Yesterday over at our main blog we noted how the web security company SiteLock and their web hosting partner 123 Reg, a GoDaddy brand, are making baseless claims as to the likelihood of websites being hacked to try scare customers in to purchasing SiteLock security services. In the meantime they and others in the security industry were also taking a minor security vulnerability discovered by SiteLock in a WordPress plugin that is used with WooCommerce and using misleading information to make it sound like a much bigger threat.

To see what happened let’s start with an article on the Threatpost, which is Kaspersky Lab’s news website. The article is titled Reflected XSS Bug Patched in Popular WooCommerce WordPress Plugin. No where in the post is there anything to backup up the claim this plugin is all that popular, instead the article makes a confusing mention of the claimed usage of WooCommerce:

An extension of the WooCommerce WordPress plugin, used by 28 percent of all online stores, has been patched against a reflected cross-site scripting vulnerability.

In the ranking of plugins available for sale through the WooCommerce Extension Store, the plugin is the 45th most popular plugin.

What is important to note is that is the risk from a vulnerability has little to do with its popularity, but instead is largely based on the type of vulnerability. As we will get to in a little bit, this type of vulnerability is not one that is a major concern due to not being likely to be exploited.

The focus on usage wasn’t just something that author at the Threatpost was focused on, SiteLock tried to find it out for the “purposes of accurate impact disclosure”, despite that not being a major factor in the impact.

Next up in inaccurate information in the post is this:

“At the time of discovery it was a zero day on the current version,” said Logan Kipp, WordPress evangelist for security vendor SiteLock. “If this was discovered by someone else, it could have been a real problem.”

A zero-day vulnerability is one that is being exploited before the developer is aware of it; it isn’t just a vulnerability that has yet to be fixed. Real zero-day vulnerabilities are very serious issue since keeping your software up to date won’t protect you against them at first, which seems to have lead to many in the security industry to use the term incorrectly.

The next section makes the vulnerability sound really concerning:

“Theoretically, this is weaponizable by sending a crafted link to any party who has a set of logins on that website,” Kipp said. “And if they have an active session, you could hijack that session.”

An attacker could email that crafted link to an already established vendor on a site running WooCommerce. If the vendor is logged in and clicks on the link, an attacker could capture the session and run scripts on the vendor’s browser, taking control of any functionality they have, Kipp explained.

“The chances are very high that if they are the webmaster, they’re going to be logged in at the time of clicking the link and they’re going to have very high privileges,” Kipp said. Kipp characterizes XSS as a tool to gain higher privileges.

“It’s a means to go further, a foothold,” he said. “So while in itself it may not cause any direct damage to the website, we could potentially gain administrator privileges by hijacking sessions.”

The keyword there though is theoretical, because we just don’t see reflected cross-site scripting (XSS) vulnerabilities being exploited against the average website at this time. That could change at some point and it is possible that it could be used in a targeted attack.

What isn’t mentioned in any way in that article or SiteLock’s own article about this and is a possible partial explanation why you don’t seem much targeting of this type of vulnerability, all of the major webs browsers other than Firefox have protection against this type of vulnerability through XSS filtering. So to exploit them you would have to hope the exploitee was using Firefox or come up with a way around the protection provided by the web browser (or multiple ones to get around different protection in different web browsers).

If the SiteLock employee had left their comments with the above it would have been accurate, but they didn’t:

“A lot of times it’s overlooked because people don’t take it seriously. It’s a huge problem because folks don’t always grasp that maybe it can’t modify the website itself, but this is a perfectly weaponizable vector to target visitors,” he said.

This type of vulnerability isn’t a huge problem since it is unlikely to be exploited and isn’t a perfectly weaponizable vector.

Wordfence Jumps in

In what shouldn’t be surprising to anyone that is mildly familiar with the WordPress focused security company Wordfence, in their coverage of this vulnerability they passed along to their readers inaccurate information. Here is the first paragraph:

A reflected cross site scripting vulnerability has been reported in a premium WordPress plugin for WooCommerce known as the ‘Product Vendors‘ plugin. This plugin is used by 28% of all online WooCommerce stores.

As mentioned earlier the 28% really refers to claimed usage of WooCommerce, not usage of the plugin.

Further in to the post they make the claim that vulnerability “will be exploited”, despite the fact that there is very little likelihood of that:

If you are running an older version of the Product Vendors plugin, it is important that you upgrade immediately to avoid having your site exploited. This vulnerability is now public and will be exploited by attackers.

While they make a claim that their plugin will protect against this type of vulnerability (without providing any evidence), they make no mention that web browsers provide protection:

If you are using Wordfence it is unlikely that your site is exploitable because Wordfence includes advanced XSS protection for our free and paid customers.

Also worth noting is that they make no mention that SiteLock discovered the vulnerability, which seems to be in rather bad form.

Overall it looks like Wordfence saw this as a way to market their service and either they don’t have the capability to provide accurate information when it comes to security or they intentionally are misleading people. Based on everything we have seen from them, either seems possible, which doesn’t speak well to the state of WordPress security when you consider they are the company behind the most popular security plugin.

Why This is a Problem

When you strip out the false information included in the articles the problem with this type of coverage of vulnerabilities can be seen in another part of the Wordfence article:

Product Vendors version 2.0.35 is affected by the vulnerability. If you are using this plugin, you need to upgrade immediately to at least version 2.0.36, which includes the fix. The current version of Product Vendors is 2.0.40.

In the Product Vendors changelog, they do not mention that a vulnerability was fixed. The changelog entry for 2.0.36 simply says:

2017-07-28 – version 2.0.36
* Fix – Adjusts how we handle the vendor registration form validation.  

The takeaway from that should be that you should be keeping you plugins up to date at all times, since if this vulnerability was as serious as these security companies make it sound you would have left your website insecure for over a month if you relied on them telling you to update it instead of just updating it. Wordfence doesn’t seem to understand the importance of keeping plugins up to date seeing as they are not telling people they need to update to the latest version of the plugin despite knowing that they were unaware until a month after the fact that the version they are telling people to update to now, contained a security update.

The situation get worse when you consider that many more serious vulnerabilities don’t get covered. For example, we haven’t seen coverage of a real zero-day vulnerability in the plugin Asgaros Forum that was being exploited a couple of weeks ago. What also doesn’t get much coverage are vulnerabilities that haven’t been fixed, which are ones that could use news coverage because simply keeping your plugins update to date won’t protect you. As an example of that, on Tuesday we disclosed that a PHP object injection vulnerability, which is one that is much more likely to be exploited than a reflected XSS vulnerability, exists in the current version of a security plugin with 6,000+ active installs.