Earlier today we disclosed that two WordPress plugins developed by Facebook have vulnerabilities because they fail to do security basics. While these are relatively minor vulnerabilities, Facebook has introduced them on quite a few websites, as one of the plugins has 20,000+ installs and the other 200,000+. In another of their plugins, with 100,000+ installs, there is a minor security issue caused by the same missing security basic involved in the vulnerabilities in the other two, though we wouldn’t classify it as a vulnerability given what can be accomplished with it.
In our previous post we detailed running across a vulnerable WordPress plugin made by Facebook with 200,000+ installs. After noticing that, we did a quick check to see whether any of their other plugins had similar issues. We found that their plugin Messenger Customer Chat, which has 20,000+ installs, contains a similar vulnerability, though in this case the code is even less secure.
The line between the open source project WordPress and the company Automattic is often blurry. You can find journalists referring to the latter as owning the former, despite that not being true. The person who resigned a couple of weeks ago as the Marketing and Communications Lead for WordPress mentioned that they were often assumed to be an Automattic employee or the token non-Automattic team member:
One of the big problems with trying to get real security issues surrounding WordPress dealt with is that it is hard to get attention for them when so much attention is paid to supposed security issues that don’t exist or are not realistic threats. In our monitoring of the WordPress Support Forum, which we do to keep track of indications of vulnerabilities in WordPress plugins for our service, we ran across a new example of that today. Several days ago a plugin was introduced to the Plugin Directory named WP Disable Site Health with this description:
In a continuation of our recent run of coming across plugins that work with WooCommerce being insecure, and in many cases being targeted by hackers, we recently had what appears to be a hacker probing our website for usage of the plugin Dropshix, which has the slogan “WooCommerce + Dropshipping Made Simple”. In looking over the plugin we found that much of its admin functionality is insecure. These continuing problems are a good reminder of the security risk surrounding plugins that extend WooCommerce functionality. Our main service can keep you alerted to publicly known vulnerabilities, whether they are things we find because hackers are targeting them or they are otherwise disclosed. We also offer security reviews, so that you can have the security of the plugins you use reviewed before hackers might come across vulnerabilities in them.
As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing our website for usage of plugins and then try to figure out what the hackers might be looking to exploit. A week ago that led to us running across two plugins with unfixed vulnerabilities. One of those plugins was closed on the WordPress Plugin Directory on May 9. In the past day we saw a hacker probing for another plugin that was closed on the same day, Real Estate Manager – Property Listing and Agent Management.
When it comes to the security of WordPress plugins, the unfortunate reality is that the same problems occur over and over, and yet it seems we are largely alone in being interested in taking action to address them. One of the issues with that is that what we can do is limited; most of the changes require the people in charge of the Plugin Directory to be willing to work with others to make them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge that the problems exist, much less discuss making changes to fix them.
When it comes to WordPress security plugins, not only do they often provide little, if any, security against threats that really impact a website, but they can actually introduce security vulnerabilities of their own. That is the case with the plugin LionScripts: IP Blocker Lite, which is described as:
One of the things we do during security reviews of WordPress plugins is to check whether .php files that are not intended to be accessed directly are protected against direct access. The lack of that usually makes no difference, since most such files only define functions and do nothing on their own when loaded outside of WordPress, but it is an easy way to avoid or limit vulnerabilities, like the local file inclusion (LFI) vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities, caught in the plugin Revamp CRM for WooCommerce.
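As an added example (not code from the page or from any plugin named on it), the following Python script performs that check over a plugin directory: it flags every .php file in which no ABSPATH guard appears before the first statement that does real work. The guard idioms it recognizes and the sample plugin files it scans are assumptions constructed for the example.

```python
"""Added example: flag plugin .php files that lack a direct-access guard.

This is not code from the page or from any plugin it names. It assumes the
usual WordPress guard idioms (an assumption about convention, not a standard):

    if ( ! defined( 'ABSPATH' ) ) { exit; }
    defined( 'ABSPATH' ) || exit;
    defined( 'ABSPATH' ) or die( 'No direct access.' );

When a .php file is requested directly, WordPress has not been loaded, so
ABSPATH is undefined and a guarded file stops before running anything. The
checker requires the guard to come before the first real statement; comments,
namespace/use/declare lines and the plugin header block are allowed first.
"""
import re
import tempfile
from pathlib import Path

_ABSPATH = r"\\?defined\s*\(\s*['\"]ABSPATH['\"]\s*\)"
_BAIL = r"(?:exit|die)\s*(?:\([^)]*\))?\s*;"
GUARD_RE = re.compile(
    r"(?:if\s*\(\s*!\s*" + _ABSPATH + r"\s*\)\s*\{?\s*" + _BAIL
    + r"|" + _ABSPATH + r"\s*(?:\|\||or)\s*" + _BAIL + r")",
    re.IGNORECASE,
)
# Statements that may legitimately come before the guard.
PREAMBLE_RE = re.compile(
    r"^(?:\s*(?:namespace\s+[^;]+;|use\s+[^;]+;|declare\s*\([^)]*\)\s*;))*\s*$",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)


def has_direct_access_guard(src: str) -> bool:
    """True if the guard appears before any statement that does real work."""
    tag = src.find("<?php")
    if tag < 0:
        return False          # no PHP open tag: nothing we can reason about
    body = src[tag + len("<?php"):]
    m = GUARD_RE.search(body)
    if m is None:
        return False          # no guard anywhere in the file
    preamble = COMMENT_RE.sub("", body[:m.start()])
    return PREAMBLE_RE.match(preamble) is not None


def scan_plugin_dir(root: Path) -> list:
    """Return relative paths (sorted) of .php files under root that are not guarded."""
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*.php")
        if not has_direct_access_guard(p.read_text(encoding="utf-8", errors="replace"))
    )


# Constructed sample files (not taken from any real plugin).
SAMPLES = {
    "guarded.php": "<?php\n/*\nPlugin Name: Example\n*/\n"
                   "if ( ! defined( 'ABSPATH' ) ) {\n\texit;\n}\n"
                   "add_action( 'init', 'example_init' );\n",
    "or-die.php": "<?php\nnamespace Example;\n"
                  "defined( 'ABSPATH' ) or die( 'No direct access.' );\n",
    # Acts on request input at load time with no guard: the LFI shape.
    "unguarded.php": "<?php\n$template = $_GET['template'];\ninclude $template;\n",
    # Has a guard, but only after the dangerous include has already run.
    "late-guard.php": "<?php\ninclude $_GET['template'];\n"
                      "if ( ! defined( 'ABSPATH' ) ) exit;\n",
}


def demo_scan() -> list:
    """Write the samples to a temp dir, scan it and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, src in SAMPLES.items():
            (root / name).write_text(src, encoding="utf-8")
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for name in demo_scan():
        print("missing direct-access guard:", name)
```

Run it against an unpacked plugin with `scan_plugin_dir(Path('wp-content/plugins/example'))`. A hit is a review item rather than a vulnerability in itself: a file that only declares functions does nothing when loaded outside WordPress, while one that acts on request input at load time, as the constructed `unguarded.php` does, is exactly where an LFI would live, and a guard placed after that code, as in `late-guard.php`, protects nothing.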
This post provides the details of a vulnerability in the WordPress plugin Finale Lite -Sales Countdown Timer & Discount for WooCommerce that was not discovered by us, and where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then view the contents of the post. There are a lot of other reasons you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable because of it.