30 Jul 2024

Hacker Targeting Vulnerability That Was in Shield Security WordPress Plugin

Last week, our own WordPress firewall plugin blocked an attempt to exploit a vulnerability in another security plugin, Shield Security. On the one hand, that should be shocking. A security plugin with a security vulnerability serious enough that a hacker would try to exploit it. On the other hand, the developers of most WordPress security plugins have little concern with security. The developer of this plugin, for example, didn’t care enough to make sure its firewall actually works at all. If the firewall worked well, the issue couldn’t even be exploited.

Here is what was logged when the hacking attempt was blocked: [Read more]

25 Jul 2024

Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins Matter?

Yesterday, we discussed what we found when we tried to assess the value of OpenSSF Scorecard scores for WordPress plugins. OpenSSF Scorecard scores are supposed to “quickly assess open source projects for risky practices.” With WordPress plugins, we found that it was of limited value due to the lack of scores for many plugins, no easy way to check whether a plugin has a score, and questionable metrics. Another use for this with WordPress plugins would be looking at the scores for libraries included in WordPress plugins. While looking into gathering more information on libraries included in plugins for our Plugin Security Scorecard, we found that a major promoter of the OpenSSF Scorecard project is using multiple libraries in a popular plugin despite low scores. That raises the question of how much weight others should put in those scores, if a major proponent appears not to put much.

Google has been heavily involved in the OpenSSF Scorecard project since the beginning. The blog post announcing the project on the OpenSSF was written by a Google employee. Days later, Google’s Open Source Blog promoted the project. Google’s involvement has continued as new versions of the scorecard have been released. Google is also the developer of the Site Kit by Google plugin, which has 4+ million active installs according to wordpress.org data. That includes 7 third-party libraries referenced in a file generated by Composer in the plugin. [Read more]

24 Jul 2024

Popular WordPress Plugins Get Low OpenSSF Scorecard Security Scores, But Does it Matter?

We recently introduced a Plugin Security Scorecard tool to promote better handling of security by the developers of WordPress plugins. A direct inspiration for this is the Open Source Security Foundation’s (OpenSSF) Scorecard. That is marketed as allowing you to “quickly assess open source projects for risky practices” and is supposed to have information on “over 1 million of the most used OSS projects.” While the marketing makes their solution sound impressive, there is a decided lack of evidence put forward that it provides useful results. That seems important, considering that the broad scope of the project raises questions about how reliable the results can be across such divergent software. As we look to improve our own tool, we wanted to better understand what that delivers for WordPress plugins. The results were not great.

Limited Breadth of WordPress Plugins Covered

While it is claimed that over 1 million of the most used OSS projects are covered, the website doesn’t provide further details on what is covered. So there is no breakdown of how many WordPress plugins are covered and what those are. As best we can tell, the project checks software hosted on GitHub and GitLab, so WordPress plugins hosted on the WordPress Plugin Directory could only be checked if they are also hosted on one of those. [Read more]

22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

12 Jul 2024

Insights That Australia’s Report on Chinese Hacking Campaign Has for Securing WordPress Websites

This week the Australian government released an advisory focused on a Chinese hacking campaign, which includes a couple of case studies looking into successful hacks. The information in the advisory provides some valuable insights for those looking to better protect WordPress websites, even if they are not facing threats from a nation state.

The hacking campaign involves a group the advisory states “conduct malicious cyber operations for the [People’s Republic of China] Ministry of State Security (MSS)”, which they refer to as “APT40” and those in the security industry refer to as “Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk.” (Some of those names by the security industry don’t make the industry seem all that credible.) While the average WordPress website is highly unlikely to be targeted by a group like this, elements of the hacks happen to average WordPress websites on a daily basis. One element highlighted a significant limitation of a security solution sometimes implemented on WordPress websites. [Read more]

10 Jul 2024

WordPress Plugin Developers Can Use security.txt Files to Aid in Getting Security Issues Reported to Them

In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Block hadn’t been fully fixed. It was a good reminder of the importance of relying on vulnerability data that is actually vetted, which isn’t true for most sources. At the time, we had tried to contact the developer to let them know about the failure to fully fix this, but they didn’t provide a contact method to do that. We did find that the parent company of the developer, WP Engine, has a security page, but that doesn’t provide a contact method for non-customers to contact them. It directs customers to contact them through a general contact form. Both of those things are odd. It also mentioned a third-party vulnerability bug bounty program, which wouldn’t be relevant to address the issue we were trying to reach them about (and wouldn’t get us in touch with them).

The vulnerability has remained in the plugin since then. The plugin had remained in the WordPress Plugin Directory despite the plugin being publicly known to be vulnerable. That is, until two days ago, when it was closed on there: [Read more]

26 Jun 2024

Attacker Adding Malicious Code to Legitimate WordPress Plugins in Plugin Directory Quickly Caught

When it comes to vulnerabilities in WordPress plugins, they often go unnoticed for years, as was the case with a vulnerability we ran across in WooCommerce this week. But with another situation in the last week, where an attacker was able to update plugins in the WordPress Plugin Directory to add malicious code to them, the situation was caught and addressed in the most popular plugins in 36 hours. Based on what we can determine so far, it appears the situation is one to learn from, but not a sign of a significant problem.

The Plugins

Looking at the five plugins lessens the concern here. The install counts are not too high for most of them. The most popular plugin has 30,000+ active installs according to WordPress and the least popular has 60+: [Read more]

25 Jun 2024

WooCommerce is Exposing Private Product Information Through Store API

While looking into something related to the now discontinued WooCommerce Blocks plugin from Automattic, we noticed what appeared to be a vulnerability in that. That plugin has long been incorporated into the main WooCommerce plugin and we confirmed the vulnerability exists in the latest version of that plugin. The vulnerability exposes information that isn’t meant to be public about WooCommerce products through the WooCommerce Store API. There are possibly more issues related to that API, as we have only looked into this specific issue so far.

According to the Store API Guiding Principles, private data shouldn’t be provided through the API (emphasis theirs): “Store data such as settings (for example, store currency) is permitted in responses, but private or sensitive data must be avoided.” Despite that statement, it doesn’t appear that even basic security review has been done on the code. And it hasn’t been done in years, as the vulnerable code dates back four years. Automattic needs to review that more thoroughly. [Read more]

17 Jun 2024

Websites Used As Part of WordPress Hacking Campaign Running Behind Cloudflare

Last week, we looked at the unfixed vulnerability in a WordPress plugin being targeted by a hacking campaign. What was also captured by our firewall’s logging when exploit attempts were stopped was the malicious payload the attacker was attempting to load onto websites. The payload consisted of PHP code that would be placed in a new file with the .php extension on the website. The attacker could then request the URL for the file and the code in it would run. Something in the code stood out to us. The hacker is relying on two legitimate providers to support one element of the campaign. One is more notable than the other, as it is a security provider, Cloudflare. It isn’t the first time that has been true recently.

The Malicious Code

Here is the malicious code that was the payload of the exploit attempts, with some formatting done to make it more readable: [Read more]

14 Jun 2024

WordPress Isn’t Warning Users of Plugin With Unfixed Vulnerability That Is Being Exploited

This week, our Plugin Vulnerabilities Firewall plugin has blocked several attempts across our websites to exploit a vulnerability in a WordPress plugin. In investigating the attacks, we found that the vulnerability exists in the most recent version of the BuddyPress Cover plugin. That plugin was closed on the WordPress Plugin Directory on May 28:

[Read more]