07 Jun

Poor Handling of Security in WordPress Plugin Directory Also Impacts ClassicPress Directory

On Friday we noted that we had started doing proactive monitoring of the plugins in the plugin directory of ClassicPress, the WordPress fork, for serious security issues, and that we had also run the ClassicPress plugins available there through our Plugin Security Checker, which flags the possibility of additional, less serious issues. We found a couple of plugins with minor security issues through that, including one with a vulnerability. That vulnerability was promptly fixed. Also on Friday, we ran the six plugins from the WordPress Plugin Directory that are also included in ClassicPress’ directory through the same tool. We found that two of them had a minor vulnerability that was really easy to spot.

This is the kind of thing that the WordPress Plugin Directory Team could easily have systems in place to catch and to automatically warn developers about. We have repeatedly offered to help them implement this type of thing, but, as with other attempts to help them improve their poor handling of security, they have shown no interest. [Read more]

04 Jun

Does CKEditor 4.16.1 Fix a Security Vulnerability?

On May 26, new versions of the popular Drupal software were released to fix a “moderately critical” cross-site scripting (XSS) vulnerability caused by an “error in parsing HTML” in the “third-party CKEditor library”. They further stated that “CKEditor 4.16.1 and later include the fix”.

The release notes for CKEditor 4.16.1, which was released on May 20, make no mention of any security fix, though: [Read more]

25 May

WP User Avatar/ProfilePress and the Security Implications of Repurposing a WordPress Plugin

Last week one of the most popular WordPress plugins, WP User Avatar, was repurposed to become ProfilePress. Here is how Justin Tadlock at the WordPress Tavern described the change in the plugin:

Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin. [Read more]

10 Mar

The Security Ninja WordPress Plugin Isn’t Going to Provide You Accurate Information on WordPress Plugin Vulnerabilities

While the security industry doesn’t currently have a well-functioning market, so you don’t have companies actually competing to provide better services (instead, companies largely compete on who can tell the best lies, which produces the expected poor results), we continue to look at how we are doing versus other sources, so that we can provide our customers the best service possible. We recently ran across the Security Ninja plugin promoting that it will check for WordPress plugin vulnerabilities and wanted to see how things stacked up.

According to them, they get their data from the National Vulnerability Database (NVD): [Read more]

09 Mar

Fortinet’s FortiGuard Labs Is Putting Out Reports That Falsely Claim Vulnerabilities in WordPress Plugins Have Been Fixed

Recently, if you were relying on other sources for information on vulnerabilities in the WordPress plugins you use, you would have seen it claimed that Envira Gallery Lite recently contained a vulnerability that was fixed in version 1.7.7.

Here is that on the CVE: [Read more]

06 Mar

WordPress Plugin Directory Team Allowed Hackers Three Weeks to Exploit Vulnerability in Plugin with 60,000+ Installs

When it comes to security issues with WordPress plugins, the team running the WordPress Plugin Directory continues to make matters worse. One area where we have seen that occurring for some time (and where we have been criticized for taking action to protect our customers) is the closure of popular plugins with security issues. That occurred again recently with Brizy, which has 60,000+ installs. The WPScan Vulnerability Database belatedly warned about a vulnerability in the plugin yesterday with this timeline (we had warned those of our customers who were impacted last month):

February 10th, 2020 – Report received & WP Plugins Team notified.
February 12th, 2020 – WP Plugin Team Investigating
February 12th, 2020 – v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 – Seeing probes checking for the issue
March 4th, 2020 – Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 – Plugin cannot be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 – Issue disclosed, we recommend removing the plugin until a new version is available and downloadable [Read more]

03 Mar

Bad Practices by Fortinet and the WPScan Vulnerability Database Lead to False Claim of Vulnerability Being Fixed in WordPress Plugin

Years ago we recommended data from the WPScan Vulnerability Database as a good alternative to our service, since, while their data was of lower quality, it was available for free. Now more and more of that access is being charged for, while the quality of the data has gotten worse since the time we used to recommend it. Here is a recent example of that, which also shows how bad practices from Fortinet made it hard to figure out when they screwed up in disclosing a vulnerability.

Here is the current version of the entry from WPScan of a vulnerability in Testimonials: [Read more]

30 Sep

WebARX’s Idea of Threat Intelligence Involves Copying From the Low Quality Data of the WPScan Vulnerability Database

The phrase “threat intelligence” seems to be becoming popular among security companies that are more focused on BSing than on doing the work that threat intelligence would entail, with poor results for their customers (up to their customers getting unnecessarily hacked). We recently ran across a post from WebARX, which we will get to the details of in a second, but at the end of it was this claim:

Threat intelligence and prevention is our main focus and thus our firewall engine is updated on a daily basis. [Read more]

30 Sep

The Temporary and Permanent Closures of Plugins on the WordPress Plugin Directory Don’t Mean What You Probably Think

Recently the team running the Theme Directory on the WordPress website was re-organized to create five sub-teams; by comparison, the team running the Plugin Directory has only six people in total. The undersized plugin team seems very much intentional, as the stated reason for not allowing anyone else to join the team doesn’t add up, and from our experience they are unable to handle people having different opinions than them, much less work with others to fix problems they are causing. Of the six people, it isn’t even clear how many more than two of them are actually involved. Whether it is two or six people handling so much, the results are not likely to be very good. That seems to be the case for the recently changed wording shown on the pages for plugins that have been closed on the Plugin Directory.

In a support forum topic about a vulnerability being exploited in a plugin that was closed after we noticed a hacker probing for it, this was written: [Read more]