30 Oct 2023

Hacker Appears to Wrongly Target WordPress Plugin Based on Patchstack’s Inaccurate Info on Vulnerability

On Saturday, a hacker was widely probing for usage of the WordPress plugin Thumbnail Slider With Lightbox. That was somewhat odd, as the plugin only has 1,000+ installs according to WordPress, and our data set of claimed vulnerabilities in the plugin contains only claims of really minor vulnerabilities. So what explained their interest?

One thing that is abundantly clear based on monitoring we do is that hackers are focusing a lot on trying to exploit vulnerabilities highlighted by data providers we compete with. There is a sometimes uncomfortable relationship between these providers and hackers. For example, one of them is willing to sell information to hackers about vulnerabilities before they notify developers. [Read more]

9 Oct 2023

Another Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed Exploitable Vulnerability

On Friday, we saw a hacker probing for usage of the WordPress plugin Dropshipping & Affiliation with Amazon across our websites and other websites. As part of keeping track of vulnerabilities in WordPress plugins for our service, we needed to try to figure out what explained that interest. What we found was alarming, though unsurprising. Three days before that the WordPress security provider Patchstack had vaguely claimed the latest version of the plugin contained a fairly serious vulnerability. And yet as of writing, the vulnerable plugin still is available in the WordPress Plugin Directory. So something clearly has gone wrong here. And not for the first time, even very recently.

As with another recent instance of an unfixed vulnerability likely being targeted, it wouldn’t be hard for WordPress to release a fix to stop exploitation. That is something we have offered for years to help them with. They haven’t taken up our offer of help or dealt with it on their own. [Read more]

9 Oct 2023

Full Path Disclosure Vulnerability in Simple File List

Hackers were recently probing for usage of the WordPress plugin Simple File List. While looking into a security change made in the latest version of the plugin, we found that as of the previous version, there was a full path disclosure vulnerability in the plugin. That type of vulnerability reveals the full file system path of the website's files on the server. That information can sometimes be combined with another vulnerability that needs a path to target, and on shared hosting the path often contains the account's username, so it could also disclose server usernames.
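As an added illustration of the vulnerability class (this is constructed example code, not Simple File List's code, and the plugins_url() call and file names are stand-ins), the following shows the most common way a WordPress plugin ends up with a full path disclosure: a plugin file that can be requested directly by URL calls a WordPress function, WordPress is not loaded for a direct request, and PHP's resulting error message includes the absolute path of the file. The hardened version is the standard guard used by WordPress plugins. Running the script with the PHP CLI reproduces the disclosure on your own machine, since WordPress is absent there just as it is for a direct request.

```php
<?php
// Added example, not code from Simple File List or WordPress.
// Shows the usual cause of a full path disclosure in a WordPress plugin and the
// guard that prevents it. plugins_url() is a real WordPress function; it is
// undefined here because WordPress is not loaded, which is exactly the state a
// file is in when a visitor requests it directly instead of through WordPress.

// Vulnerable pattern: the file calls a WordPress function unconditionally.
// Requested directly (e.g. /wp-content/plugins/<slug>/view.php), the call
// fails and, with display_errors on, the visitor sees the message below,
// including the absolute path from __FILE__ (often /home/<username>/...).
function vulnerable_direct_access(): string
{
    try {
        return plugins_url('assets/style.css', __FILE__);
    } catch (\Error $e) {
        // PHP 7+ raises Error for undefined functions; the text that would be
        // printed to the visitor is reconstructed here so the script runs.
        return 'PHP Fatal error: ' . $e->getMessage()
            . ' in ' . $e->getFile() . ' on line ' . $e->getLine();
    }
}

// Hardened pattern: refuse to run unless WordPress bootstrapped this file.
// ABSPATH is defined by WordPress itself, so a direct request never reaches
// the code below and nothing about the file system enters the response.
function hardened_direct_access(): string
{
    if (!defined('ABSPATH')) {
        return ''; // in a real plugin file this is simply: exit;
    }
    return plugins_url('assets/style.css', __FILE__);
}

echo 'Vulnerable file served directly: ', vulnerable_direct_access(), PHP_EOL;
echo 'Hardened file served directly:   [', hardened_direct_access(), ']', PHP_EOL;
```

To check a site for this pattern without source access, request a plugin's PHP files directly (for example `https://<your-site>/wp-content/plugins/<slug>/<file>.php`, with the host and file being whatever you are testing) and look for a server path such as `/home/` or `/var/www/` in the response. Note that turning off error display (WP_DEBUG_DISPLAY or display_errors) only masks the disclosure; the fix is the guard above, placed at the top of every plugin file that is not meant to be loaded on its own.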

[Read more]

2 Oct 2023

Patchstack, Wordfence, and Developer Make Mess of Minor Vulnerability in 100,000+ Install WordPress Plugin

On Friday, the 100,000+ install WordPress plugin Optimize Database after Deleting Revisions was closed on the WordPress Plugin Directory without any explanation. The lack of explanation isn’t helpful for users of the plugin. A likely explanation is a mess related to a minor security vulnerability in the plugin. That vulnerability has been poorly handled by Patchstack, which started things, as well as by Wordfence and the developer of the plugin.

Users of the plugin have been left without clear information on what is going on with the vulnerability claim for months, which hopefully this can clear up. [Read more]

18 Sep 2023

Hacker Likely Targeting Unfixed Vulnerability in WordPress Plugin Mislabeled as Much Less Serious Vulnerability by Patchstack and Wordfence

Over the weekend, we saw one of the usual hackers probing for usage of WordPress plugins, this time probing for usage of a plugin named Export Import Menus. That plugin was closed on the WordPress Plugin Directory on September 12, with no explanation for the closure. Before it was closed, WordPress listed it as having 10,000+ active installs. Upon seeing that, we needed to figure out what a hacker might be interested in exploiting in the plugin and whether it was an already known issue. These days, hackers often target vulnerabilities being disclosed by other plugin vulnerability data providers. There was a recently disclosed vulnerability in the plugin, but one that wouldn’t be of much interest to hackers. With further checking, we found the vulnerability is actually much more serious than was claimed by other providers and would likely be a target for hackers.

If the team running the WordPress Plugin Directory had known about the severity of the vulnerability, they could and should have pushed out a fix for the vulnerability before a hacker started targeting the plugin. They also could have forced out an update to address it. Fixing it enough to prevent exploitation would have been very easy. It only takes two lines, which we show below. With the inaccurate information provided by other providers, though, they wouldn’t have known that this was a serious issue. [Read more]

14 Sep 2023

Automattic Reintroduced Security Vulnerability Into WooCommerce, Their WPScan Missed That

Automattic is the company of the head of WordPress, Matt Mullenweg. Among its operations, it sells access to (often inaccurate) information on vulnerabilities in WordPress plugins through WPScan. Earlier this week WPScan added an entry for a claimed vulnerability in Automattic’s own WooCommerce plugin, which has 5+ million installs according to WordPress’ data. They claimed the vulnerability had been fixed in version 7.0.1:

[Read more]

7 Sep 2023

WPMU DEV and Their Partner Patchstack Didn’t Handle Security Vulnerability in 400,000+ Install Plugin Well

WPMU DEV is a WordPress plugin developer that we have noted in the past hasn’t been handling security well despite being a security provider. They offer the Defender plugin, which WordPress says has 90,000+ installs. WPMU DEV claims that the pro version of that has 300,000+ installs. If you head to the homepage for the pro version right now, they claim to provide “reliable WordPress security”, which is powered by Patchstack:

[Read more]