30 Aug 2024

WordPress Plugin Security Review: Neznam Atproto Share

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Neznam Atproto Share. (We ended up not using the plugin for a reason unrelated to what we found during the review.)

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service. [Read more]

28 Aug 2024

WordPress Plugins Failing to Properly Uninstall Leads to Sensitive Information Being Left Behind

We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While working on the security review, we ran into an issue that hasn’t been checked for as part of our security reviews, but in hindsight, is something that should be checked. It turns out that it is an issue that impacts many WordPress plugins, including a couple of plugins with 10+ million installs.

We will be releasing the results of the review once the developer has had a chance to respond to the issues we found. So without getting into the specifics of the issue in the plugin, what we found was that the plugin stores sensitive information as WordPress options (settings) and doesn’t remove it when the plugin is uninstalled. The sensitive information is credentials for an API. Not only is that a security issue, it goes against the “basics” of how WordPress plugins are supposed to operate. The Uninstall Methods section of the Plugin Handbook states that “When your plugin is uninstalled, you’ll want to clear out any plugin options and/or settings specific to the plugin, and/or other database entities such as tables.” It also defines when a plugin is uninstalled: “A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link within the WordPress Admin.” [Read more]

27 Aug 2024

Wordfence Caused 18 Day Delay in Developer Being Notified of WordPress Plugin Vulnerability

One of the more troubling things going on with our competitors in providing information about vulnerabilities in WordPress plugins is how those security providers are trying to direct vulnerability reports about plugins away from developers to themselves. Among the problems with that is that it can lead to significant delays in developers being informed of them. Here, for example, is the timeline that Wordfence disclosed for one recent instance of such redirection:

May 26, 2024 – We received the submission for the PHP Object Injection to Remote Code Execution vulnerability in GiveWP via the Wordfence Bug Bounty Program.
June 10, 2024 – We validated the report and confirmed the proof-of-concept exploit.
June 13, 2024 – We sent the full disclosure details to the vendor’s known email address. [Read more]

27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence’s blog, they were claiming their “mission is to Secure the Web.” If you understand their business model this rings hollow, as what they offer is built around trying to address the after-effects of not securing the web. That very blog post also disputes that, as they confronted a well-known problem with better securing plugins and simply ignored the problem. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP. StellarWP is the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a report of a vulnerability in GiveWP, another plugin from StellarWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about that. First, they wrote this: [Read more]

26 Aug 2024

WordPress Documentation Doesn’t Warn About Security Risk of maybe_unserialize()

Last week we looked at an insecure WordPress function, maybe_unserialize(), that was part of the cause of a “critical” vulnerability that was receiving press coverage. We noted a couple of troubling conversations on the Trac ticket system for WordPress related to that function and PHP object injection, which the insecure function permits. A commenter on the post noted another relevant Trac conversation that raises more concerns.

Someone labeled as a Core Committer of WordPress in part wrote this in 2017: [Read more]

23 Aug 2024

Unaddressed WordPress Security Issue Behind Recent “Critical” Vulnerability in 100,000+ Install Plugin

Earlier this week, the WordPress security provider Wordfence released a post about a claimed “critical” vulnerability found in a WordPress plugin with 100,000+ installs. In that post they made this claim:

Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. [Read more]

16 Aug 2024

WordPress Plugin Security Review: Open Graph

Before we start using a new WordPress plugin on our website, we do a security review of it, which led to us doing one for Open Graph.

If you want a security review of plugins you use, when you become a paying customer of our service, you can start suggesting and voting on plugins to get security reviews from us. For those already using the service that haven’t already suggested and voted for plugins to receive a review, you can start doing that here. You can use our tool for doing limited automated security checks of plugins to see if plugins you are using have possible issues that would make them good candidates to get a review. You can also order a review of a plugin separately from our main service. [Read more]

14 Aug 2024

The Security Industry Isn’t Taking Responsibility for the Poor State of Industry That Led to CrowdStrike Outage

The massive outage caused by a faulty update by the equally massive security company CrowdStrike should be leading to a lot of soul searching in the security industry, but based on reporting from a major industry conference, it isn’t.

CrowdStrike has released what they call a preliminary Post Incident Review (PIR) on the incident. What stands out in that is how much of it is not focused on explaining what went wrong and how it will be fixed, but instead on things that are unrelated to the incident. For example, they have three paragraphs related to something that isn’t relevant to the incident and then in the next paragraph they admit that, “[t]he event of Friday, July 19, 2024 was not triggered by” that. [Read more]

13 Aug 2024

WordPress Coding Standards is Failing to Warn About Missing Sanitization and Requiring Unnecessary Sanitization

One of the things that our new Plugin Security Scorecard uses to grade the security of WordPress plugins is a subset of the checks from our Plugin Security Checker. The subset is intended to cover things that are always a security issue and should be addressed, whereas the full set of checks will also flag things that could be secure but often are not and need to be checked. That subset checks for things you would only expect to be issues with certain types of plugins and from certain developers. But the actual results of plugins checked so far tell a different story.

The 5+ million install plugin Wordfence Security has been flagged with “[t]he function filter_input() is used without a filter, so it doesn’t do any filtering.” Similarly, the 100,000+ install Jetpack Protect plugin has been flagged with “[t]he function filter_var() is used without a filter, so it doesn’t do any filtering.” That plugin is from Automattic, the company so closely associated with WordPress that it is now not uncommon for WordPress to be seen as an arm of the company. That isn’t the only plugin from Automattic with issues. The 4+ million install Jetpack and the 7+ million install WooCommerce have been found to have both of the previously mentioned issues. The threat posed by that would depend on what is done after the filter-less filtering is done, but the filter-less filtering shouldn’t be happening even if there isn’t a larger issue. [Read more]