Another Fake Vulnerability in Wordfence Security Is Still Being Targeted 4 Years On
Yesterday, we looked at a hacker’s attempt to target an apparent vulnerability in the WordPress security plugin Wordfence Security that turned out to have never existed. We looked at that because our own firewall plugin had blocked attempts to exploit that. It isn’t the only fake vulnerability that hackers are trying to exploit in Wordfence Security years after the false claim was made.
On our own website, the firewall plugin blocked this request recently:
/wp-content/plugins/wordfence/lib/wordfenceClass.php?file=/../../../../../../etc/passwd
That relates to a claim from February 2020, which says the vulnerability was in version 7.4.5 of the plugin.
Like the other claimed vulnerability, the exploit won’t succeed for multiple reasons.
The first issue is that there is a .htaccess file in place that restricts direct access to the relevant file, /lib/diffResult.php, if you are using the Apache web server or another web server that honors .htaccess files. Even without that, the claimed vulnerability involves code in the file that won’t run when the file is accessed directly.
The supposedly vulnerable code is in the function wfFunc_download(), which is only called in the file by the function templateRedir(), which in turn runs when WordPress is generating a page at the template_redirect stage:
add_action('template_redirect', 'wordfence::templateRedir', 1001);
That wouldn’t happen when loading the file directly.
It appears the claim of a vulnerability came from someone who really didn’t know what they were doing. The code they claim is vulnerable is part of a function that is intended to allow downloading files, so whether it was vulnerable would depend on how it could be accessed. It would appear they didn’t understand the relevant code at all and then didn’t bother trying their own proof of concept to see that it didn’t work.
The same lack of checking also occurred with the hacker trying to exploit this. That is one of the reasons that hacking attempts are rarely successful. That is something that the developer of the Wordfence Security plugin hides from their users by not disclosing that many of the attacks they stopped wouldn’t have been successful anyway. Better developed security plugins, like our own firewall plugin, can tell you whether a hacker is trying to exploit a vulnerability that never really existed.
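As an added example (not code from this post, from Wordfence, or from our firewall plugin), here is a small Python check that flags requests like the one quoted above in an Apache-style access log: it decodes each query-string value, reports any that climbs upward with ".." (including double-encoded forms), shows where the path would resolve, and notes whether the request was a direct hit on a PHP file under wp-content/plugins/, which is the situation the .htaccess rule and the hook-only execution path described above cover. The log lines are constructed; the first reproduces the request from this post, the rest are assumed examples.

```python
import re
from posixpath import normpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format). The first one
# reproduces the request quoted in the post; the others are assumed examples.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/wordfence/lib/wordfenceClass.php?file=/../../../../../../etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-content/plugins/wordfence/lib/diffResult.php?file=..%2F..%2Fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET /?p=123 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-content/plugins/wordfence/css/main.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Direct request for a PHP file inside a plugin directory (as opposed to a
# normal WordPress page load that runs plugin code through hooks).
PLUGIN_PHP_RE = re.compile(r'^/wp-content/plugins/[^/]+/.+\.php$')


def parse_line(line):
    """Return a dict of log fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def traversal_values(query):
    """Return (param_name, resolved_path) for every query value containing
    a '..' path component after URL decoding (double decoding handles
    %252F-style encoding)."""
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(unquote(value)).replace('\\', '/')
            if '..' in decoded.split('/'):
                # Show where the value would land if joined under a root.
                hits.append((name, normpath('/' + decoded.lstrip('/'))))
    return hits


def is_direct_plugin_php(path):
    """True if the request path is a PHP file under wp-content/plugins/."""
    return PLUGIN_PHP_RE.match(path) is not None


def analyze(log_text):
    """Scan log text and return one finding per traversal-looking parameter."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec['target'])
        path = unquote(parts.path)
        for name, resolved in traversal_values(parts.query):
            findings.append({
                'ip': rec['ip'],
                'status': rec['status'],
                'path': path,
                'param': name,
                'resolves_to': resolved,
                'direct_plugin_php': is_direct_plugin_php(path),
            })
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']} param={f['param']} "
              f"-> {f['resolves_to']} direct_plugin_php={f['direct_plugin_php']}")
```

Run against the sample, the two plugin requests are reported (the second of them only after decoding the %2F sequences) and the ordinary page and stylesheet requests are not. The status column is kept in each finding so that a 403 from the firewall can be told apart from a 200 that would warrant a closer look at the file actually served.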