16 Aug 2021

Why doesn’t WP Tavern want their readers to have accurate information on the state of WordPress security?

One of the biggest impediments to improving the security of WordPress is the sheer amount of misleading and outright false information that exists out there. Take the most popular security specific WordPress plugin, Wordfence Security, which, as we noted on Friday, is promoted by its developer and by others with the unqualified claim that it stops websites from being hacked. Not only could it not provide that level of protection, but testing confirms that it actually fails to provide the kind of protection it should be able to and that other security plugins do provide. If people knew the truth, they could be taking advantage of the additional security that other plugins provide. On the developer’s part, they clearly know what they are saying isn’t true, and that statement isn’t an aberration, as we have repeatedly seen them telling lies that involve overstated claims about the capabilities of their plugin and services.

You would reasonably expect that journalists covering security would be warning the public about a company like that, but what we have found instead is that those journalists often act more as a PR arm of security companies (often dishonest ones) than as journalists. In some cases that is a rather literal situation, as there are multiple security journalism outlets that are publicly acknowledged to be owned by security companies (and another that is no longer acknowledged to be owned by a security company). [Read more]

13 Aug 2021

Wordfence Security Isn’t Powerful Enough to “Prevent Any Form of Attack”

Wordfence Security is the most popular WordPress security-only plugin (Jetpack is more popular, though only partially promoted as a security plugin) with 4+ million installs. What likely explains at least some of its popularity is that it is marketed by the company behind the plugin and others as being far more capable than it possibly could be. Testing shows that not only is it not as capable as claimed, but that it isn’t even delivering results anywhere near as good as it could or should be able to provide.

On the plugin’s page on the WordPress Plugin Directory, part of the answer for the first FAQ question makes this claim: [Read more]

12 Aug 2021

Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs

Update: We originally incorrectly listed the plugin All In One WP Security & Firewall as not providing any protection, when in fact it did provide protection that was easily bypassed. We apologize for the mistake.

In the mess that is the current handling of security of WordPress plugins, many people rely on and trust companies to provide them accurate information on vulnerabilities in plugins that they use, while the companies appear to have no concern about whether the information they provide is accurate. The ultimate source of their data is often a company named WPScan, which is well documented to not be concerned about the quality of their data. [Read more]

12 Aug 2021

Why NinjaFirewall’s PHP Object Injection Protection Failed to Prevent Vulnerability in WordPress Plugin From Being Exploited

As part of working on our WordPress firewall plugin, we are doing tests to make sure our plugin’s protection works and to see what protection, if any, other existing plugins provide. While being able to show that our plugin is already providing protection that no other plugin provides is good for marketing the plugin, it isn’t the best result for trying to improve the plugin, as we can’t learn much from other plugins if they don’t provide protection.

In the latest test we did, we were surprised to find that no other plugin provided protection, as it looked like the plugin NinjaFirewall should. The vulnerability being tested is a PHP object injection vulnerability we had discovered, and the default Advanced Policies settings for NinjaFirewall made it look like it should provide protection against that type of vulnerability and this particular instance of it: [Read more]

10 Aug 2021

NinjaFirewall and Wordfence Security’s XSS Protection Still Have Publicly Known Bypass Five Years Later

As part of the development of our upcoming firewall plugin for WordPress, we are doing new tests of security plugins to see if they can prevent exploitation of vulnerabilities in WordPress plugins to help us improve on existing firewall plugins’ protections. We are also going back over the results of the similar tests we did back in 2016.

In one of those tests, involving a persistent cross-site scripting (XSS) vulnerability, we found that only two of the plugins we tested, NinjaFirewall and Wordfence Security, provided any protection. What we also found was that it was incredibly easy to bypass the protection they provided. All it took to bypass them was adding a single backslash in the right location and their protection was defeated. That wasn’t a great indication of the quality of those plugins. [Read more]

6 Aug 2021

Wordfence Keeps Using Misleading Severity Scores While Admitting That They Are Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited in our data set. As we noted again just yesterday, an alternative metric, severity scores, is not really meaningful when looking at vulnerabilities in WordPress plugins. That hasn’t stopped other security providers from promoting those, despite them being misleading. In most cases we can’t say for sure that they are aware of that misleading element and that they are contributing to the problematic use of them, but in the case of Wordfence we can say they know that, as here were their comments in a blog post in regards to the most popular severity scoring system, CVSS, last week:

As such, and despite the CVSS score of this vulnerability only being a 6.5, it could be used to take over a site either via obtaining database credentials or by executing JavaScript in an administrator’s browser session. [Read more]

5 Aug 2021

Patchstack’s Severity Scores Continue To Be Highly Misleading

To help our customers better understand the risk posed by a vulnerability in a WordPress plugin, we provide a rating of how likely the vulnerability is to be exploited. Other security providers provide what turns out to be a much less useful metric, a severity score.

One company that continues to provide an example of the decided lack of value of those scores is Patchstack. A month ago we noted an instance where they had given a “vulnerability” a severity score of 7.4 out of 10. We put vulnerability in quotes there, since there wasn’t even really a vulnerability. Even if you wanted to argue there was a vulnerability, it was a vulnerability that has to be exploited by an attacker logged in to WordPress as an Administrator. Since they are an Administrator, they could already do what was supposed to be the vulnerability, making this not a vulnerability, but even if you want to argue otherwise, how could it be that severe? [Read more]

4 Aug 2021

There Are So Many Issues With Jetpack’s Post on Claim of a “Very Severe” Vulnerability in a WordPress Plugin

Often blog posts from companies offering security services read like an inadvertent warning that these companies are dishonest and lack a basic grasp of security, if read by someone also in the field. That is the case with a recent post on the blog of Automattic’s Jetpack service, which overstates the impact of a vulnerability while also indicating that the author and the rest of their security team don’t have a basic grasp of the security issue involved here. Making that not all too surprising is that the author of the post is a former employee of an incredibly shady security company, Sucuri.

“Very Severe”

One of the problems we have long seen with security companies discussing vulnerabilities in WordPress plugins is that they overstate the impact of them. Jetpack’s post is titled “Severe Vulnerability Patched In WooCommerce Currency Switcher” and in the first sentence they claim that the vulnerability is a “very severe local file inclusion vulnerability”. Would you guess based on that, that the vulnerability is highly unlikely to be exploited and doesn’t have any impact on its own? We would guess not. [Read more]

3 Aug 2021

Wordfence Advisory Fails to Warn That WordPress Plugin with 100,000+ Installs Is Currently Very Insecure

As part of monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may use, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of any unfixed vulnerabilities that hackers are likely targeting. On Sunday we had what looked to be a hacker probing for usage of the WordPress plugin WordPress Download Manager, which has 100,000+ active installations according to wordpress.org, on our website with this request:

/wp-content/plugins/download-manager/readme.txt [Read more]

26 Jul 2021

WPScan Misses Real Security Issue in WordPress Plugin with 600,000+ Installs Despite Claiming to Have Verified Related “Vulnerability”

On July 18 a new version of the WordPress plugin Maintenance was released, which appeared to have a security improvement in it based on one of the changelog entries:

security fixes [Read more]