21 Oct 2022

Shield Security’s ShieldPRO Also Falsely Claimed that WordPress Plugin Contains Vulnerability

So far this week we have covered both iThemes Security Pro and Wordfence Security falsely claiming that WordPress plugins contained vulnerabilities, which we became aware of through our monitoring of the WordPress Support Forum for discussions of new vulnerabilities in plugins. This seems to be a fairly widespread problem with WordPress security providers, as today yet another instance of it came up, this time with ShieldPRO from Shield Security.

A topic was created yesterday claiming that a WordPress plugin named Admin Menu Editor contained a vulnerability:

21 Oct 2022

Wordfence Claimed That 300,000+ WordPress Sites Contained a “Critical” Security Vulnerability, It Wasn’t True

On Monday, a report was posted on Packet Storm claiming that the latest version of the WordPress plugin Photo Gallery by 10Web, 1.8.0, had a reflected cross-site scripting (XSS) vulnerability. That type of vulnerability isn’t a major issue and isn’t something that would be expected to be exploited on a wide scale, if exploited at all. The plugin does have 300,000+ active installations according to WordPress, so there still could be a lot of websites that would be impacted. That is, if there were a vulnerability, but there wasn’t.

It shouldn’t be hard to tell this is a false report.

20 Oct 2022

Wordfence Security Fails to Provide the Protection Keeping WordPress Plugins Updated Would

One of the impediments to better security for WordPress websites (and security in general) is that people are not taking basic security measures and instead relying on security solutions that fail to provide the protection that those basic security measures would. Recently someone posted on the support forum for the plugin PDF.js Viewer, mentioning they were getting this message, which is from the Wordfence Security plugin, on their website:

Plugin Name: PDFjs Viewer
Current Plugin Version: 1.3
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “PDFjs Viewer” until a patched version is available. Get more information.

19 Oct 2022

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A recurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters, and the sources of that inaccurate information are not the ones who have to deal with the fallout from it. Take this recent forum topic for the plugin Advanced Contact Form 7 DB (Advanced CF7 DB), which included a message coming from the paid iThemes Security Pro service claiming that there was a “known” vulnerability in the latest version of the plugin, version 1.9.1. Here is the message:

SEPT 30: Known issues in Advanced Contact form 7 DB v1.9.1

18 Oct 2022

Sectigo’s CodeGuard is Sharing the Files From Their Customers’ WordPress Websites With Third Parties

Making backups of WordPress websites is an important security measure, but it can also create security risks of its own. Too often that comes in the form of security vulnerabilities in backup plugins, where even plugins with millions of installs can fail to implement basic security. It turns out the risk can also come from a third party you are paying to handle backups for you.

Recently there was news coverage of a tool that claimed to detect “malicious plugins” and a research paper about it, titled “Mistrust Plugins You Must: A Large-Scale Study Of Malicious Plugins In WordPress Marketplaces”. The research is odd, since it mixes together plugins that apparently contained malicious code when they were added to websites and malicious code that was added to plugins after a hacker had gotten access to websites. The latter is an odd thing to focus on, since once hackers have gained access to websites, they often plant malicious code in various places on the website. That really has nothing to do with WordPress plugins, since the same code could be placed in other files on the websites as well.

17 Oct 2022

Amid Hacker Probing for WordPress Plugin BulletProof Security, New Vulnerability Discovered in It

Last week we saw what appears to be a hacker probing for usage of the WordPress plugin BulletProof Security. That is, as you might guess based on the name, a security plugin. It has 40,000+ active installations according to wordpress.org and is promoted as “The Ultimate Website Security”. The requests are looking for the plugin’s readme.txt file:

/wp-content/plugins/bulletproof-security/readme.txt

14 Oct 2022

The “Mark Zahra” Problem That the WordPress Community Deals With

The poor treatment of WordPress plugin developers by those in control of WordPress has recently gotten attention because of an odd, largely unexplained, situation involving removing a chart showing the install growth of plugins on their WordPress Plugin Directory pages.

One of the people who was prominently featured in the discussion over that was someone named Mark Zahra. He seems like a good example of an all too common archetype in the WordPress space: someone who conflates things being done that benefit their own business interests with what is in the interest of the wider WordPress community, and who pushes an overly positive view of the community. That overly positive view contrasts with those people’s own behavior, which is harmful to others in the community who are actually focused on the interests of the wider community. One of his tweets gives a good flavor of what that looks like in 280 characters or less:

13 Oct 2022

Wordfence is Claiming That a WordPress Plugin Has a Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for discussions that may concern WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims, coming from the WordPress security provider Wordfence through their Wordfence Security plugin, that other WordPress plugins contain vulnerabilities. Here is one such message from Wordfence, mentioned in a topic:

The Plugin “WP Affiliate Platform” has a security vulnerability.
Type: Plugin Vulnerable
Critical
Details:
Plugin Name: WP Affiliate Platform
Current Plugin Version: 6.3.8

12 Oct 2022

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on.

As an example of what is happening, take Automattic’s WPScan, which, as can be seen from their Twitter banner image, claims that with them you would “be the first to know about new WordPress vulnerabilities”