Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist
One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. Part of what that is showing is that hackers are trying to exploit falsely claimed vulnerabilities that are really old. One of those involved a plugin named YouSayToo auto-publishing plugin, which was closed on the WordPress Plugin Directory so long ago the date it was closed isn’t even listed. The plugin was last updated 12 years ago. Here was the exploit attempt sent to a customer’s website:
/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=</script><script>alert(document.domain)</script>
That involves an attempt to exploit a claimed vulnerability that was disclosed in June 2012.
Looking at the plugin’s code, there isn’t anything that matches with what that would be attempting to exploit, as that involves malicious user input from the GET input “submit”. The closest we could find is that the POST input “submit” is used, but not in a way that is relevant to the supposed vulnerability.
Just to be sure, we tried the exploit attempt, which matches the proof of concept from the vulnerability claim, and it didn’t work.
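The check described above, comparing the input a blocked request supplies with the inputs the plugin's code actually reads, can be scripted for triaging reported attempts. This is an added example, not code from the original post or from the plugin; SAMPLE_PHP is a constructed stand-in for a plugin file, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Superglobals that a value placed in the URL query string can actually reach.
QUERY_REACHABLE = {"_GET", "_REQUEST"}
READ_RE = re.compile(r"""\$(_GET|_POST|_REQUEST|_COOKIE)\s*\[\s*['"]([^'"]+)['"]\s*\]""")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")

# Blocked request as quoted on this page.
SAMPLE_REQUEST = ("/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php"
                  "?submit=</script><script>alert(document.domain)</script>")

# Constructed sample, NOT the plugin's real code: "submit" is read only from POST.
SAMPLE_PHP = """<?php
if (isset($_POST['submit'])) {
    update_option('example_setting', 'saved');
}
"""


def superglobal_reads(php_source):
    """Map each input name to the set of superglobals the PHP source reads it from."""
    reads = {}
    for source, name in READ_RE.findall(php_source):
        reads.setdefault(name, set()).add(source)
    return reads


def triage(request_uri, php_source):
    """Classify each query-string parameter of a blocked request against the code."""
    parts = urlsplit(request_uri)
    match = PLUGIN_RE.search(parts.path)
    slug = match.group(1) if match else None
    reads = superglobal_reads(php_source)
    findings = {}
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        sources = reads.get(name, set())
        if sources & QUERY_REACHABLE:
            findings[name] = "read from query string: review how it is output"
        elif sources:
            findings[name] = "only read from " + ", ".join(sorted("$" + s for s in sources))
        else:
            findings[name] = "never read by this file"
    return slug, findings


if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST, SAMPLE_PHP))
```

The pattern match only sees literal array reads, so a result of "only read from $_POST" or "never read" is a lead to confirm by testing, as was done here, rather than proof on its own.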
WPScan and Wordfence Spread False Claim
The hacker isn’t the only one getting things wrong here. One of our competitors, WPScan, is claiming the vulnerability existed:
So is another, Wordfence, despite claiming their data is “impeccable”:
Almost All Exploit Attempts Fail on Their Own
One important takeaway from this is to not focus on the number of exploit attempts against websites, which is something that security providers trying to scare you often do. Almost all exploit attempts fail on their own. So exploit attempts are largely noise and blocking a lot of attempts isn’t necessarily meaningful. It could be that a security solution stops a lot of things like this exploit attempt, but fails to stop vulnerabilities when it really matters. The results of testing we do of WordPress security plugins certainly show that many of those will fail to protect websites against real vulnerabilities.