3 Jun 2022

WordPress Plugin Developer Security Advisory: Artbees

One of the little understood realities of security issues with WordPress plugins is that insecurity is not evenly spread across plugins. Many developers properly secure their plugins, and others get them properly secured once alerted that they haven't. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. Among the issues we have seen with that latter group are developers who introduced new serious vulnerabilities substantially similar to vulnerabilities they knew had already been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugins, we release advisories to warn customers of our service and the wider WordPress community of the risk of using those developers' plugins. In addition to the posts on our website, we provide access to the advisory information in several other forms: through the companion plugin for our service (even when not using the service), through a web browser extension, and through separate data accessible from our website.

The latest addition to our advisories involves a developer, Artbees, that is not only failing to properly secure one of their plugins, but left 90,000+ websites open to being hacked for two weeks by simply not providing an already existing update to those websites.

Wordfence Discloses Vulnerability Without Fix Available

Two weeks ago the WordPress security company Wordfence started off a blog post writing this:

On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.

The plugin developers quickly replied and we sent over the full disclosure on the same day. Fully patched versions of all vulnerable components were made available on May 10, 2022.

The reality of the situation turned out to differ greatly from that. While Wordfence referred to this as responsible disclosure and claimed the vulnerabilities had been patched at the time of disclosure, the plugin Jupiter X Core hadn't been updated on the WordPress Plugin Directory in 9 months, and the most serious vulnerability they disclosed existed in the version of the plugin available there. That meant that 90,000+ websites were open to being hacked. We saw what looked to be hackers probing for the plugin the same day, so there likely was immediate exploitation based on Wordfence's disclosure.

Wordfence's post oddly emphasizes that the developer quickly replied to them, but downplays that the developer then didn't fix the issues for over a month.

We had contacted the developer, Artbees, about the lack of an update the same day Wordfence disclosed the vulnerabilities, but never heard back from them. It was not until Wednesday, June 1, that the developer finally updated the plugin there.

Once the new version was released, we could check the current state of the plugin. What we found was that Wordfence hadn't warned people that the plugin still contains many vulnerabilities.

In a separate post, we detailed one example of the remaining vulnerabilities, which allows anyone logged in to WordPress to cause the website to be reverted to a previous database backup. That vulnerability involves the same file and the same access type as the most serious vulnerability Wordfence disclosed, making it hard to understand how both Wordfence and the developer missed it, but they did.

Another security vulnerability in the plugin involves functionality that the developer merged in from another of their plugins, which allows anyone logged in to WordPress to upload files. So multiple plugins from the developer look to be insecurely developed.
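Both of the remaining vulnerabilities described above (the database backup revert and the file upload) belong to the same class: an action reachable by any logged-in user because the only gate is the login itself, with no check of what that user is actually allowed to do. The following is an added example written for this advisory, not code from Jupiter X Core or any Artbees plugin; the hook names, option key, backup directory and function names are invented for illustration. It shows a hypothetical WordPress AJAX handler with that missing authorization check beside a hardened version that requires a capability, a nonce bound to the action, and an allowlisted backup file, and applies the same pattern to an upload endpoint.

```php
<?php
/**
 * Plugin Name: Authorization-check demo (added example, not Jupiter X Core code)
 *
 * Hypothetical handlers illustrating the vulnerability class described in the
 * advisory. WordPress fires wp_ajax_{action} for any authenticated user, down to
 * Subscriber level, so "logged in" is not the same as "authorized".
 */

// VULNERABLE PATTERN (hypothetical): the only gate is the wp_ajax_ hook itself.
// sanitize_file_name() blocks path traversal but does nothing about who is asking,
// so a Subscriber-level account can roll the whole site back to an old backup.
add_action( 'wp_ajax_demo_restore_backup', 'demo_restore_backup_unsafe' );
function demo_restore_backup_unsafe() {
    $backup = sanitize_file_name( wp_unslash( $_POST['backup'] ?? '' ) );
    demo_do_restore( $backup );
    wp_send_json_success();
}

// HARDENED PATTERN: capability check, nonce bound to this action, and the
// requested file must be one of the backups that actually exist.
add_action( 'wp_ajax_demo_restore_backup_safe', 'demo_restore_backup_safe' );
function demo_restore_backup_safe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'demo_restore_backup', 'nonce' ); // dies on failure

    $backup  = sanitize_file_name( wp_unslash( $_POST['backup'] ?? '' ) );
    $allowed = array_map( 'basename', glob( demo_backup_dir() . '/*.sql' ) ?: array() );
    if ( '' === $backup || ! in_array( $backup, $allowed, true ) ) {
        wp_send_json_error( 'unknown backup', 400 );
    }
    demo_do_restore( $backup );
    wp_send_json_success();
}

// Same rule for an upload endpoint: require the upload_files capability and a
// nonce, then let core's wp_handle_upload() enforce the allowed file types
// (upload_mimes), which refuses .php and similar executable extensions.
add_action( 'wp_ajax_demo_upload_safe', 'demo_upload_safe' );
function demo_upload_safe() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'demo_upload', 'nonce' );
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Hypothetical backup location under the uploads directory.
function demo_backup_dir() {
    $upload = wp_upload_dir();
    return $upload['basedir'] . '/demo-backups';
}

// Minimal restore: run each statement of a plain SQL dump. This is the
// destructive action both handlers guard (or fail to guard).
function demo_do_restore( $backup ) {
    global $wpdb;
    $sql = (string) file_get_contents( demo_backup_dir() . '/' . $backup );
    foreach ( array_filter( array_map( 'trim', explode( ";\n", $sql ) ) ) as $statement ) {
        $wpdb->query( $statement ); // phpcs:ignore WordPress.DB.PreparedSQL
    }
    update_option( 'demo_last_restore', $backup );
}
```

The admin page that triggers the safe handlers would pass a token from wp_create_nonce( 'demo_restore_backup' ) or wp_create_nonce( 'demo_upload' ) as the nonce field. The capability check is the part that matters for the vulnerability class above; the nonce on its own only stops cross-site request forgery and would not prevent a low-privileged user from calling the action directly.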

Instead of advising people to continue using a very insecure plugin after updating it to address some of the vulnerabilities, as Wordfence did here, we would recommend avoiding plugins from Artbees unless they can show that they have gotten a handle on properly securing their plugins.
