12 Aug 2024

“Powerful Firewall Rules” Don’t Stop Exploitation of Reflected XSS Vulnerability in WordPress Security Plugin Shield Security

As part of refining our new Plugin Security Scorecard tool, we are very interested in making sure that the grading it provides is useful. As we noted last month, an inspiration for our own tool, the OpenSSF Scorecard, doesn’t necessarily produce great results. To an extent, that is because a major company behind it doesn’t appear to care much about the scores. Currently, many security plugins get low grades with our tool, based on a combination of general issues and issues specific to security plugins. Seven of the graded security plugins currently have an F grade. Some because the plugins are themselves vulnerable. Others because of a litany of other issues with the plugins. One of those in the latter category is Shield Security. The F grade is based on the following issues:

  • Base64 obfuscated content detected.
  • The plugin’s changelog on the WordPress Plugin Directory is missing information on the latest version of the plugin, making it hard to know what changes have been made and if any of those are security fixes.
  • The plugin doesn’t contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.
  • The plugin isn’t listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.
  • The plugin blocked less than half of the exploit attempts from the Plugin Vulnerabilities Firewall regression testing suite the last time the plugin was tested, so it is missing a lot of the protection it could be offering, and that another plugin is offering.
  • The plugin is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.
  • The plugin isn’t providing a warning that its information on vulnerabilities in WordPress plugins is unreliable because it comes from a source known not to properly vet the information. That lack of vetting can lead to situations where a “fixed” vulnerability is subsequently widely exploited because there wasn’t really a fix.
  • The plugin is spreading misleading information about brute force attacks against WordPress websites, which are not actually happening, and causing the WordPress community to not focus on real security threats.

That plugin getting an F grade seems reasonable considering how many security vulnerabilities are being found in the plugin. A couple of weeks ago, we talked about one of those after our own firewall plugin stopped an attempt to exploit it. What we didn’t focus on there is that Shield Security’s firewall wouldn’t stop the attack. It isn’t the only recent vulnerability where that is true. That brings us back to our scorecard. [Read more]

9 Aug 2024

Freemius Still Hasn’t Resolved All the Security Issues in Their SDK Library

In a blog post last year, Freemius bizarrely criticized us for not working with them to fix vulnerabilities in their library that ships with many WordPress plugins, while linking to a post from the year before where they admitted to having been the ones refusing to work with us. The post last year revolved around them belatedly addressing a security issue that we had tried to address with them the year before. They also criticized us for publicly disclosing vulnerabilities we had discovered during a security review of a plugin using it, instead of allowing competitors to disclose them. (In a previous incident, they accused us of full disclosure of a vulnerability, despite us only knowing about it because it had already been exploited and fixed.) In both posts they derisively referred to those in the security industry as “trolls”. That type of behavior shouldn’t be acceptable in the WordPress community.

Unsurprisingly, considering Freemius’ abusive attitude towards the security industry and their unwillingness to take responsibility for their continued poor handling of security, they still haven’t gotten all the security issues resolved related to what we brought up with them two years ago. [Read more]

7 Aug 2024

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From Patchstack

One differentiation between our WordPress firewall plugin and other firewall plugins is that we try to provide users with a good understanding of the risk posed by attacks, instead of scaring people unnecessarily. That issue with lack of respect for users from other providers extends to other areas, particularly with false claims that other WordPress plugins contain vulnerabilities. Those two issues came together recently, when we were checking on a hacker’s attempt to exploit a vulnerability on our own website.

In August of last year, Patchstack claimed that there had been a vulnerability in the WordPress plugin Stock Ticker. They claimed it was “moderately dangerous” and “expected to become exploited:” [Read more]

6 Aug 2024

WordPress Generated Nonces Don’t Generally Provide CSRF Protection for Those Not Logged In

We were recently looking into a somewhat convoluted situation with a vulnerability in a WordPress plugin. Part of investigating that involved checking on something involving usage of a nonce for those not logged in to WordPress. Nonces are used to protect against cross-site request forgery (CSRF) vulnerabilities. It turns out that if you do a web search looking to see if those can be used for those not logged in, you can get some pretty poor information. Part of the problem is that there are people handing out security advice who don’t know what they are talking about. That includes the moderators of the WordPress Support Forum. Here was the long-winded non-answer one of them gave to someone asking a specific question about nonces for those not logged in to WordPress:

There are few absolutes in security. A trade-off between difficulty and benefits gained. It’s “better” to use a nonce to help ensure the data is coming from your own form. In some cases the security gained would be so minimal that it wouldn’t matter much. If you make the effort anyway, there’s no harm in it. Rather than following “rules” you read here and there, it’s better to actually understand the security implications and consequences and act accordingly to a specific situation. Granted, easier said than done. Security is an ever evolving topic. Lacking such understanding, better safe than sorry is a reasonable approach. [Read more]

6 Aug 2024

CleanTalk Isn’t Doing Real Security Reviews of WordPress Plugins and Their Plugin Contains Vulnerabilities

Last week we mentioned in a post that security reviews of WordPress plugins would provide a good idea of how secure they are, but those reviews are rarely done. Just prior to writing that post, we ran across a security provider claiming to be doing those reviews, and a lot of them. That provider being CleanTalk. In checking into whether they were really doing reviews, we found that their own plugin, Anti-Spam by CleanTalk, which they had just claimed to have reviewed and found no issues with, contains easy-to-spot vulnerabilities because of a lack of basic security. Those would have been caught by a real review. We found the same missing check in other plugins they claimed to have reviewed.

We have previously noted on our blog multiple instances where CleanTalk was either very confused about security or just being dishonest. In February, we noted that they had greatly overstated the risk of a vulnerability, seemingly because they lack a basic understanding of securing web apps. In May, we noted they had made up a “critical” vulnerability in a plugin with 100,000+ installs. That same month, we noted they had claimed that a vulnerability in another 100,000+ install plugin had been fixed, when it hadn’t. [Read more]

5 Aug 2024

WordPress Plugin Developer Security Advisory: Bill Minozzi

One of the little understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted that they haven’t done that. A smaller number of plugin developers are either unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.

In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisories, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website. [Read more]

2 Aug 2024

WordPress is Telling People to Report Security Issues Through a Bug Bounty Program That Doesn’t Accept Many of Them

In August of last year, we noted a significant problem with reporting security issues with a WordPress plugin that comes directly from WordPress, Health Check & Troubleshooting, which has 300,000+ installs. That problem being that they didn’t provide a method to report most security issues to them privately. Because of that, we reported the issues we had noticed had just been introduced into the plugin through a public issue on the GitHub project for the plugin. It took until July for there to be a response. That response reinforced the problem. Here is the response we got:

Thank you for the report, as you note these are technically negated by various other mechanics, so this will be treated as a public hardening task. [Read more]

1 Aug 2024

Security Reviews and Software Bill of Materials (SBOMs) Should be Standard for WordPress Plugins

Recently, we have taken a renewed look at how to assess the security of WordPress plugins, as part of building up the capabilities of our new Plugin Security Scorecard tool. Right now, it is hard to easily assess the security of plugins, and what has filled the gap is often useless advice that suggests checking on things that are easy to check on but don’t have any correlation with the security of plugins. Our new tool tries to surface useful information to help assess if plugins are secure enough for usage on websites with varying degrees of security risk. Among other things, that includes warning about plugins still in the WordPress Plugin Directory despite being known to be vulnerable, warning about developers that have a track record of not handling security well, plugins that are not being supported anymore, and security code that is being misused. But there is more information that could be provided by developers, and we are hoping to incentivize more common usage of it by checking for its inclusion when calculating security grades.

Already, as part of the grading system, we check for inclusion of a security.txt file (or several equivalents) that provides information on how to contact the developers about security issues. Today we started checking for an additional piece of information in that file and next month we will add a check for another. [Read more]

31 Jul 2024

11 Month Wait for Security Fix for WordPress Plugin Highlights Value of Checking if Developers Are Supporting Plugins

In August of last year, we found that an update to a plugin coming directly from WordPress, Health Check & Troubleshooting, had introduced a couple of minor security issues. We reported those to the developers through the plugin’s GitHub project at the time. They finally responded and addressed those last week. That isn’t a good response time, but isn’t all that surprising considering the lack of much support for the plugin, despite having 300,000+ active installs. That lack of support ties into something we are now doing with our new Plugin Security Scorecard.

With our Plugin Security Scorecard, we are trying to provide an at-a-glance way to get a reasonable idea of how security is being handled with a WordPress plugin. As we noted last week, an inspiration for that is the OpenSSF Scorecard, which tries to do a similar thing across a much wider spectrum of software. What that other scorecard seems to lack is evidence that the components of the score (and therefore the overall score) are actually useful in assessing the security of software. With our own solution, we are interested in making sure its grading is based on useful information. That brings us back to Health Check & Troubleshooting. [Read more]