12 Aug 2024

“Powerful Firewall Rules” Don’t Stop Exploitation of Reflected XSS Vulnerability in WordPress Security Plugin Shield Security

As part of refining our new Plugin Security Scorecard tool, we are very interested in making sure that the grading it provides is useful. As we noted last month, an inspiration for our own tool, the OpenSSF Scorecard, doesn’t necessarily produce great results. To an extent, that is because the major company behind it doesn’t appear to care much about the scores. Currently, many security plugins get low grades with our tool, based on a combination of general issues and issues specific to security plugins. Seven of the graded security plugins currently have an F grade, some because the plugins are themselves vulnerable, others because of a litany of other issues with the plugins. One of those in the latter category is Shield Security. The F grade is based on the following issues:

  • Base64 obfuscated content detected.
  • The plugin’s changelog on the WordPress Plugin Directory is missing information on the latest version of the plugin, making it hard to know what changes have been made if any of those are security fixes.
  • The plugin doesn’t contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
  • The plugin isn’t listing in a security.txt file where the results of a security review of the plugin can be found. A well-done security review would provide a good measure of the security of the plugin at the time it was done.
  • The plugin blocked less than half of the exploit attempts from the Plugin Vulnerabilities Firewall regression testing suite the last time the plugin was tested, so it is missing a lot of the protection it could be offering, and that another plugin is offering.
  • The plugin is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.
  • The plugin isn’t providing a warning that its information on vulnerabilities in WordPress plugins is unreliable because it comes from a source known not to properly vet the information. That lack of vetting can lead to situations where a “fixed” vulnerability is subsequently widely exploited because there wasn’t really a fix.
  • The plugin is spreading misleading information about brute force attacks against WordPress websites, which are not actually happening, and causing the WordPress community to not focus on real security threats.

That plugin getting an F grade seems reasonable considering how many security vulnerabilities are being found in it. A couple of weeks ago, we discussed one of those vulnerabilities after our own firewall plugin stopped an attempt to exploit it. What we didn’t focus on there is that Shield Security’s firewall wouldn’t stop that attack. It isn’t the only recent vulnerability where that is true. That brings us back to our scorecard.

One of the issues we identified with the plugin is that it “is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.” The developer makes multiple claims that are relevant to its firewall stopping attacks.

One advertised feature is:

Powerful Firewall Rules

The developer also makes this claim:

Shield is the only security plugin for WordPress that prioritises protection and intrusion prevention before repair. With Shield Security, your site will immediately block visitors as they probe your site looking for vulnerabilities, and before they can do damage.

No other standalone WordPress security plugin (including Wordfence, WP Cerber, Ninja Firewall, All-In-One Security) approaches security in this way. The 1st step in any good security system is Intrusion Detection/Prevention, the 2nd step is repair. Shield Security does both.

In both cases, the developer doesn’t cite any evidence for the claim. The claims are also not at all true.

Another one of the issues our tool notes about the plugin is that it “blocked less than half of the exploit attempts from the Plugin Vulnerabilities Firewall regression testing suite the last time the plugin was tested.” The reason for that is that Shield Security’s firewall has been broken for a couple of years. Even when it worked, it provided little protection.

The claim about being the “only security plugin for WordPress that prioritises protection and intrusion prevention before repair” is just weird. One of the other cited plugins, NinjaFirewall, doesn’t even have a repair capability, so it is focused only on protection.

With the latest vulnerability found in Shield Security, a reflected cross-site scripting (XSS) vulnerability, you know that things are bad, as it was found by a security provider who is so bad at reviewing the security of plugins that they missed that their own plugin is obviously vulnerable. If Shield Security truly had powerful firewall rules as claimed, it should stop the issue from being exploitable and therefore stop it from being a vulnerability, but it doesn’t. Our own firewall plugin does (and other firewall plugins should as well).

Another issue that we identified with the plugin is that it doesn’t point to the results of a security review of the plugin. As we noted, “[a] well-done security review would provide a good measure of the security of the plugin at the time it was done.” Based on all the vulnerabilities being found in the plugin, it seems highly unlikely that a review has been done that just isn’t listed.

Plugin Security Scorecard Grade for Shield Security: F (checked on January 19, 2025)