One of the big problems with trying to get real security issues surrounding WordPress dealt with is that it is hard to get attention for them when so much attention is paid to supposed security issues that don’t exist or are not realistic threats. In our monitoring of the WordPress Support Forum to keep track of indications of vulnerabilities in WordPress plugins for our service, we ran across a new example of that today. Several days ago a plugin was introduced to the Plugin Directory named WP Disable Site Health with this description:
In a continuation of our recent running across of plugins that work with WooCommerce being insecure and in many cases being targeted by hackers, we recently had what appears to be a hacker probing our website for usage of the plugin Dropshix, which has the slogan “WooCommerce + Dropshipping Made Simple”, and in looking over the plugin we found that much of its admin functionality is insecure. These continuing problems are a good reminder of the security risk surrounding plugins that extend WooCommerce functionality. Our main service can keep you alerted to publicly known vulnerabilities, whether they are things we find because hackers are targeting them or are otherwise disclosed. We also offer security reviews so that you can get the security of the plugins you use reviewed before hackers might come across vulnerabilities in them.
As part of making sure the customers of our service are getting the best information on vulnerabilities in WordPress plugins they may be using, we monitor for hackers probing for usage of plugins on our website and then try to figure out what the hackers might be looking to exploit. A week ago that led to us running across two plugins with unfixed vulnerabilities. One of those plugins was closed on the WordPress Plugin Directory on May 9. In the past day we saw a hacker probing for another plugin that was closed on the same day, Real Estate Manager – Property Listing and Agent Management.
When it comes to the security of WordPress plugins, the unfortunate reality is that the same problems occur over and over, and yet it seems we are largely alone in being interested in trying to take actions to address those. One of the issues with that is that what we can do is limited; most of the changes require the people in charge of the Plugin Directory being willing to work with others to fix them, which isn’t happening, as they seem to be detached from reality and are unwilling to even acknowledge the problems exist, much less discuss making changes to fix those problems.
When it comes to WordPress security plugins, not only do they often not provide much, if any, security against threats that really impact a website, but they can actually introduce security vulnerabilities of their own. That is the case with the plugin LionScripts: IP Blocker Lite, which is described as:
One of the things we do during security reviews of WordPress plugins is to check if .php files that are not intended to be directly accessed are protected against direct access. The lack of that usually makes no difference, but it is an easy way to avoid or limit vulnerabilities, like the local file inclusion (LFI) vulnerability that our proactive monitoring of changes made to plugins in the Plugin Directory, which is intended to catch serious vulnerabilities, caught in the plugin Revamp CRM for WooCommerce.
This post provides the details of a vulnerability in the WordPress plugin Finale Lite - Sales Countdown Timer & Discount for WooCommerce not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.
This post provides the details of a vulnerability in the WordPress plugin Breadcrumbs by menu not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service for free and then you can view the contents of the post. There are a lot of other reasons that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website was vulnerable due to it.
When it comes to getting data on vulnerabilities in WordPress plugins, what we have noticed is that many sources are not using unique data, but are instead reusing data from another source, often without letting people know what the true source is and never with a disclaimer about the quality issues that are inherent in that data source. That source is the WPScan Vulnerability Database, but recently we realized that they in fact are often just copying their data from yet another source: the Common Vulnerabilities and Exposures (CVE) system. As we have more closely monitored that source recently, we have noticed plenty of issues with it. This week we noticed something that wasn’t as much of a concern, but does present a worse picture of the WPScan Vulnerability Database.
While we already are far ahead of other companies in keeping up with vulnerabilities in WordPress plugins (amazingly, that isn’t an exaggeration), in looking into how we could get even better we noticed that in a recent instance where a vulnerability was exploited in a plugin, we probably could have warned our customers about the vulnerability even sooner if we had looked at the plugin when it was first closed on the Plugin Directory instead of when the vulnerability was fixed (though as far as we are aware the exploitation started after we had warned our customers of the fix). So we are now monitoring to see if any of the 1,000 most popular plugins are closed on the Plugin Directory and then checking whether it looks like that was due to a vulnerability.