Login
13 Aug 2021

Only Two WordPress Security Plugins Prevented Enabling User Registration Through Unfixed Option Update Vulnerability

As part of developing our upcoming firewall plugin for WordPress, we have implemented a feature to limit a hacker’s ability to exploit option update vulnerabilities. That is a type of vulnerability that allows a hacker to change arbitrary WordPress settings (options). This is a capability that has existed in the plugin NinjaFirewall for some time. Unfortunately, as we confirmed a couple of years ago, the developer overstated what was possible with it, claiming that it protected against the type of vulnerability, without qualification, when that wasn’t true. In reality, we found that it provided some protection, but not only was it limited in scope, it turned out the protection was easy to bypass by changing the option for the plugin’s settings, due possibly to protection not being fully thought through or due to offensive testing having not been done.

To make our feature as useful as possible, as many options that might be of interest to mass hackers as possible should be restricted being changed if the request to change them is not coming from a user with the manage_options capability. Finding out what existing security plugins were providing this type of protection would be helpful in doing that. Through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted an authenticated variant of that type of vulnerability in a plugin in May. That vulnerability still hasn’t been fixed as version 1.8.2.6, which was released yesterday.

This particular vulnerability only allows updating the value to true or false, which limits what can be done with it, but it would allow for turning on user registration, which is something that hackers are well known to do with this type of vulnerability (combining doing that with changing the role that new users have).

The result of the testing wasn’t helpful for improving the features, as it turned out that only two plugins appear to have it. As only our Plugin Vulnerabilities Firewall and NinjaFirewall prevented exploitation.

NinjaFirewall currently limits the ability to change the following 14 WordPress options:

  • admin_email
  • blog_public
  • blogdescription
  • blogname
  • comment_moderation
  • comments_notify
  • comment_registration
  • default_role
  • home
  • mailserver_login
  • siteurl
  • template
  • stylesheet
  • users_can_register

While not handled among those, the developer of NinjaFirewall added protection against the bypass we found two years ago.

If you have any suggestions of other options that should be protected in this way, please let us us know.

Testing Procedure

For each of the tested plugin we set up an install of WordPress 5.8, installed version 1.8.2.6 of Content Mask and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used the proof of concept provided in our disclosure of the vulnerability in the exploit attempts.

The 25 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Only two plugins provided protection, our Plugin Vulnerabilities Firewall and NinjaFirewall.

The full results are below:

All In One WP Security & Firewall

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Prevented exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGround Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Wordfence Security

Result: Failed to prevent exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.

No related posts.

Plugin Security Scorecard Grade for BBQ Firewall

Checked on June 17, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BulletProof Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Clearfy

Checked on August 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Defender

Checked on November 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Jetpack

Checked on November 24, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for MalCare Security

Checked on November 7, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Shield Security

Checked on January 19, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Sucuri Security

Checked on June 14, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Titan Anti-spam & Security

Checked on June 20, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published.