Wordfence Security and Wordfence Premium Fail to Provide Protection Against Vulnerability in Targeted Plugin
The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:
Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.
The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time” protection:
Wordfence Premium customers receive new firewall rules the moment our threat intelligence team releases them. When attackers invent new techniques to exploit WordPress, we deploy firewall rules to protect our Premium customers in real-time. With Wordfence Premium, you are protected from the newest exploits as we discover them.
Yet we have found again that the plugin and the service have failed to provide protection which matches those claims.
Authenticated Arbitrary File Upload Vulnerability in Targeted Plugin
In late March we noticed what appeared to be a hacker probing for usage of the WordPress plugin Pie Register on this website. While a vulnerability disclosed in October could have explained a hacker's interest, we wanted to make sure there wasn't an obvious unfixed vulnerability in the plugin that a hacker might be targeting.
Among the vulnerabilities we found was one that hackers would be interested in exploiting, as it allowed anyone logged in to WordPress to load arbitrary files onto the website using a plugin installation capability. A hacker could use that to upload malicious files to the website and then do anything they want with the website.
We publicly warned about that vulnerability and the others we found on March 28.
The vulnerability was subsequently only partially fixed, so it is possible to exploit it in limited circumstances even when using the latest version of the plugin.
How Wordfence Could Provide Protection
That vulnerability would be something that the Wordfence Security plugin should protect against, if it is living up to the claims being made by the developer, especially considering that two weeks later they referred to a substantially similar vulnerability as a "critical" vulnerability.
The Wordfence Security plugin can provide protection either through a rule written for the specific vulnerability or through general protection that covers this type of vulnerability as a whole.
Here, general protection is possible, as we implemented it in our firewall plugin a month after we ran across the vulnerability. Wordfence isn’t implementing general protection in many situations where it is possible (possibly because they make their money by selling rules for specific vulnerabilities), so it would be more likely that they would provide protection through a rule written for the specific vulnerability.
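To make concrete what "general protection" against this class of vulnerability can look like, here is an added example of a WordPress must-use plugin. It is not code from the Plugin Vulnerabilities firewall, from Wordfence, or from Pie Register, and it assumes that the vulnerable code path ends up either in WordPress's own upload handling (wp_handle_upload()) or in WordPress's Plugin_Upgrader, both of which expose filters that a defender can hook. It denies plugin-style installs and uploads of archive or PHP files to logged-in users who lack the install_plugins capability, while leaving background updates (which run with no logged-in user) and administrators untouched.

```php
<?php
/**
 * Plugin Name: Deny Plugin-Style Uploads From Low-Privilege Users
 * Description: Hypothetical mu-plugin (example code, not from any vendor)
 *              illustrating generic protection against authenticated
 *              arbitrary file upload via plugin-installation features.
 *
 * Install by copying into wp-content/mu-plugins/ (assumed default path).
 */

/**
 * True when a logged-in user is present who may NOT install plugins.
 * Background tasks (WP-Cron, WP-CLI, auto-updates) have no user and
 * are deliberately left alone so legitimate updates keep working.
 */
function example_is_low_privilege_user() {
    return is_user_logged_in() && ! current_user_can( 'install_plugins' );
}

/**
 * Stop WordPress's Plugin_Upgrader from unpacking a package on behalf of a
 * low-privilege user. 'upgrader_pre_install' runs inside
 * WP_Upgrader::install_package(); returning a WP_Error aborts the install.
 */
add_filter( 'upgrader_pre_install', 'example_block_upgrader_install', 10, 2 );
function example_block_upgrader_install( $response, $hook_extra ) {
    if ( ! example_is_low_privilege_user() ) {
        return $response;
    }
    error_log( sprintf(
        'example-mu: blocked %s %s by user %d',
        isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'install',
        isset( $hook_extra['type'] ) ? $hook_extra['type'] : 'package',
        get_current_user_id()
    ) );
    return new WP_Error(
        'example_install_denied',
        'Installing packages requires the install_plugins capability.'
    );
}

/**
 * Reject archive and PHP uploads from low-privilege users before the file
 * is written. 'wp_handle_upload_prefilter' runs inside wp_handle_upload();
 * setting $file['error'] makes WordPress refuse the upload.
 */
add_filter( 'wp_handle_upload_prefilter', 'example_block_archive_upload' );
function example_block_archive_upload( $file ) {
    if ( ! example_is_low_privilege_user() ) {
        return $file;
    }
    $name = isset( $file['name'] ) ? $file['name'] : '';
    // Look at every extension in the name so "shell.php.zip" and
    // "backdoor.phtml" are both caught, not only the final extension.
    $parts   = array_map( 'strtolower', explode( '.', $name ) );
    $blocked = array( 'zip', 'phar', 'php', 'php5', 'php7', 'phtml' );
    foreach ( array_slice( $parts, 1 ) as $ext ) {
        if ( in_array( $ext, $blocked, true ) ) {
            error_log( sprintf(
                'example-mu: blocked upload "%s" by user %d',
                $name,
                get_current_user_id()
            ) );
            $file['error'] = 'This file type requires the install_plugins capability.';
            break;
        }
    }
    return $file;
}
```

Both filters are standard WordPress hooks; the assumption that matters is that the plugin being protected actually goes through one of those two code paths rather than writing the file itself with raw PHP calls, which no generic hook can intercept. For that reason a check like this complements, rather than replaces, fixing the capability check in the plugin.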
If they did the same type of monitoring we do, which would be a reasonable expectation based on how they market themselves, then they could have added protection through a rule even before our public disclosure. We have seen no indication that they do that, though, so the soonest would be after our public warning.
No Protection Provided
Wordfence provides new firewall rules exclusively to their Wordfence Premium customers for the first 30 days, so you can trace back when and if protection was added for Premium customers by seeing when and if it was added to their free data. 30 days from March 28 was April 27. So far, no rule has been added to protect against this vulnerability.
They have now also had over three weeks to have added general protection against this by simply copying what we have implemented in our plugin.
Testing we did today confirms that Wordfence Security doesn’t currently provide protection against the vulnerability.