plugins automatically updated if we have determined that a vulnerability exists and has been fixed. We also strongly and repeatedly recommend keeping plugins up to date at all times, instead of suggesting that you should update specific plugins, as Wordfence does.

