WPScan Ignores That Security Issue From Website of Their Boss, Matt Mullenweg, Played Vital Role in WordPress Websites Being Hacked
Two days ago, a news story about WordPress websites being hacked was published titled “Hunk Companion WordPress plugin exploited to install vulnerable plugins.” The last part of that is important, but was largely ignored in the story. With the only mention saying that “While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console.” That plugin was closed on the WordPress Plugin Directory on October 21.
But the logging for the hacking shown in the source for the story was from November 27. How could the plugin be installed if it was closed over a month before?
The source for the news story was WPScan, which is owned by Automattic. That would be the Automattic run by the head of WordPress, Matt Mullenweg. Their post doesn’t really explain how a closed plugin could be installed either. It says this:
On line 204, the following code demonstrates that the WordPress.org URL is hardcoded, restricting installations to plugins hosted on the WordPress.org repository:
$temp_file = download_url(‘https://downloads.wordpress.org/plugin/’.$slug.’.zip’);
However, this URL allows the download of plugins, even if they have been closed or removed from the repository. This behavior introduces a significant vector for exploitation, enabling attackers to install vulnerable plugins.
What is going on there is that when plugins on the WordPress Plugin Directory are closed, you can still download them. That is true even if they were closed for a security issues. This is a known problem. We wrote a post about that very issue in March 2022. Like so many security issues connected with the plugin directory, it hasn’t been resolved despite the ease of doing that. So who is responsible for that? Matt Mullenweg. Here was how his own lawyers put that on October 22:
WordPress.org is not WordPress. WordPress.org is not Automattic or the WordPress Foundation, and is not controlled by either. To the contrary, as Plaintiff itself acknowledges, WordPress.org is Mr. Mullenweg’s responsibility.
So WPScan was ignoring that their boss’ inaction played a vital role in websites being hacked.
At the end of the post they didn’t list fixing that issue as a part of the solution:
As WordPress remains the most popular content management system in the world, such vulnerabilities serve as a stark reminder of the ongoing challenges in maintaining site security. It’s imperative for developers, site owners, and plugin authors alike to adopt proactive measures, such as regularly updating plugins and themes, auditing for known vulnerabilities, and disabling unused or unnecessary extensions.
You have to wonder if of the author of the post is even that familiar with WordPress as they seem to be referring to plugins as extensions at one point in that. That would line up with them completely missing that the developer of one plugins involved still isn’t properly implementing security in code that was included in the post.
We should note that WPScan ignoring that there is a WordPress security problem that could be fixed is hardly an issue confined to them. It is par for the course for most of the WordPress security industry. The simple explanation for this is many of theses companies are geared toward profiting off of insecurity instead of offering solutions that would make things more secure. Instead of covering that, supposed journalists promote the worst offenders even when they are putting websites at risk.