5 Feb 2024

WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability

It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, describing the claimed vulnerability:

An unknown person discovered and reported this Sensitive Data Exposure vulnerability in WordPress CloudFlare Plugin. This vulnerability has been fixed in version 4.12.3. [Read more]

26 Jan 2024

Not Really a WordPress Plugin Vulnerability, Week of January 26

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Reflected Cross-Site Scripting (XSS) in Clearfy

WPScan claimed a reflected cross-site scripting (XSS) vulnerability had existed in the WordPress plugin Clearfy. The proof of concept provided, though, doesn’t work. Looking at the version this was supposed to be fixed in, there was a security improvement made, but it doesn’t look like the code was vulnerable, based on the proof of concept not working. [Read more]

26 Jan 2024

Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files

Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:”

This critical vulnerability has me worried. It keeps coming up in my Wordfence scans. I’m thinking about deactivating and deleting this plugin for now (at least until it’s patched). [Read more]

19 Jan 2024

Not Really a WordPress Plugin Vulnerability, Week of January 19

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Cross-Site Scripting (XSS) in Alert Before Your Post

Our firewall plugin has been blocking attempts trying to exploit what at least one hacker believes to be a vulnerability in the plugin Alert Before Your Post, where the attempt looks like this: [Read more]

16 Jan 2024

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities have actually been fixed, or if they even existed, before widely making claims about supposed vulnerabilities. We will get into more detail about that in a few moments, but first we will take a look at a couple of other recent examples, which show that wasn’t a one-off fluke.

We should note at the outset that the CEO of Wordfence, Mark Maunder, recently claimed their “data is impeccable” when we brought up the well-known problems with it. [Read more]

21 Dec 2023

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. Part of what that is showing is that hackers are trying to exploit falsely claimed vulnerabilities that are really old. One of those involved a plugin named YouSayToo auto-publishing plugin, which was closed on the WordPress Plugin Directory so long ago that the date it was closed isn’t even listed. The plugin was last updated 12 years ago. Here was the exploit attempt sent to a customer’s website:

/wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=</script><script>alert(document.domain)</script> [Read more]
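The monitoring described above, as an added example that is not the firewall plugin's own code: a small Python checker that parses web-server access-log lines, decodes each query parameter (including double-encoded ones) and flags requests carrying a script payload, run over constructed sample lines that include the yousaytoo.php probe quoted in the post. The combined log format, IP addresses, timestamps, status codes and the two benign requests are assumptions made for the example.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Apache "combined" format.
# Only the yousaytoo.php path and query string come from the post; the
# IPs, timestamps, status codes and the two benign requests are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Dec/2023:10:11:12 +0000] "GET /wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=</script><script>alert(document.domain)</script> HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Dec/2023:10:11:13 +0000] "GET /wp-content/plugins/yousaytoo-auto-publishing-plugin/yousaytoo.php?submit=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2023:10:12:00 +0000] "GET /?s=script+tags HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Dec/2023:10:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# One combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Plugin slug from a /wp-content/plugins/<slug>/... path.
PLUGIN_RE = re.compile(r'^/wp-content/plugins/([^/]+)/')

# Markers of a script-injection payload once the value has been decoded.
XSS_RE = re.compile(r'<\s*/?\s*script\b|\bon[a-z]+\s*=|javascript:', re.I)


def decode_param(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss_probes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per query parameter that carries an XSS payload."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        parts = urlsplit(m["target"])
        plugin = PLUGIN_RE.match(parts.path)
        # parse_qsl decodes one layer; decode_param strips any further layers
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            payload = decode_param(raw)
            if XSS_RE.search(payload):
                hits.append({
                    "ip": m["ip"],
                    "plugin": plugin.group(1) if plugin else "",
                    "param": name,
                    "payload": payload,
                    "status": m["status"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_xss_probes(SAMPLE_LOG):
        # A 404 means the probed file is not installed at all: the request
        # was blind scanning, not a working exploit against this site.
        print(hit["ip"], hit["plugin"], hit["param"], hit["status"], hit["payload"])
```

The check tells you what is being probed and from where; it says nothing about whether the site is vulnerable. A probe against a plugin closed so long ago the directory no longer lists the date, returning a 404 because the file is not there, is scanner noise, which fits the point of the post that the claimed vulnerability never existed in the first place.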

6 Dec 2023

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations where, unsurprisingly, there wasn’t helpful information being provided. Things have been slightly better on the WordPress support forum for the plugin, but still you had alarmist information. One topic is titled, “Security breach and vulnerability in all versions.” Wordfence, in turn, is citing Patchstack when making this claim. The reality is that there isn’t a vulnerability, something the WordPress security team told the original source of the claim, but which Wordfence and Patchstack have ignored.

While Wordfence and Patchstack are both claiming that this is an issue with the Gutenberg plugin, that isn’t what the original source they are citing says. Their post is titled “CVE-2022-33994:- Stored XSS in WordPress” and they start it this way: [Read more]

1 Dec 2023

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins:

“There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we are seeing out there encourage researchers to generate a high volume of low risk vulnerabilities to get rewarded. These high numbers are then used to market security products.” [Read more]

27 Nov 2023

Patchstack’s Plugin Vulnerability Data Continues to Not Be Impeccable Either

There are many sources for data on WordPress plugin vulnerabilities. Or there appears to be. In reality, most sources are simply copying their data from the others. The results of that are often quite poor, which the providers simply deny. Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and, to a lesser degree, competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too. [Read more]

27 Oct 2023

Not Really a WordPress Plugin Vulnerability, Week of October 27

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic reports, we release posts detailing why the vulnerability reports are false, but there have been a lot of reports that we haven’t felt rose to that level. In particular, there are items that are not outright false, where the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post when we come across them.

Missing Authorization Checks on Backup Exports in Everest Backup

Wordfence claimed the plugin Everest Backup had contained what they labeled as “Missing Authorization Checks on Backup Exports”, which isn’t even a type of vulnerability. But the description they provided sounds like a description of a vulnerability: [Read more]