When it comes to fixing the problems with the handling of the security of WordPress plugins, we feel that fixing the moderation of the Support Forum is important, since right now that moderation is used to cover problems up (it doesn’t seem like that is necessarily all that intentional, but it ends up having that effect anyway). One of the problems being covered up is that the people in charge of the Plugin Directory really don’t seem up to the task and seem unable to work with others to try to improve. As an example of that, take something posted on the Support Forum a few days ago that is no longer accessible there, but which we saw because of an email alert we use to keep track of discussions that might relate to plugin vulnerabilities.
When it comes to the mess that is the moderation of the WordPress Support Forum, which has led to us fully disclosing vulnerabilities until it is cleaned up, one of the most problematic moderators is someone named Jan Dembowski, whom we frequently run across getting things incredibly wrong (in some cases taking different sides on an issue in different instances and each time managing to be on the wrong side). So it wasn’t surprising to see them getting something wrong when it came to someone looking for help related to the vulnerability in Easy WP SMTP that has been widely exploited. The person looking for help wrote this:
Today we have had a lot of traffic coming to our website, to our posts about the fixed and unfixed vulnerabilities in the plugin Easy WP SMTP. The likely explanation is something else we have been seeing today: in dealing with the cleanup of hacked WordPress websites over at our main business, and in other mentions of hacked websites, we are seeing indications that the option update vulnerability fixed in that plugin, and possibly the other recently fixed option update vulnerability impacting many plugins, are being exploited widely to change the WordPress option “siteurl” on websites so that requests are made to “getmyfreetraffic.com” (based on past experience with this type of vulnerability, that likely isn’t the only thing the hackers are doing with the vulnerabilities on those websites).
When it comes to information on security topics, whether in security journalism or elsewhere, what we have found is that incorrect information is often provided that someone could have recognized as incorrect if they could check the original source for it, but the original source isn’t listed. That is the case with something from the WPScan Vulnerability Database’s entry, created on Friday, on the authenticated option update vulnerability in the Freemius library that we discussed on Tuesday:
Last week we had an odd interaction with the developer of the Freemius library, where they wanted us to take down a post about a fixed vulnerability in their library that appeared to us to already be the target of attempted exploitation through WordPress plugins containing it. That seemed odd to us, since the vulnerability was already being exploited, so we pretty clearly hadn’t disclosed it, as they were claiming was the issue with our having put out the post. We wondered whether they had missed the part about it looking like it was already being exploited (despite, among other things, that being the headline of our post), or whether they assumed we were wrong in thinking that. It turns out they already knew exploitation was being attempted before they even fixed it:
Yesterday we covered an authenticated option update vulnerability that looks like it was already being exploited in a third-party library, Freemius, which is included with many WordPress plugins. We had also reviewed the 1,000 most popular WordPress plugins to check whether they used a vulnerable version of that library and notified the developers of the impacted plugins. The response we have gotten from them and from the developer of the library has been rather troubling.
One of the striking and telling aspects of the security community, which seems to go a long way toward explaining why security, whether of WordPress websites or more broadly, is in such bad shape, is the lack of concern for providing accurate information. We often find that security companies are telling outright lies (or they are so unfamiliar with the basics of security that they have no idea they are not telling the truth and shouldn’t be in the security industry). When it comes to security researchers, security professionals, or security journalists, we have recently found, over and over, an apparent complete lack of concern that they might be providing inaccurate information, and a lack of understanding as to why others might take issue with that. That leads to a situation akin to trying to build the foundation of a home on quicksand, as can be seen in news coverage of security breach after security breach.
Coverage of WordPress plugin vulnerabilities is rather poor, and coverage of an authenticated option update vulnerability in the plugin Simple Social Buttons, disclosed on Monday, was no exception. For example, you had a security journalist who frequently spreads false and misleading information, Catalin Cimpanu, make this statement regarding WordPress: