25 Nov 2022

WordPress Plugins Failing to Include Needed Capabilities Check for AJAX Accessible Functionality

When reviewing security changes being made in WordPress plugins used by our customers, it isn’t uncommon for us to find that developers have failed to fully fix the vulnerabilities, or, as was the case recently with a plugin with 300,000+ installs, they have failed to fix the vulnerability at all. What we also often see is that plugins are missing a basic security check when making plugin functionality accessible through WordPress’ AJAX system.

One recent example of that we ran across involved a plugin named Log HTTP Request. It registers two functions accessible through WordPress AJAX functionality to anyone logged in to WordPress: [Read more]

22 Nov 2022

WordPress Security Plugins Contained Fairly Serious Vulnerability Because of Unresolved WordPress Security Issue

Something that should get a lot more attention and raise a lot more questions is why the security industry’s own software and hardware is itself so insecure. That insecurity is a frequent issue with WordPress security plugins. The latest instance of that involves two WordPress security plugins AntiHacker and StopBadBots, which contained a vulnerability that allowed anyone logged in to WordPress to install any plugins in the WordPress Plugin Directory.

Those plugins come from the same developer and three additional plugins were affected: CarDealer, WP Memory, and wptools. Together, the plugins have at least 22,000+ installs. [Read more]

18 Nov 2022

Patchstack Provided Inaccurate Information on Vulnerability Claimed to Be Exploited in WordPress Plugin

Recently it was claimed that the WordPress plugin RD Station had led to a website’s database being replaced:

when are you going to fix the problem, a couple of weeks ago a site was attacked by this vulnerability, the entire database was replaced, we contacted you and this was the response [Read more]

17 Nov 2022

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier for vulnerabilities:

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. [Read more]

16 Nov 2022

CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers

CVE is a program that is supposed to provide unique identifiers for vulnerabilities and as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling non-public information on vulnerabilities to any hackers willing to pay them.

The footer of the website for the CVE program claims that it is sponsored by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA): [Read more]

15 Nov 2022

VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log

Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this:

As reposted by CISA and NIST, NVD this plugin has a critical exploit, CVE-2022-3941, and we are removing from all of our servers pending revision and reporting from the makers. [Read more]

14 Nov 2022

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone who describes themselves as a “search marketer”, writing for a news outlet unrelated to security, is covering those vulnerabilities we don’t know. Whatever the reason, his stories on the subject get included in Google News and spread on social media.

Mr. Montti’s WordPress plugin vulnerability stories are often wrong in multiple different ways and in ways that indicate he is not familiar with the subject matter (not surprising considering his non-security background). We tried in the past to gently suggest to him that information in stories was not entirely accurate, but he never corrected those stories and continued to make the same mistakes. He hasn’t gotten anyone else with knowledge of security to provide input for his stories either. The Search Engine Journal also doesn’t seem interested in addressing this, as we never got a response when we contacted them about a story from him that was outright false. [Read more]

11 Nov 2022

100,000+ Install WordPress Plugin Custom Permalinks Has Been Phoning Home to Developer for Over Two Years

The 100,000+ active install WordPress plugin Custom Permalinks has been phoning home to the developer with information about the websites it is installed on for over two years, despite it being in violation of the rules for the WordPress Plugin Directory to do that without consent.

Two days ago Jaime Martinez posted about that on the support forum for the plugin after discovering it while debugging an issue with a client’s website. So far the developer hasn’t responded to that and the plugin remains in the plugin directory. [Read more]

10 Nov 2022

WooCommerce Fraud Prevention Plugin’s Functionality Can Be Disabled by Anyone Logged in to WordPress

With the security of WordPress plugins, those that extend the functionality of the ecommerce plugin WooCommerce would seem like they would be more secure than the average plugin, seeing as security should be important for software on websites handling money and customer data. But that continues to not be the case. Earlier this week the WP Tavern, which only barely discloses that it is owned by Matt Mullenweg, the head of the company that owns WooCommerce, covered problems WooCommerce based websites are having with fraudulent charges through the Stripe payment service from those testing stolen credit card numbers. The story mentioned one partial solution for that issue:

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin. It allows store owners to block orders from specific IP addresses, emails, address, state, and zip codes. This might help once attacks have started but doesn’t fully prevent them. [Read more]

10 Nov 2022

Cyber Insurance Isn’t the Solution for the Insecurity of WordPress Websites

To get to a better place when it comes to the security of WordPress websites, as well as security more broadly, a critical element would be good security journalism. That isn’t happening. Take this clickbaity headline from The Register two days ago, “Swiss Re wants government bail out as cybercrime insurance costs spike”. Yet the beginning of the story disagreed with the headline:

As insurance companies struggle to stay afloat amid rising cyber claims, Swiss Re has recommended a public-private partnership insurance scheme with one option being a government-backed fund to help fill the coverage gap. [Read more]