25 Feb 2022

Our Security Review of WordPress Plugin Found Freemius Library Still Contained Vulnerabilities 3 Years After Major Security Incident

Three years ago, the Freemius library, which is a monetization library widely used in WordPress plugins, fixed a serious vulnerability only after a hacker had identified it and started exploiting it. The situation surrounding that was quite a mess. It would be reasonable to think that the developer of the library and the developer of the plugins, especially security plugins, using the library would have made sure to get the security of the library reviewed after that to address any other security issues, but that turns out not to be the case.

What makes that more striking is that the developer claimed after that went down that: [Read more]

3 Jan 2022

Patchstack, cPanel, and Plesk Falsely Claimed Fixed Vulnerability in WordPress Plugin Hadn’t Been Fixed

Among the many problems caused by the WordPress security industry is plugin developers having to deal with false claims that plugins are vulnerable. An example of that involved not just a WordPress security player, but two major names in the web hosting industry that are relying on unreliable data for a security solution.

Last week a topic on the WordPress support forum started this way: [Read more]

23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people that don’t seem to have much grasp on security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO. [Read more]

22 Dec 2021

Our Firewall Plugin Provides What Malcare Claims Isn’t Available in a WordPress Security Plugin

Malcare is like a lot of providers in the WordPress security space: they make extraordinary claims that don’t really make a lot of sense if you have a basic grasp of security. Either the people behind those providers don’t understand what they are doing (which seems possible) or they are assuming that they can get away with misleading people (which they unfortunately can).

Our most recent instance of running across Malcare came from monitoring we do to keep track of vulnerabilities being exploited in WordPress plugins, which also flags other mentions of security issues. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

21 Dec 2021

Patchstack Continues to Overstate Size of Their Database Despite Dropping Claimed Size for 2021 by 35%

Last month we noted that a couple of WordPress news outlets had repeated what appear to be clearly false claims made by the WordPress security provider Patchstack. It should go without saying that a security company that isn’t honest is a big deal. We have since run across a further claim from Patchstack that contradicts the previous claim they made, while still appearing to be false.

On November 5, the WP Tavern ran a story by Justin Tadlock that included this claim about the number of vulnerabilities in Patchstack’s database for this year: [Read more]

14 Dec 2021

The Log4j Vulnerability and Failing to Protect WordPress Websites Against Relevant Threats

Over the last few days, there has been quite a bit of news coverage of a vulnerability in a Java library named Log4j. From monitoring we do to keep track of discussion of vulnerabilities in WordPress plugins for our service, we have noticed that some people have questions about the impact this has on WordPress websites and WordPress plugins.

WordPress and WordPress plugins are written in PHP, so a vulnerable Java library won’t impact them. That they are not impacted doesn’t mean that hackers won’t try to exploit the vulnerability on WordPress websites, since hackers will try to exploit vulnerabilities without knowing what software underlies a website. (That is one of the reasons that the many WordPress security plugins that try to hide usage of WordPress are not really providing security.) As an example of that, here are some of the attempts that were blocked by our new firewall on this website so far: [Read more]

10 Dec 2021

WordPress Forum Moderators Again Stop WP Community From Helping Each Other Deal With Hacked Sites

On Monday, a serious vulnerability was fixed in the WordPress plugin PublishPress Capabilities, which we detailed for customers on Tuesday (we also warned about a less serious vulnerability the same day). On Wednesday, the vulnerability was widely exploited.

That is a situation that could have largely been avoided by the WordPress plugin team, if they had automatically updated the plugin before the exploitation happened, instead of after (or by websites enabling WordPress to automatically update plugins). Instead, what WordPress did through the team running their support forum (which is led by one of the two people that also control the plugin team) was to shut down and largely delete the discussion where users were helping each other deal with the hacked websites. [Read more]

3 Dec 2021

Customers of WPScan and Patchstack Were Far From the First to Know About Exploited Plugin Vulnerability

Last week we looked at an instance where the Wordfence Security plugin and Wordfence Premium service failed to provide protection against a WordPress plugin vulnerability until four days after it was publicly discussed that the vulnerability had already been exploited. That is despite the Wordfence Premium service being marketed with the claim that it provides “real-time protection” and competing firewall plugins having delivered protection ahead of that. What we guessed might have explained why they belatedly responded in that situation draws in two other security companies in the WordPress space, which do not appear to even try to deliver on how they market their services.

With one of our competitors in providing data on WordPress plugin vulnerabilities, the WPScan Vulnerability Database (now owned by Automattic), they claim at the top of their homepage that with their service you will “[b]e the first to know about vulnerabilities affecting your WordPress website”: [Read more]