7 Nov 2024

The Various Rationales Put Forward by Matt Mullenweg and His Lawyers for His Action Against WP Engine’s ACF

When Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields (ACF) on October 12, he cited the guidelines of the WordPress Plugin Directory for doing that:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines [Read more]

31 Oct 2024

WordPress Plugin Review Team’s Stance That “Forked Premium Plugins Are Not Permitted” Changed Same Day ACF Takeover Happened

Since Matt Mullenweg announced a takeover of WP Engine’s Advanced Custom Fields (ACF) on the WordPress plugin directory on October 12, there have been questions about whether the features of the paid Pro version would be incorporated in the rebranded Secure Custom Fields. Doing that would be against the stated policy of the team running the WordPress plugin directory, which was spelled out in a February 16, 2021 post titled “Reminder: Forked Premium Plugins Are Not Permitted.” Or rather, it was against the policy. As of October 8, the post began “tl;dr: We do not permit copies or forks of premium (pay for) plugins to be hosted on WordPress.org.”

[Read more]

22 Oct 2024

What WordPress Plugins Are No Longer Receiving Updates Through the WordPress Plugin Directory?

As part of the mess going on with WordPress, plugin developers are choosing or being forced to provide updates for their plugins outside of the WordPress Plugin Directory. This creates a big security headache. To help address this, we are compiling information on impacted plugins. You can help by letting us know of additional plugins that are impacted, by either leaving a comment below or contacting us.

The information is also available in a machine-readable format to allow for software to automate checking for impacted plugins. We currently have it available in the JSON format. If there are other formats needed, we can format it for those as well. [Read more]

16 May 2023

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after a machine learning (AI) based system we run flagged the fix being made. The journalists claimed that an attacker was trying to exploit this, with headline claims including “Hackers target WordPress plugin flaw after PoC exploit released” from Bleeping Computer, “Hackers exploit WordPress vulnerability within hours of PoC exploit release” from CSO Online, and “ACF Plugin’s Reflected XSS Vulnerability Attracts Exploit Attempts Within 24 Hours of Public Announcement” from the WP Tavern.

Those stories are somewhat inaccurate, as they cite another company’s disclosure, made a day after ours, as being when the vulnerability was disclosed. But the far larger issue is that it seemed highly unlikely that an attacker was really trying to exploit this. If that were true, it would be rather newsworthy, since we have seen no evidence of any wide scale exploitation of reflected XSS vulnerabilities in WordPress plugins. It turns out the source for those stories, Akamai Security Intelligence Group (SIG), confused a script kiddie with an attacker, leading to those misleading stories. [Read more]

4 May 2023

Reflected Cross-Site Scripting (XSS) Vulnerability in Advanced Custom Fields

To better detect vulnerabilities being fixed in WordPress plugins in the WordPress Plugin Directory, we run all the changes being made to plugins used by our customers, and to plugins with at least a million installs, through a machine learning (artificial intelligence) based system we created. Today, that flagged a change being made to the 2+ million install plugin Advanced Custom Fields as fixing a vulnerability. The changelog of the plugin suggested that might be correct, as the changelog entry associated with that change says that it “resolves an XSS vulnerability in ACF’s admin pages”, which was credited to Rafie Muhammad.

You can’t rely on the changelog to provide accurate information, as the developer of this plugin, WP Engine, recently didn’t disclose it was fixing a vulnerability in another of their plugins, and even if the changelog makes the claim, it doesn’t mean that a vulnerability really existed or that it has been fixed. As we have found with other changes being flagged by this monitoring system, WordPress plugin developers sometimes fail to disclose they are fixing a vulnerability and also fail to actually fix it. [Read more]

24 Sep 2021

Five of the 100 Most Popular WordPress Plugins Are Insecurely Using the extract() Function

Last week we noted that the most popular WordPress security plugin, Jetpack, was insecurely using PHP’s extract() function. It turns out that it isn’t alone among the most popular WordPress plugins, as running the 100 most popular plugins in the WordPress Plugin Directory through our Plugin Security Checker identified four more plugins that are similarly insecure. Jetpack is the most popular with 5+ million installs according to WordPress’ stats, but the others also have large install counts:

As we noted in the previous post, the documentation for the extract() function has this warning: [Read more]

3 Dec 2018

Vulnerability Details: Authenticated Persistent Cross-Site Scripting (XSS) in Advanced Custom Fields

The quality of vulnerability reports for WordPress plugins is often not great, and a just released report on a vulnerability in the plugin Advanced Custom Fields is a great example. The only evidence presented in their report is what is claimed to be a proof of concept for the claimed vulnerability, though for a couple of reasons it can’t be reused. The only textual information provided in it is about a different plugin entirely:

[Read more]