A recent review for the WordPress plugin Protect uploads claimed the plugin was a virus and recently had malicious code added to it:
Do not download. The plugin has been changed not too long ago and it now infects your wordpress installation, and possible spreads itself to other sites if you are on shared hosting. [Read more]
Last week, we wrote about confusion over whether a claimed vulnerability in a WordPress plugin exists if it hasn’t been mentioned by a particular data source. That was in the context of a developer claiming there wasn’t a vulnerability in the plugin because it wasn’t mentioned by one of those, WPScan, despite being included in another, Patchstack. We also noted that Patchstack had not provided the information needed for anyone else to confirm their claim of a vulnerability.
Someone involved in yet another data source submitted a comment on that post, though it appears they didn’t pay attention to what the post said, to the detriment of those relying on it. Part of what they said in promoting their data source is they had this vulnerability in its data set. That isn’t surprising since on their website they admit to copying information from Patchstack. They didn’t address the inability to confirm the claimed vulnerability, which someone would want to before adding it to their data set. [Read more]
Recently, we have covered multiple instances where the WordPress security provider Wordfence was falsely claiming that WordPress plugins contain “critical” vulnerabilities, despite there being no vulnerability. That is despite them marketing one of their services, Wordfence Intelligence, partly based on providing high-quality data of that type:
Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains nearly 7,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry. [Read more]
When WordPress plugins are closed on the WordPress Plugin Directory, unfortunately, those using the plugin and others are not informed of what caused the closure. So while the people running that would know if the plugins contain vulnerabilities, everyone is else left unaware if the plugin is known to be secure. One of the things we do to keep track of vulnerabilities in WordPress plugins is to monitor if any of the most popular plugins have been closed on the WordPress Plugin Director and then check if there are vulnerabilities we should warn our customers about.
Last week the plugin WP Page Widget, which recently had 60,000+ installs, was closed and as you can see, there is no explanation for the closure: [Read more]
When it comes to vulnerabilities in WordPress plugins, one of the most serious types is an arbitrary file upload vulnerability. That type of vulnerability would allow anyone to upload any type of file to the website. Hackers usually exploit that to upload .php files, as they can run arbitrary code on the website through that. That would allow them to add malware or spam to the website, allow them to send spam email or attack other websites, as well as other assorted activity.
To help to better understand what is going wrong, that leads to such a vulnerability and how those issues can be avoided, let’s break down a vulnerability of that type we spotted last month being introduced in to a plugin that comes directly from WordPress. [Read more]
In August 2020, NinTechNet, the developers of the WordPress plugin NinjaFirewall, disclosed vulnerabilities that had been in the plugin CMP – Coming Soon & Maintenance Plugin. That plugin had 100,000+ installs at the time and is now up to 200,000+ installs. While NinTechNet stated the vulnerabilities were fixed at the time, while reviewing code in the plugin related to that recently, as at least one of our customers now uses the plugin, we found that there still is a security issue that hasn’t been resolved.
NinTechNet’s post described part of the problem with the plugin this way: [Read more]
Recently WordPress changed their policy on discussing vulnerabilities in plugins on their forum, that is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin developers claiming that there isn’t a vulnerability in their plugin, because a data provider isn’t mentioning it. You can see that with a public discussion involving a claim from one of those data providers, Patchstack, that there is a vulnerability in the current version of a plugin.
The response from the developer to that claim was this: [Read more]
Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what was causing their cost for the service to increase, which they needed to pass on to customers. Instead, they said this:
It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid products, and introduced new services that include 24 hour incident response. [Read more]
Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another competitor.
Yesterday a topic was started on the support forum for a plugin about a warning of a vulnerability from the Wordfence Security plugin. The users of Wordfence Security were not given helpful information on the claimed issue by Wordfence, as can be seen by this comment from one of them: [Read more]