01 Mar

Our Plugin Security Checker Now Checks For Usage of Versions of Freemius with the Authenticated Option Update Vulnerability

To make it easy for those without a lot of technical skills to check if plugins are impacted by the authenticated option update that exist in older versions of the Freemius library we have updated our Plugin Security Checker so that when plugins that include a vulnerable version of that are checked there will be a warning about that.

While that would usually mean the vulnerability is exploitable through the plugin, we oddly found that in one of the 1,000 most popular plugins, Ultimate Social Media PLUS (Social Share Icons & Social Share Buttons), the library is included, but its usage has been disabled for 8 months. For some reason even with a serious vulnerability being found in the library, they haven’t removed the library from their plugin, but they did promptly update to the fixed version of Freemius. [Read more]

17 Dec

Yes, We Support ClassicPress (And You Can Help It While Also Protecting Against Plugin Vulnerabilities)

A month and half ago we were contacted by one of our customers to ask if we supported the fork of WordPress, ClassicPress. Since then we have been meaning to put out a post to let people know we do, but it turns out waiting allows to pair with another announcement.

When it comes to the security of WordPress plugins unfortunately the folks on the WordPress side of things seem at best highly misguided in what they are doing. For example, they have this bizarre idea that you should never warn people about unfixed vulnerabilities in plugins. That seems like odd idea if they are already publicly disclosed somewhere that hackers would already be looking (which is often the case), but you have to wonder if the team wants people to be hacked when they refuse to warn people after vulnerabilities are being exploited (and refuse to even discuss the alternative of fixing them). That is something that not only happens, but the head of team running the plugin directory explicitly stated that they think not warning people as they are being hacked is a good idea. Just to add to mess, the guy at the top of WordPress, Matt Mullenweg has claimed that unfixed vulnerabilities are only a “hypothetical issue not seen in practice“. [Read more]

25 Sep

Our New Disclosure Policy in Response to the Continued Inappropriate Behavior of the WordPress Support Forum Moderators

When it comes to handling disclosure of vulnerabilities we think the best approach isn’t either of the extremes, responsible disclosure or full disclosure. You might actually call responsible disclosure, irresponsible disclosure, since it could involve never disclosing a vulnerability if it isn’t fixed, which is a bad idea when it shouldn’t be assumed that others can’t independently find the same vulnerability someone else found and they might be someone that is going to exploit it. Beyond the obvious issues that can come with full disclosure, there are other real world problems that it can cause. Our approach up until now has been what we refer to as reasonable disclosure, which in our case tries to balance the need to notify our customers, who are paying to be notified about vulnerabilities in WordPress plugins, of vulnerabilities in a timely manner as well getting vulnerabilities fixed before disclosure happens as much as possible.

Here is what our policy has been up until now: [Read more]

09 Jan

Our Plugin Security Checker is Now Accessible Through a WordPress Plugin

When we introduced our Plugin Security Checker, which does limited automated security checks of WordPress plugins, in late October, one of the future enhancements we mentioned we were looking into was making the results available through our service’s companion plugin. After thinking it over we decided it would be better to create a separate plugin for that, so that way websites that use that the existing plugin that don’t have an interest in that functionally are not increasing the amount of code on their website and alongside that, the increased security risked that creates (that is something that makers of a lot security plugins look to have not considered in throwing in lots of different functionality in a single plugin, maybe not surprisingly there have been plenty of security vulnerabilities found in security plugins).

As of this morning our new Plugin Security Checker plugin has been included in the Plugin Directory, and can be directly installed in WordPress or downloaded from the plugin Directory. [Read more]

08 Dec

We Now Offer Our Plugin Vulnerabilities Service on a Pro Bono Basis for Human Rights Groups

Through our main business we have offered pro bono service to human rights groups for years and we had recently been thinking about offering this service in that fashion as well. Then we noticed that Human Rights Day would be coming up (it happens on Sunday), which seemed like a great reason to go ahead and launch that.

With our service the administrators of WordPress websites get notified if plugins being used on the website contain publicly disclosed vulnerabilities. While we try to work with developer to get any of those vulnerabilities that haven’t been fixed, promptly fixed (and can sometimes accomplish that very quickly), they don’t always get fixed in a timely manner or in some cases, ever. In those cases we are there to help the administrators make the best decision on how to handle the situation. In a lot of cases we can provide a workaround until the issue is fixed in a new version, though in some cases moving off the plugin is probably the best option. The service also provides access to our data set of vulnerabilities so that administrators can better access the security of plugin they or might want to use and it can also be used to determine if a vulnerability in a plugin was likely part of how a website got hacked. [Read more]

24 Jul

WordPress Plugin for Use in Testing for PHP Object Injection

Last month we introduced something new to our service, we are proactively monitoring changes to the WordPress plugins to see if they include some easy to spot vulnerabilities in them. We currently are restricting that to the most serious vulnerabilities due to amount of time it requires to do even that (if we had more customers we could justify expanding that further). One of the types of vulnerabilities we are monitoring for are PHP object injection vulnerabilities, as that is something that we have seen hackers exploiting on a fairly wide scale in the past. That has lead to us having to review more possible instances of that type of vulnerability and that in turn lead to us coming up with a simpler method to test if there is in fact an exploitable vulnerability. Seeing as this type of vulnerability looks to be under-noticed and our solution is so simple, we decide to share it.

The first part is a plugin, which can be downloaded here and then installed in the root plugin directory, /wp-content/plugins/. [Read more]

21 Jun

Free Security Reviews for Adopted WordPress Plugins

Through our main business we recently introduced a service to take over and maintain WordPress plugins that have been abandoned by their previous developers. As part of getting the plugin up to snuff when taking it over, we will do a security review of the plugin like the ones we already do as part of this service.

While putting together that service we noticed that there an unofficial system for plugin developers to identify if they are looking for someone to take over the plugin by tagging the plugin adopt-me. That seems like a good way to make sure that plugins can continue to be maintained, so to help that out, we are now offering to do free security reviews of any plugins that have been tagged and then adopted. [Read more]

08 Jun

Taking a Stand Against the Continued Poor Handling of Security With WordPress

While WordPress handles security fairly well, there are plenty of problems that we have seen in the work have done that ultimately lead to this service and then in doing the work for to this service, including ones that are leading to websites being hacked that shouldn’t be and that make our work to actually get the security of plugins improved unnecessarily harder. Some of these problems are getting worse, so we have decided to stop doing work that people on the WordPress side should have been doing themselves all along until they present concretes plans to fix two of the many issues. In the short term this will leave those not using our service with worse security, but if WordPress chooses to start moving in the right direction then security can be improved from where it is now. We would then love to work with them to improve other issues, as there are lots of areas were small changes would likely lead to significant improvement.

Poor Handling of Security

One of the most glaring recent examples of the poor handling of security is a refusal so far to fix a vulnerability in WordPress that was disclosed to the security team in July 2016 and publicly disclosed a month ago. The explanation for not having fixed it in all that time is underwhelming: [Read more]