2 Dec 2021

Hackers Won’t be Blocked From Trying to Upload This to Your WordPress Website by Other Firewall Plugins

Two months ago we did testing that showed that WordPress security plugins didn’t protect against exploitation of vulnerabilities that involve sending user input containing PHP code as raw POST data, which is then read in PHP from php://input. At the time, we improved our new Plugin Vulnerabilities Firewall to address that type of exploit. Based on the results of our automated testing, none of the other firewall plugins for WordPress have followed our lead and added protection against this in the two months since.

Today our firewall stopped multiple attempts to exploit this type of issue on our website. These attempts would have failed anyway, since they involved trying to exploit software not on our website, but the attempts and the firewall’s logging gave us a chance to see what the hacker was trying to do.

29 Nov 2021

WP Tavern’s Justin Tadlock Won’t Address Lack of Due Diligence With False Claims from Patchstack

Earlier this year we ran across claims from the web security company Patchstack that a bug bounty program they were running, which they were misleadingly marketing as a “red team”, was finding an extraordinary number of vulnerabilities in WordPress plugins.

In May, for example, they claimed that 292 vulnerabilities had been found, and that one of the submitters had found 149 vulnerabilities and another had found 101. Both the total and the individual numbers sounded hard to believe based on our experience, both in collecting data on vulnerabilities in WordPress plugins and in discovering vulnerabilities ourselves.

10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence:

8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

3 Nov 2021

Patchstack’s Vulnerability Database Isn’t “Hand curated, verified and enriched WordPress vulnerability information”

When it comes to data on vulnerabilities in WordPress plugins, what we have seen is that data sources other than us are often not doing basic verification. At its most serious, that leaves people thinking they are using a secured version of a plugin while they are still vulnerable. That would be problematic even if those data sources, and others that reuse their data, were upfront about it, but they don’t even do that.

Take the Patchstack Vulnerability Database, which has replaced the WPScan Vulnerability Database in a lot of places after the latter started limiting free access. It is marketed with the claim that it is:

1 Nov 2021

Wordfence Premium’s Protection Far From Real-Time With Exploited Vulnerability in Closed Plugin

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

22 Oct 2021

Wordfence Falsely Claimed Their Wordfence Premium Service Provided Rule to Protect Against Vulnerability

Two days ago, the WordPress security company Wordfence put out a blog post about a PHP object injection vulnerability they had found in the plugin Sassy Social Share. (We had detailed that vulnerability for our customers the same day it was fixed in September.) The post heavily markets their Wordfence Premium service: in three separate instances they claim that they first provided a rule to protect against this vulnerability to customers of their paid Wordfence Premium service, and that it wasn’t available to those only using their plugin:

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

13 Oct 2021

WordPress Plugin Review Team’s Review Fails to Catch CSRF Vulnerability Allowing Modification of .htaccess File

If you believe the top person behind WordPress, Matt Mullenweg, new plugins being added to the WordPress Plugin Directory are not reviewed beforehand:

“Why couldn’t it be more like the plugin directory?” asked Mullenweg. “That has all the same potential issues and has been working pretty well. I’d like it to work just like the plugin directory, with direct access for authors, and most reviews being post-review vs. pre-review.”

12 Oct 2021

WPScan Claims a Vulnerability Was Fixed in Version of WordPress Plugin That Doesn’t Exist

One of the many problems that plague security is the lack of concern for the truth from so many of the people involved in it. You would think that wouldn’t be the case, with trust being an important part of security, but it is, which is part of why security is in such bad shape. That is common when it comes to information on vulnerabilities in WordPress plugins, where we find that critical information, including whether vulnerabilities have actually been fixed, is often inaccurate. While there are understandable mistakes, that clearly isn’t the explanation for most of it. Take something we noticed with one company that clearly isn’t interested in accuracy, WPScan.

Yesterday we discussed looking into why a hacker might be targeting the commercial WordPress plugin Cooked Pro. While looking into that, we came across a WPScan entry that claimed a vulnerability had been fixed in the related free Cooked plugin in version 1.7.5.6: