11 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue

The changelog entry for the latest version of the WordPress plugin Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue reads “Fixed the vulnerability issues for WPML.”


[Read more]

8 May 2023

Wordfence Has Been Selling Info on Unfixed Vulnerability That Allows Website Takeover to Hackers for a Month

The WordPress security provider Wordfence makes a big deal about doing responsible disclosure of vulnerabilities, despite not actually doing that. Responsible disclosure involves notifying the developer first and giving them a chance to address the vulnerability before notifying anyone else. In Wordfence’s disclosure policy, they claim to do responsible disclosure and then go on to say that they will sell information about vulnerabilities, in the form of firewall rules, to those paying for their Wordfence Premium service before even notifying the developer. That policy also obliquely acknowledges that those firewall rules could be misused:

Where possible, we develop a firewall rule to protect our customers. This rule is obfuscated to prevent reverse engineering. [Read more]

8 May 2023

Authenticated Post Deletion Vulnerability in Directorist

As mentioned in another post about another vulnerability, for a month Wordfence has been selling information on exploiting two undisclosed, unfixed vulnerabilities in the plugin Directorist to anyone willing to pay for their Wordfence Premium service, hackers included. The second vulnerability is disclosed with this rule:


[Read more]

5 May 2023

Another Instance of CVE’s CNA Mess Leading to Multiple CVE Records for One Vulnerability

The About page for the CVE program starts with a claim that the program creates one CVE Record for each vulnerability:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. [Read more]

4 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Advanced Custom Fields

To better detect vulnerabilities being fixed in WordPress plugins in the WordPress Plugin Directory, we run all the changes being made to plugins used by our customers, and to plugins with at least a million installs, through a machine learning (artificial intelligence) based system we created. Today, that flagged a change being made to the 2+ million install plugin Advanced Custom Fields as fixing a vulnerability. The plugin’s changelog suggested that might be correct, as the entry associated with that change says that it “resolves an XSS vulnerability in ACF’s admin pages”, which was credited to Rafie Muhammad.

You can’t rely on a changelog to provide accurate information. The developer of this plugin, WP Engine, recently didn’t disclose that it was fixing a vulnerability in another of their plugins, and even when a changelog does make the claim, it doesn’t mean that a vulnerability really existed or that it has been fixed. As we have found with other changes flagged by this monitoring system, WordPress plugin developers sometimes fail to disclose that they are fixing a vulnerability and also fail to actually fix it. [Read more]

3 May 2023

Awesome Motive’s Easy Digital Downloads is Still Lacking Basic Security Despite Contrary Claim by Patchstack

Most days we see what appears to be a hacker probing for usage of a single WordPress plugin with a recently disclosed vulnerability, through a single request for a file from that plugin on each of our websites. Yesterday, we saw them doubling up on both the files they were requesting and the IP addresses being used. The plugin they were looking for was Easy Digital Downloads. It wasn’t hard to guess why, as Patchstack had disclosed how to exploit a serious vulnerability that had been fixed the day before. While reviewing this, we found that there are still security issues that run counter to a central claim made by Patchstack.

Before we get to that, it’s important to note who the developer of the plugin is. That is Awesome Motive. That would be the Awesome Motive whose chief security officer (CSO) is also the “security reviewer” on the team running the WordPress Plugin Directory. That would be the Awesome Motive that took two months to fix a publicly known vulnerability in a plugin with 3+ million installs. They frequently acquire existing WordPress plugins, which is how they came to be the developer of this plugin. The vulnerability that was fixed was introduced six months after they had acquired it. [Read more]
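The probing described above (a lone request for a file inside a plugin’s directory, sent to many sites, to learn which of them run the plugin) leaves a recognisable footprint in access logs. The following is an added example, not code from this site or from any of the plugins discussed, showing one way to pick those probes out of a combined-format log. It assumes probes are direct requests for paths under /wp-content/plugins/<slug>/ from a client that requests nothing else on the site; the plugin slug easy-digital-downloads is the plugin’s real directory name, but the IP addresses, timestamps and file names in the sample log are constructed.

```python
"""Spot WordPress plugin-presence probes in a web server access log.

Added example, not the page author's code. Assumptions (not from the page):
log lines are in Apache/nginx "combined" format, and a probe is a client
whose only requests are for files under /wp-content/plugins/<slug>/.
The sample log below is constructed for this example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Directory slug and file inside a plugin directory (query string excluded).
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[a-z0-9._-]+)/(?P<file>[^?]*)')

# Constructed sample: two probing clients and one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.10 - - [02/May/2023:10:01:02 +0000] "GET /wp-content/plugins/easy-digital-downloads/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [02/May/2023:10:01:03 +0000] "GET /wp-content/plugins/easy-digital-downloads/assets/css/edd.min.css HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [02/May/2023:10:04:41 +0000] "GET /wp-content/plugins/easy-digital-downloads/readme.txt HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [02/May/2023:10:05:00 +0000] "GET /blog/some-post/ HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [02/May/2023:10:05:01 +0000] "GET /wp-content/plugins/easy-digital-downloads/assets/css/edd.min.css?ver=3.1 HTTP/1.1" 200 4010 "https://example.test/blog/some-post/" "Mozilla/5.0"',
    'this line is not in combined log format',
]


def parse_line(line):
    """Return a dict with ip, ts, method, path, status, size, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def find_plugin_probes(lines, min_plugin_hits=1):
    """Return {ip: summary} for clients that fetched only plugin files.

    A 200 on a plugin file tells the prober the plugin is installed; a 404
    tells them it is not. Both are recorded so the defender can see what was
    confirmed to the prober.
    """
    per_ip = defaultdict(lambda: {'plugin_files': [], 'other': 0,
                                  'present': set(), 'absent': set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage rather than abort the whole scan
        entry = per_ip[rec['ip']]
        pm = PLUGIN_RE.match(rec['path'])
        if pm:
            entry['plugin_files'].append(rec['path'])
            target = entry['present'] if rec['status'] == 200 else entry['absent']
            target.add(pm.group('slug'))
        else:
            entry['other'] += 1  # a page load: looks like a real visitor

    probes = {}
    for ip, e in per_ip.items():
        # Ordinary browsers load plugin assets while rendering pages, so
        # only clients that never fetched anything else are flagged.
        if e['other'] == 0 and len(e['plugin_files']) >= min_plugin_hits:
            probes[ip] = {
                'requests': len(e['plugin_files']),
                'present': sorted(e['present']),
                'absent': sorted(e['absent']),
            }
    return probes


def demo():
    """Run the detector over the constructed sample log."""
    return find_plugin_probes(SAMPLE_LOG)


if __name__ == '__main__':
    for ip, summary in demo().items():
        print(ip, summary)
```

On the sample log this flags 203.0.113.10 (two plugin-file requests, both 404, so the plugin was confirmed absent) and 203.0.113.11 (readme.txt returned 200, so the plugin was confirmed present), while 198.51.100.5 is left alone because it also loaded a normal page. The 200 on readme.txt is the point of the probe: it hands the attacker a list of sites worth sending the exploit to, which is why blocking direct requests for plugin readme files is a cheap hardening step.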

24 Apr 2023

CSRF/Settings Change Vulnerability in LIQUID SPEECH BALLOON

JVN recently said that a cross-site request forgery (CSRF) vulnerability had been fixed in the WordPress plugin LIQUID SPEECH BALLOON. They provided no details on it, other than that it was fixed in version 1.2. The changelog for that version provides a little more information, as it says that it “Fixed security issue related to input in setting forms.”


[Read more]

21 Apr 2023

XWP Sponsors Major Cause of Avoidable Insecurity of WordPress Plugins While Leaving Vulnerabilities in Their Own Plugin

It would be easy to make significant improvements to the security of WordPress plugins available through the WordPress Plugin Directory, but year after year that hasn’t happened. A lot of the blame for that can be placed on major players in the WordPress space that are funding the current team running the plugin directory, who have blocked improvements from happening.

Two of the four members of the plugin directory team work directly for the head of WordPress, Matt Mullenweg. He also has a for-profit company, Automattic, which creates many conflicts of interest. One serious conflict of interest is that his company sells access to data on vulnerabilities in plugins through WPScan, while the plugin directory team has refused to provide that information. What makes the conflicts of interest stand out more is that the team obfuscates the connection between their members and Automattic. [Read more]