Last Thursday we started warning any customers of our service using the plugin ND Shortcodes (ND Shortcodes For Visual Composer) that there were a couple of vulnerabilities in the plugin. We warned them on the basis of one of them being fixed in a new version with the changelog “Improved nd_options_import_settings_php_function function for security reasons” (the second vulnerability is related to the fixed one). Those not using our service were not so lucky, as the plugin was at the time and remains closed on the WordPress Plugin Directory, so it isn’t possible to update the plugin normally to protect against the fixed vulnerability (we are always available to help our customer to update to a new version in a situation like that).

If you were relying on the main competing data source for vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, even now you are not getting warned:

That is striking as we have now had multiple ways we monitor for indications that vulnerabilities in WordPress plugins are being exploited that have provided indications that the fixed vulnerability is being exploited. Based on what we now know it seems reasonable to assume it was being exploited at lower scale before it was fixed. Something that came up in the monitoring is a reminder that while plugin developers are not properly securing their plugins and causing vulnerabilities like that to exist, that other parties are also playing a role it leading to websites being hacked due to vulnerabilities like this.

Yesterday, a topic was created on the support forum for the plugin on the WordPress website with this message:

Our site has been hacked three separate times in July. Each time a new admin user was created, WP settings were changed to allow new user creation, and then redirect the website elsewhere.

After reviewing log files, each time, it came down to a plugin included with this theme, “ND Shortcodes”, your own custom written plugin. Suspiciously, this plugin has just been removed altogether from the WordPress plugin directory on July 24, 2019 without any explanation or warning.

You have an obligation to folks using your themes and your plugins to warn them about exploits of your themes and plugins. Please provide clarity as to why your plugin was removed from the public directory and why no updates have been applied to fix this exploit.

Starting at the end of that, the developer had in fact provided an update to fix the vulnerability being exploited and the changelog indicated that it was security related. The developer can’t control the team running the Plugin Directory have not made that available. It appears that team now have the capability to provide an update to existing users of a plugin without having to make the plugin available for new installs, yet they don’t seem to be using that in situations like this, where it would help to protect websites from being hacked. For whatever reason that team is able to get away without any accountability for their poor handling of situations like this. Certainly helping them accomplish that is that they also control the moderation of the Support Forum, so they can shut down discussions that raise problems with how they handle things.

What else stands out there to us is that person doesn’t provide an indication that they made any attempt to contact the developer when they saw a connection between the plugin and a website being exploited multiple times. How is the developer supposed to address a situation like that if they are not notified that there is an issue? It could be worse, one of the two security companies that moderators of the Support Forum continually promote, intentionally doesn’t even try to determine how websites are hacked.

In a follow up that same person wrote this:

Thanks for the heads up. I was told to update to 5.9 as well, but am not clear if that version is actually fixed or not. So far the support here and on Themeforest has been dismissive. I have yet to communicate to an actual developer, just the low-level, non-tech support staff who have no clue. The comments you reference on TF are now not even publicly viewable (“This comment is currently being reviewed.”).

They are definitely trying to hide and cover up the fact that their plugin and theme was hackable or had/has problems. Unfortunate to see.

I just want an explanation from the author here.

With our service we are always available to answer any questions about vulnerabilities that are in our data set, with the response coming from someone that is well versed in the details of the vulnerability, so our customers don’t have to wonder out loud what is going on.

Protecting Yourself

Unfortunately there isn’t an obvious path to get to a point where situations like this are better handled by others in the process. If someone has an idea how to get things improved we are all ears and would be interested in helping (we have repeatedly offered to help the team running the Plugin Directory improve their processes, to no avail).

In the meantime we provide multiple options to better deal with all that. In the worst case where a website has been hacked, we offer a service over at our main business for properly cleaning up hacked WordPress websites that involves trying to figure out how it got hacked and resolving that. Our main service will provide you with prompt notifications when vulnerabilities like this are known about publicly in plugins you use, even in instances where very limited information is available as was the case here. To have the security of plugins reviewed before hackers do that the customer of that service are able to vote for plugins to receive security reviews from us and we offer separate service for getting a security review of a plugin done as well.