7 Aug 2024

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From Patchstack

One differentiation between our WordPress firewall plugin and other firewall plugins is that we try to give users an accurate understanding of the risk posed by attacks, instead of scaring them unnecessarily. That lack of respect for users from other providers extends to other areas, particularly false claims that other WordPress plugins contain vulnerabilities. Those two issues came together recently, when we were checking on a hacker’s attempt to exploit a vulnerability on our own website.

In August of last year, Patchstack claimed that there had been a vulnerability in the WordPress plugin Stock Ticker. They claimed it was “moderately dangerous” and “expected to become exploited:” [Read more]

6 Jun 2024

Another Fake Vulnerability in Wordfence Security Is Still Being Targeted 4 Years On

Yesterday, we looked at a hacker’s attempt to target an apparent vulnerability in the WordPress security plugin Wordfence Security that turned out to have never existed. We looked at that because our own firewall plugin had blocked attempts to exploit it. It isn’t the only fake vulnerability that hackers are trying to exploit in Wordfence Security years after the false claim was made.

On our own website, the firewall plugin blocked this request recently: [Read more]

5 Jun 2024

Hackers Still Targeting Fake Vulnerability in WordPress Plugin Wordfence Security 4 Years On

One way that WordPress security plugins and other security solutions make it appear that they are delivering more protection than they really are is by emphasizing how many attacks they have stopped, without distinguishing between attacks that would have succeeded otherwise and those that wouldn’t have. That is a key detail, as almost all attacks will fail on their own. One reason for that is that hackers keep trying to exploit vulnerabilities years after it would make any sense to do so. Another is that hackers try to exploit vulnerabilities that never really existed. We recently spotted an example of those two coming together, involving Wordfence Security, a WordPress security plugin known for unnecessarily scaring its users by emphasizing attacks that would have been unsuccessful anyway.

One of the users of our own firewall plugin reported that it had blocked what appeared to be an attempt to exploit a vulnerability in Wordfence Security. The request blocked was this: [Read more]

24 May 2024

CleanTalk Makes Up “Critical” Vulnerability in 100,000+ Install WordPress Plugin

WordPress security providers frequently falsely claim that popular WordPress plugins contain serious vulnerabilities that don’t really exist. One repeat source of those claims is CleanTalk. They recently claimed that the plugin Social Icons Widget & Block by WPZOOM, which has 100,000+ installs, contained “[a] critical security vulnerability” and the “vulnerability exposes websites to the risk of Stored Cross-Site Scripting (XSS) attacks, potentially leading to account takeover and compromising website integrity”. They also claimed that “if an attacker has previously hijacked an administrator or editor account, he can plant a backdoor to regain access back.” In reality, the “attacker” would already have to have complete control of the website and would already be allowed by WordPress to do what is supposed to be the vulnerability.

One critical element in determining the severity of a vulnerability, or if there is even a vulnerability, is what level of access is needed to exploit it. For example, if you need an account on the website, that would usually stop an attacker from exploiting the vulnerability. What is supposed to be the proof of concept for this lacks clear information to determine what level of access is needed, as it states: [Read more]

17 May 2024

Not Really a WordPress Plugin Vulnerability, Week of May 17

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Local File Inclusion in TheCartPress

Our firewall plugin has been blocking attempts trying to exploit what at least one hacker believes to be a vulnerability in the plugin TheCartPress, where the attempt looks like this: [Read more]

10 May 2024

Not Really a WordPress Plugin Vulnerability, Week of May 10

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) in NextGen Gallery

Our firewall plugin has been blocking attempts trying to exploit what at least one hacker believes to be a vulnerability in the plugin NextGen Gallery, where the attempt looks like this: [Read more]

2 May 2024

Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability

In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do the basic vetting they claim to do. Another provider, Patchstack, had similarly falsely claimed that WooCommerce contained that vulnerability. Belatedly, WPScan, which, like WooCommerce, is owned by Automattic, made the same claim. They provided a proof of concept that was supposed to show the exploitation: [Read more]

29 Apr 2024

Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability

While reviewing a recent hacker’s attempt to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that the plugin contained a serious vulnerability.

Here is the log entry for the attempt that was stopped: [Read more]

16 Feb 2024

Not Really a WordPress Plugin Vulnerability, Week of February 16

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been many that we haven’t felt rose to that level. In particular, there are items that are not outright false, but where the issue is probably more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Admin+ SQL Injection in POST SMTP

WPScan is claiming that the WordPress plugin POST SMTP had contained an admin+ SQL injection vulnerability. Presumably, they are claiming the attacker would need to be logged in as an Administrator, but that isn’t clear from their description, which says “exploitable by high privilege users such as admin.” If it were only accessible by Administrators, that wouldn’t be a vulnerability unless there was also an issue with cross-site request forgery (CSRF). [Read more]

5 Feb 2024

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a vulnerability. That same day, Wordfence claimed that the version had fixed what they labeled as an “Authenticated(Shop Manager+) Stored Cross-Site Scripting via variable pricing options” vulnerability and described this way:

The Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the variable pricing option title in all versions up to, and including, 3.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. [Read more]