The WordPress Coding Standards for PHP_CodeSniffer Only Provides Limited Security Checking
One of the changelog entries for the latest version of the WordPress plugin WCFM Membership is:
Enhance – Many security check improved [Read more]
One of the big problems with keeping up with vulnerabilities in WordPress plugins these days is that many of the recent reports of claimed vulnerabilities are false. If you are getting your data from us, we weed out those reports, but other data providers are not only failing to do that, they are incentivizing more of those reports.
Part of what could explain why they are including those, beyond inflating the number of vulnerabilities they claim to know about, is that they are not doing the due diligence they should be doing and, in one case, claim to be doing. When you don’t do that due diligence there are serious problems, including missing real vulnerabilities that you would have found when checking on a false report, and telling people that a real vulnerability has been fixed when it hasn’t. [Read more]
One of the ways we keep track of vulnerabilities in WordPress plugins that we should warn customers of our service about is monitoring requests sent to our own websites. This has led to us discovering many serious vulnerabilities in plugins. It also leads to us seeing a lot of odd actions, say, hackers trying to exploit vulnerabilities that were fixed years ago in WordPress plugins with tens of installs, and trying to exploit them in a way that will never succeed.
Seeming to fall into that latter category, we have recently seen quite a few requests from what appears to be a hacker where the HTTP referer is set to anonymousfox.co. The HTTP referer is intended to “[contain] an absolute or partial address of the page making the request”. Currently, that domain is not registered. What makes this seem so odd is that it would be very easy for security products and services to block requests that have that as the HTTP referer. So why would the hacker announce themselves like that? [Read more]
On Monday we discussed yet another WordPress plugin offering to provide security to WordPress websites that is lacking basic security itself. That appears to be a pretty common issue based on how often we run across it. Later on Monday we ran across it again, as we happened to do a quick check of the plugin WP Encryption, which has 40,000+ installations according to wordpress.org, and found that it is lacking basic security.
With this plugin, there is an odd issue where they are missing one security check in one place but include it elsewhere, while missing another one there. So the developer appears to be aware of the security checks they should have, but doesn’t understand that they need to implement them all, all the time. [Read more]
One of the things we provide to customers of our service as part of our data set on WordPress plugin vulnerabilities is information on false reports of vulnerabilities. These days the source of many of those false reports is not who you would expect, as it is the two other main data providers. One of those, WPScan, claims that they are verifying these false reports and the other, PatchStack, claims to be providing patches for them. In both cases, what they claim to do flies in the face of them spreading obvious false reports. One of those reports is so bad it reads like someone in the industry’s attempt at satirizing bad reports, not something being claimed to be real.
The report involves a plugin named Hotjar Connecticator, which had been removed from the WordPress plugin directory at the time the report was released. The report was published directly with WPScan: [Read more]
A week ago we looked at a WordPress plugin promoting that it could improve the security of websites, while the plugin itself lacked basic security. It certainly isn’t alone in that. Take the web host A2’s A2 Optimized WP plugin, which is marketed as:
A2 Optimized is designed to make it quick and easy to speed up and secure your website by installing and configuring several well known, stable optimizations with a few quick clicks. [Read more]
Earlier this week we mentioned that we had warned our customers about easily exploitable vulnerabilities in a WordPress plugin with 400,000+ installs nearly a month before other data providers did. But in that situation, they at least were warning before we saw hackers probing for usage of the plugin. With another plugin recently targeted by hackers, the situation is worse.
On May 26 we saw what looked to be a hacker probing for usage of the WordPress plugin Modern Events Calendar Lite on our website. While there were older vulnerabilities in the plugin that might explain a hacker’s interest in it, we checked over the plugin to see if there might be a vulnerability in the current version that they could be targeting. Here is what we said at the time about what we found: [Read more]
Yesterday Wordfence disclosed vulnerabilities that existed in the WordPress plugin ProfilePress (previously WP User Avatar) that they described as “critical and easily exploitable security issues” that:
made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication [Read more]
Yesterday we touched on one recent false report of a vulnerability in the WordPress plugin WP Super Cache, but there were additional claimed vulnerabilities connected to that. With one of those, one of our competitors, Patchstack, claimed not only that there was a vulnerability, but that it had a medium severity:
One of the realities when it comes to security surrounding WordPress is that many companies market themselves as caring about security while not really caring about it. Sometimes they even join forces.
Yesterday we mentioned one security provider, Patchstack, in the context of them and their Red Team not having a basic understanding of WordPress security. While looking more into Patchstack we found that last week they announced a partnership with 10Web. The claims made by 10Web in that announcement are in direct conflict with what we have seen from them while trying to work with them to fix a security vulnerability in one of their plugins, and with what we have seen of Patchstack. We also found that at least one more of their plugins, with 300,000+ installs, contains the same vulnerability we have tried to work with them to fix in one of their plugins. [Read more]