12 May 2025

WordPress and Security Providers Fail to Make Sure All Plugins Containing Known Vulnerability Have Been Addressed

Over the weekend, an apparent hacker made multiple requests to our website for a file that would be located at /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php. That file was part of the Google for WooCommerce plugin, which is developed by Automattic, the company run by the head of WordPress. The same file turned out to be in two other plugins, one of which is still vulnerable and still in the WordPress Plugin Directory, something that WordPress and WordPress security providers have missed. It also remains in the Google library it originally comes from.

The file doesn’t exist in the current version of Google for WooCommerce. It was removed from the plugin in version 2.8.7, released on November 14, with the changelog entry “Fix – Remove a Google Ads API vendor file that prints php information.” The contents of the file before that were:

<?php

/**
 * Copyright 2020 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * Prints whether a given extension is installed or not and its version when it is installed.
 * @param string $extensionName the name of the extension to print information about
 */
function printExtensionInformation(string $extensionName)
{
    $isInstalled =  extension_loaded($extensionName);
    printf(
        'The PHP Extension %s is %sinstalled%s%s',
        $extensionName,
        $isInstalled ? '' : 'not ',
        $isInstalled ? ': ' . phpversion($extensionName) : '',
        PHP_EOL
    );
}

// Prints the general information about PHP.
print '================= PHP GENERAL INFORMATION' . PHP_EOL;
phpinfo(INFO_GENERAL) . PHP_EOL;

// Prints information about the two optional PHP Extensions.
print '================= PHP EXTENSION INFORMATION' . PHP_EOL;
printExtensionInformation('grpc');
printExtensionInformation('protobuf');

That code outputs the results of phpinfo(INFO_GENERAL), which covers “The configuration line, php.ini location, build date, Web Server, System and more.” Because the file is a standalone script sitting in a web-accessible vendor directory, anyone who requests it directly gets that output. So it disclosed information that shouldn’t be disclosed. Not a serious issue, but a vulnerability all the same.

That file comes from Google’s Google Ads API Client Library for PHP, which still includes it. There doesn’t appear to have been an issue opened about it on the library’s GitHub project, so we opened one. Google hasn’t published a security policy for the library, which would otherwise indicate an alternative way to report it.

Two other plugins in the WordPress Plugin Directory have contained that file. One is Muzaara Google Ads Report, which was closed on the directory on December 30, 2024 for an unspecified security issue. The other is Muzaara Content API Google Data Feed, which still contains the file and is still in the directory. We have reached out to the developer about that.
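As an added example that is not from this post, Google’s library, or any of the plugins mentioned: a small Python script a site owner could run to check whether any installed plugin, whatever its name, still ships the vendored script, and to pick requests for it out of web server access logs. The plugin slugs, paths and log lines in it are constructed samples.

```python
"""Added example (not from the original post, Google's library or any plugin):
locate copies of the googleads print_php_information.php script under a
WordPress plugins directory, whatever plugin bundled them, and flag access-log
lines that probe for it. Plugin names, paths and log lines are constructed."""
import re
import tempfile
from pathlib import Path

# Path of the script inside the vendored Google Ads PHP library (from the post).
VENDOR_SCRIPT = "vendor/googleads/google-ads-php/scripts/print_php_information.php"
# Request part of a combined-format access-log line: "GET /path HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) ')


def find_exposed_scripts(plugins_root):
    """Return slugs of plugins that ship the script, regardless of plugin name."""
    root = Path(plugins_root)
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and (p / VENDOR_SCRIPT).is_file())


def probe_requests(log_lines):
    """Return (client_ip, request_path) for log lines that request the script."""
    probes = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and m.group(1).endswith(VENDOR_SCRIPT):
            probes.append((line.split()[0], m.group(1)))
    return probes


def build_sample_plugins_dir():
    """Constructed fixture (hypothetical plugin slugs): one ships the file, one does not."""
    base = Path(tempfile.mkdtemp())
    script = base / "some-ads-plugin" / VENDOR_SCRIPT
    script.parent.mkdir(parents=True)
    script.write_text("<?php phpinfo(INFO_GENERAL);")
    (base / "other-plugin").mkdir()
    return base


# Constructed log lines: one probe for the script (404 here), one unrelated request.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2025:03:12:01 +0000] "GET /wp-content/plugins/'
    'google-listings-and-ads/' + VENDOR_SCRIPT + ' HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/May/2025:03:12:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "-"',
]

if __name__ == "__main__":
    print(find_exposed_scripts(build_sample_plugins_dir()), probe_requests(SAMPLE_LOG))
```

Pointing find_exposed_scripts at a real wp-content/plugins directory reports every plugin that bundles the script, which is the check the plugin directory and the security providers discussed here did not make.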

Security Providers Didn’t Fully Vet This

What makes the apparent lack of any attempt to raise this with Google, and a vulnerable plugin remaining in the Plugin Directory, stand out is that competitors of ours have known about this for months but didn’t take action. There are listings from Patchstack, Wordfence, and WPScan (WPScan is owned by Automattic). That they didn’t act isn’t all that surprising: they make impressive-sounding claims about their concern for security, but, as Patchstack admits in its fine print, they fail to do basic due diligence. All three credit a supposed security researcher who also didn’t take action here, which we are now adding to our warning about the researcher Francesco Carlucci as part of our new database on WordPress security researchers.


Plugin Security Scorecard Grade for Patchstack: D (checked on March 5, 2025)

Plugin Security Scorecard Grade for WPScan: F (checked on April 12, 2025)
