AI Can Help to Catch Vulnerabilities in WordPress Plugins, but It Doesn’t Change Developers’ Bad Handling of Them
A week ago, the developers of the Fluent Forms WordPress plugin, which has 200,000+ installs, tried to address a security issue in the plugin but failed, leaving a vulnerability in it. You wouldn’t know that from the various WordPress plugin vulnerability data providers that claim to have the most comprehensive data (Wordfence) or to be the first to warn about vulnerabilities (WPScan and Patchstack), since none of them have warned their customers about this yet. You wouldn’t know it from the changelog for the plugin either, since the developer didn’t disclose it. Even if they had actually fixed the issue, there would still be a problem: they didn’t bump the version number when they made the change, and WordPress only offers an update when the version in the plugin directory is higher than the installed one, so sites already running the latest version would never have been offered the fix.
As at least one of our customers is using the plugin, a machine learning (artificial intelligence (AI)) based system we created reviewed the relevant change and flagged it as possibly fixing a vulnerability. We manually reviewed the change and saw that the developer had applied the wrong security change (more on that in a separate, more technical post about the issue more generally). On Saturday, we confirmed that this was an exploitable vulnerability (and not just a security issue), notified the developer of the issue and offered to help them fix it, and warned our customers that the plugin is vulnerable.
The first response we got from the developer, on Monday, was rather unclear, but they seemed to be claiming that there wasn’t an issue because of sanitization, which doesn’t address the problem. Confusingly, they also referred to it as a vulnerability. We followed up, explaining that the sanitization didn’t address this and that there was in fact a vulnerability. They said it would be addressed in the next update, which still isn’t out.
Our customers using this plugin are relatively secure, since they were promptly given the information needed to assess the risk this vulnerability poses to them, and they can reach out to us if they need additional information or help protecting themselves. The same can’t be said for those relying on other providers, which is a good reason for anyone needing additional security from a service like those to make sure the provider is actually doing the work it claims to. As this situation shows, other providers are overstating what they really offer. It also shows the need for even more monitoring of plugin changes, as we currently only run that machine learning system against plugins used by our customers and plugins with a million or more installs. Other providers are not even checking that vulnerabilities that have been disclosed have actually been fixed, which recently led to many websites being hacked unnecessarily.