On Friday we noted that we had started doing proactive monitoring of the plugins in the WordPress fork ClassicPress’ plugin directory for serious security issues and had also run the ClassicPress plugins available there through our Plugin Security Checker, which flags the possibility of additional, less serious issues. We found a couple of plugins with minor security issues through that, including one with a vulnerability. That vulnerability was promptly fixed. Also on Friday, we ran the six plugins from the WordPress Plugin Directory that are also included in ClassicPress’ directory through the same tool. We found that two of them had a really easy-to-spot minor vulnerability.
This is the kind of thing that the WordPress Plugin Directory Team could easily have systems in place to catch and automatically warn developers of. We have repeatedly offered to help them implement this type of thing, but, as with other attempts to help them improve their poor handling of security, they have shown no interest.
On May 26, new versions of the popular Drupal software were released to fix a “moderately critical” cross-site scripting (XSS) vulnerability caused by an “error in parsing HTML” in the “third-party CKEditor library”. They further stated that “CKEditor 4.16.1 and later include the fix”.
Instead of a simple, single-purpose custom avatar solution, it is a full-fledged user registration, profile, login, and membership management plugin.
The security industry doesn’t currently have a well-functioning market, so you don’t have companies actually competing to provide better services (instead, companies largely compete on who can tell the best lies, which produces the expected poor results). We nevertheless continue to look at how we are doing versus other sources, so we can provide our customers the best service possible. We recently ran across the Security Ninja plugin promoting that it will check for WordPress plugin vulnerabilities and wanted to see how things stacked up.
According to them, they get their data from the National Vulnerability Database (NVD):
When it comes to security issues with WordPress plugins, the team running the WordPress Plugin Directory continues to make matters worse. One area where we have seen that occurring for some time (and where we have been criticized for taking action to protect our customers) is the closure of popular plugins with security issues. That occurred again recently with Brizy, which has 60,000+ installs. The WPScan Vulnerability Database belatedly warned about a vulnerability in the plugin yesterday with this timeline (we had warned any customers of our service that were impacted last month):
February 10th, 2020 – Report received & WP Plugins Team notified.
February 12th, 2020 – WP Plugin Team Investigating
February 12th, 2020 – v1.0.114 released in SVN, fixing the issue. However, the plugin is still closed
March 3rd, 2020 – Seeing probes checking for the issue
March 4th, 2020 – Contacted WP Plugin to have an ETA about re-opening the plugin
March 5th, 2020 – Plugin can not be re-opened yet as there are other issues (including legal ones), as well as incomplete fixes
March 5th, 2020 – Issue disclosed, we recommend removing the plugin until a new version is available and downloadable
Years ago we recommended data from the WPScan Vulnerability Database as a good alternative to our service, since while their data was of lower quality, it was available for free. Now more and more of that access is being charged for, while the quality of the data has gotten worse since we used to recommend it. Here is a recent example of that, which also shows how bad practices from Fortinet made it hard to figure out when they screwed up in disclosing a vulnerability.
The phrase “threat intelligence” seems to be becoming popular among security companies that are more focused on BSing than on doing the work that threat intelligence would entail, with poor results for their customers (up to and including their customers getting unnecessarily hacked). We recently ran across a post from WebARX, which we will get to the details of in a second, but at the end of it was this claim:
Threat intelligence and prevention is our main focus and thus our firewall engine is updated on a daily basis.
Recently the team running the Theme Directory on the WordPress website was reorganized to create five sub-teams; by comparison, the team running the Plugin Directory has only six people in total. The undersized plugin team seems very much intentional, as the stated reason for not allowing anyone else to join the team doesn’t add up, and from our experience they are unable to handle people having different opinions than them, much less work with others to fix problems they are causing. Of the six people, it isn’t even clear how many more than two of them are actually involved. Whether it is two or six people handling so much, the results are not likely to be very good. That seems to be the case for the recently changed wording shown on the pages of plugins that have been closed on the Plugin Directory.
In a support forum topic about a vulnerability being exploited in a plugin that was closed after we noticed a hacker probing for it, this was written: