Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin
The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:
Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.
The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time” protection:
Wordfence Premium customers receive new firewall rules the moment our threat intelligence team releases them. When attackers invent new techniques to exploit WordPress, we deploy firewall rules to protect our Premium customers in real-time. With Wordfence Premium, you are protected from the newest exploits as we discover them.
Yet we have found, once again, that the plugin and the service have failed to provide protection that matches those claims.
Privilege Escalation Vulnerability in Targeted Plugin
In late November we noticed what appeared to be a hacker probing for usage of the WordPress plugin Content Studio in third-party data we monitor. In looking into what might explain that, we found a privilege escalation vulnerability that would allow an attacker to set a security token and then, among other things, create new posts on the website. We publicly warned about that vulnerability on November 28.
As we noted at the time, other data providers on vulnerabilities in WordPress plugins had failed to warn about that vulnerability, despite marketing claims that you would be the first to know about vulnerabilities with their services.
While the plugin’s developer has since changed the code to address the vulnerability, WordPress still hasn’t made that version available for download, so those already using the plugin are still vulnerable.
How Wordfence Could Provide Protection
Unlike many of the vulnerabilities in WordPress plugins that are widely exploited by hackers, this one does not lend itself to a generic protection: it seems unlikely that a general rule could be written that would cover what was at issue here. What could easily be done in this situation is to write a firewall rule specific to this vulnerability, which is exactly what Wordfence claims to provide with their Wordfence Premium service.
No Protection Provided
Wordfence restricts new firewall rules to its Wordfence Premium customers for the first 30 days, after which they are added to the free version’s data. That means you can determine whether, and when, protection was added for Premium customers by checking whether, and when, a rule appeared in the free data. 30 days from November 28 was December 28. So far, no rule has been added to protect against this vulnerability.
Testing we did today confirms that Wordfence Security doesn’t currently provide protection against the vulnerability.