14 Nov 2022

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone who describes themselves as a “search marketer”, writing for a news outlet unrelated to security, is writing about those, we don’t know. Whatever the reason, his stories on the subject get included in Google News and spread on social media.

Mr. Montti’s WordPress plugin vulnerability stories are often wrong in multiple different ways and in ways that indicate he is not familiar with the subject matter (not surprising considering his non-security background). We tried in the past to gently suggest to him that information in stories was not entirely accurate, but he never corrected those stories and continued to make the same mistakes. He hasn’t gotten anyone else with knowledge of security to provide input for his stories either. The Search Engine Journal also doesn’t seem interested in addressing this, as we never got a response when we contacted them about a story from him that was outright false.

His latest story on the subject, “Vulnerabilities Discovered in Five WooCommerce WordPress Plugins”, continues that misinformation. The first line of the story is misleading:

The U.S government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations.

What he is referring to is actually the National Vulnerability Database (NVD) simply republishing information from CVE, which in turn, in the entry we will look at more closely, is simply republishing information from Patchstack. We have mentioned that to Mr. Montti in the past, but he keeps misrepresenting the original source of the information he is citing.

Let’s take a look at the first supposed vulnerability he mentioned in his story, which involves the plugin with the vast majority of the overall install count, with 100,000+ installs according to WordPress.

First, he claims that the plugin Advanced Order Export for WooCommerce contained a cross-site request forgery (CSRF) vulnerability, and he accurately describes what CSRF entails:

The Advanced Order Export for WooCommerce plugin, installed in over 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack.

A Cross-Site Request Forgery (CSRF) vulnerability arises from a flaw in a website plugin that allows an attacker to trick a website user into performing an unintended action.

The next paragraph has nothing whatsoever to do with what was just mentioned and it’s unclear why it is there:

Website browsers typically contain cookies that tell a website that a user is registered and logged in. An attacker can assume the privilege levels of an admin. This gives the attacker full access to a website, exposes sensitive customer information, and so on.

It also doesn’t make sense. It might be referencing cross-site scripting (XSS) or privilege escalation; it isn’t clear which.

The next paragraph gets back to the vulnerability, but is fundamentally wrong:

This specific vulnerability can lead to an export file download. The vulnerability description doesn’t describe what file can be downloaded by an attacker.

As a CSRF vulnerability causes someone else to do something they didn’t intend, the claimed vulnerability wouldn’t allow the attacker to download anything. It would cause someone else who is allowed to download something to download it. That isn’t a vulnerability on its own.

It’s unclear what is going on here since Mr. Montti first seems to understand what CSRF is, but then acts as if it involves several unrelated things.

The original source for this claim is actually Patchstack. Here is their entry for this claimed vulnerability. Patchstack was able to issue a CVE ID, CVE-2022-40128, for this, despite it not being a vulnerability.

Patchstack isn’t a reliable source. In the past we have documented them, among other things, claiming that a vulnerability had been fixed when no changes were made to a plugin’s code and claiming that a vulnerability had been fixed five months before there was an attempt to address an issue. In both cases, there wasn’t even a vulnerability.

Journalists shouldn’t be running with claims made by Patchstack without getting a second source to confirm them. There wasn’t a second source for this story, and Mr. Montti misled people as to the source of the claim, presenting it as the US government instead of Patchstack.

A good reason for a second source is that he claims the vulnerability affected all previous versions of the plugin:

“Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.”

The vulnerability affects all versions of the Advanced Order Export for WooCommerce plugin that are less than or equal to version 3.3.2.

While the plain reading of the information would say that is true, what someone knowledgeable would tell him is that isn’t what it actually means. It means simply that version 3.3.2 was claimed to be vulnerable. Unreliable data sources like Patchstack don’t actually look back to see what versions were vulnerable. They simply state that all previous versions were vulnerable, even if only a single version was vulnerable.
