On Wednesday Sucuri disclosed a settings change vulnerability they had discovered in the WordPress plugin WP Live Chat Support, which leads to persistent cross-site scripting (XSS), after it was partially fixed earlier that day. That same day we warned our customers about that vulnerability. As we noted yesterday morning when disclosing another vulnerability in the plugin, the vulnerabilities they discovered were likely to be exploited soon. Yesterday we had what looked to be a hacker probing for that plugin on our website (and probing for several other plugins), so we expected that it wouldn't be long until public reports of it being exploited would crop up.
In trying to improve security, one of the big impediments is the sheer amount of misleading and false information out there, which gets in the way of addressing what actually needs to be addressed to fix the problems with security. A lot of that comes from security journalists repeating inaccurate claims made by security companies, instead of recognizing that those claims are indications that security companies don't understand things they should. In Bleeping Computer's coverage of a vulnerability in the plugin WP Live Chat Support (which is only one of multiple in it), discovered by Sucuri, they state this:
One of the problems we have found with selling a service that provides data on vulnerabilities in WordPress plugins is how many entities are out there putting out free, but highly inaccurate, information on them, while presenting it in a way that would indicate they are professionals providing accurate information. If people believe they can get high quality data for free, it isn't hard to believe they are going to be less inclined to pay for it, though for those that could afford and need accurate data, getting misled is a major downside for them as well as for us. We just ran across another source providing vulnerability data on WordPress plugins, Cybersecurity Help, and the entry that led to us running across them while looking for something else shows what we have long seen.
While we provide our customers much better data on vulnerabilities in WordPress plugins than you will find elsewhere, we are always looking to further improve what we are doing, since we know there is more we can do. One thing we just started looking into was more closely monitoring data from the Common Vulnerabilities and Exposures (CVE) system. Though just days into that, we ran into an entry that doesn't speak well of the quality of the data.
One of the strange issues we have seen for years when it comes to the moderators of the WordPress Support Forum is that they do not understand at all what disclosing a vulnerability is. That has even occurred with the person in charge of the team running the Plugin Directory, who certainly should have understood what is and isn't disclosure of a vulnerability, since they deal with vulnerabilities on a regular basis. That continues to be a problem. The latest instance involved a review of a plugin we mentioned yesterday in the context of people failing to keep their plugins up to date, which would have prevented them from being hacked. One of the reviews we cited part of reads in full:
Last Tuesday we warned about a vulnerability likely to be exploited in the plugin Blog Designer. Unlike another WordPress plugin vulnerability we ran across recently in a similar situation, this one was quickly fixed and the plugin was reopened on the Plugin Directory the next day (the vulnerability had been independently discovered by WebARX).
Yesterday we wrote about the web security company Sucuri overstating the impact of a SQL injection vulnerability, which they had re-discovered a year and a half after we had discussed it. That was one of two claimed SQL injection vulnerabilities they disclosed recently, and the post on the other, claimed to be in the plugin Advance Contact Form 7 DB, manages to be worse.
When it comes to the very poor state of the security industry, one thing that continually stands out to us is how often security companies don't make it that hard to realize they are not in fact doing the things they claim. Unfortunately, security journalists and others continually ignore that, which is making the security of every website worse off, with no positive benefit for anyone other than the security companies cutting corners.