25 Apr 2022

Automattic’s WPScan Didn’t Do Basic Verification on Claimed Vulnerability in WordPress Plugin with 700,000+ Installs

Automattic-owned security service WPScan is marketed with the claims that they provide “Enterprise-strength WordPress protection for everyone” and that they have a “dedicated team of WordPress security experts”. The reality is very different.

Among many issues we run across with their data is that they are frequently falsely claiming that plugins have had vulnerabilities, in situations where, say, the claimed vulnerability involves an action taken by an Administrator that the plugin is intended to allow and still allows after the supposed vulnerability has been fixed. [Read more]

20 Apr 2022

Developers of 1+ Million Install WordPress Security Plugin All In One WP Security & Firewall Not Disclosing Change in Ownership

The latest version of the WordPress security plugin All In One WP Security & Firewall fixed a minor security vulnerability. While there is an extensive changelog for that version, there doesn’t appear to be any mention of that. Take a look for yourself:

  • FEATURE: Reset all settings by clicking on the “Reset Settings” button on the Settings Page.
  • FEATURE: Verify the Google reCaptcha Site key before rendering and disable it if the Google reCaptcha site key is invalid.
  • FIX: PHP Fatal error: Cannot redeclare wp_install_maybe_enable_pretty_permalinks() in specific server.
  • FIX: throwing database error for creating debug log table in specific MySQL server.
  • FIX: Compatibility issue with WPML plugin for login and logout functionality.
  • FIX: Update email sent in English instead of setting language.
  • FIX: The Simple Math Captcha can’t be validated when a third-party plugin clears transients more frequently.
  • FIX: The login lockdown unlock request was not working in a few specific server environments.
  • FIX: The warning headers already sent was displayed in a few specific server environments.
  • FIX: Handle invalid tabs appropriately in setting pages.
  • TWEAK: Add review notice.
  • TWEAK: Improve functionality of fake google bot prevents to access the site.
  • TWEAK: Remove IP address retrieval setting and detect IP address automatically.
  • TWEAK: Verify Google reCaptcha site key before rendering the reCaptcha.
  • TWEAK: Remove force logout checking from REST API Call.
  • TWEAK: Made Admin Dashboard > WP Security > Settings tabs extensible.
  • TWEAK: Add G2 review message in the admin footer.
  • TWEAK: Format failed login date time according to WordPress general settings.
  • TWEAK: Remove unused codes from AIOWPSecurity_Config.
  • TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > “Display Name” tab > “Modify Accounts With Identical Login Name & Display Name” section.
  • TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP’s “Site Health” tool)
  • TWEAK: The “Allow Login Lockout Request” checkbox is ticked by default.
  • FIX: Fix login lockout issue with different timezone.

As at least one of the customers of our main service used that plugin, we took a close look at that as the discoverers provided almost no information to confirm there was a vulnerability and that it had been fixed. What we found is that the developer had fixed the vulnerability, but hadn’t properly secured the code, increasing the chances that there could be another instance of this problem in the future. That should have been addressed, particularly considering this is a security plugin. [Read more]

15 Apr 2022

CVE, WPScan, and Patchstack Claimed That Possible Security Issue Was Addressed Five Months Before It Was

One of the changelog entries for version 4.5.9 of the WordPress plugin Download Monitor, which was released last week, is:

Fixed: Security issues regarding file downloads and download titles [Read more]

31 Mar 2022

A Month Later, WordPress Still Hasn’t Taken Action for Websites With Backdoored Plugin They Distributed

On February 28, we publicly warned that the WordPress plugin Mistape had what appeared to be a backdoor added in its latest release. Part of the code would contact the developer’s website and let them know if the plugin was installed. Another part would allow anyone to gain access to an account on the website with the Administrator role. The response from WordPress was to close the plugin in their plugin directory:

[Read more]

24 Mar 2022

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was:

Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y [Read more]

23 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand The Implication of Being Able to Replace WordPress

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

One of the changelog entries for the latest version of the WordPress plugin WP Downgrade is: [Read more]

23 Mar 2022

Security Provider SecurityScorecard’s New WordPress Plugin Contains Security Vulnerability

One of the indications that something is very wrong with the security industry is how insecure the software and hardware of companies in it is. The latest example of that we ran across involves a company named SecurityScorecard, which we had not heard of before.

Yesterday they introduced a WordPress plugin SecurityScorecard Seal of Trust Badge, which appeared on our radar due to monitoring we do to keep track of security issues in WordPress plugins. That plugin is described as: [Read more]

21 Mar 2022

The “Security Experts” at Automattic’s WPScan Don’t Appear to Understand the Concept of a Backup Plugin

One of the biggest problems we run into while compiling data on vulnerabilities in WordPress plugins these days is the amount of false reports out there. While there has been a problem with that for years, what makes it more problematic now is that “security experts” are spreading these false claims instead of knocking them down. One frequent source of that is WPScan, which is owned by the company closely connected with WordPress, Automattic. That entity is marketed with the claim that they are a “Dedicated team of WordPress security experts”, which doesn’t match up with what we keep seeing.

Recently we saw what looked to be a hacker probing for usage of the plugin All-in-One WP Migration. We couldn’t find a good explanation for why that would be, such as a recently fixed vulnerability in the plugin or an unfixed vulnerability that currently exists in it. But WPScan did recently put out a false report of a vulnerability in the plugin that it seems like a hacker might have thought was something they could exploit. [Read more]