1 Jun 2022

“Vulnerability” In 1+ Million Install WordPress Plugin XML Sitemaps (Google XML Sitemaps) Didn’t Lead to Backdoor on Websites

On April 6, the WordPress plugin XML Sitemaps (Google XML Sitemaps) was closed on WordPress’ plugin directory. The only information given was this vague message:

This plugin has been closed as of April 6, 2022 and is not available for download. This closure is temporary, pending a full review. [Read more]

26 May 2022

1+ Million Install WordPress Plugin Essential Addons for Elementor Unintentionally Fixed Two Instances of Vulnerability, Another Instance Remained

We have recently been testing to see if we can improve our ability to detect vulnerabilities being introduced and fixed in WordPress plugins using machine learning. One of our interests in doing that is so that we can better deal with situations where developers don’t disclose that they are fixing or attempting to fix vulnerabilities in their plugins. That appears to have happened with the version of Essential Addons for Elementor, one of the most popular WordPress plugins with 1+ million active installs according to WordPress, that was released yesterday.

One of the machine learning models we are testing flagged the changes made to the PHP code in that version as having fixed a vulnerability. There is a changelog entry that indicates that a security change was being made to the plugin: [Read more]

25 May 2022

Cloudflare Isn’t Adding New Firewall Rules to Protect Against Vulnerabilities in WordPress Plugins

It isn’t hard to find people citing the Cloudflare service as a good security solution for WordPress websites. What is lacking is any of those people citing evidence that Cloudflare provides effective protection for WordPress websites. If it were an effective solution, you would expect Cloudflare to be the ones disclosing zero-day vulnerabilities (vulnerabilities being exploited before the developer is aware of them) in WordPress plugins, as there are plenty of those to be caught. Last week, for example, we disclosed serious unfixed vulnerabilities we found in two plugins based on seeing what looked to be hackers probing for them. We are not aware of Cloudflare disclosing any of those in recent years.

In March, Cloudflare announced they were “providing a Cloudflare WAF (Web Application Firewall) Managed Ruleset to all Cloudflare plans, free of charge”. In their announcement, they singled out including rules for WordPress in that: [Read more]

24 May 2022

Patchstack Claims “Vulnerability” in WordPress Plugin With 600,000+ Installs Was Fixed Despite No Changes Being Made

Partly because of the large number of false reports of vulnerabilities in WordPress plugins being put out by our competitors, we now put more focus on claims of vulnerabilities in plugins used by our customers. So once at least one of our customers started using the plugin GA Google Analytics, our systems notified us that we needed to review a report put out last year by one of the aforementioned competitors, Patchstack, on a claimed authenticated persistent cross-site scripting (XSS) vulnerability in the plugin.

The report is credited to “m0ze (Patchstack Red Team)”, so this was something coming directly from Patchstack, instead of just something they copied from somewhere else. [Read more]

18 May 2022

Hackers Probably Already Targeting Vulnerability Wordfence Disclosed Despite Fix Not Being Generally Available

Earlier today, Wordfence released an odd post on their blog. In the post they disclosed an incredibly easy to exploit vulnerability in a WordPress plugin named Jupiter X Core, which allows anyone logged in to WordPress to change their role to Administrator. They claim to have engaged in “responsible disclosure” with this. While they didn’t provide what they labeled as a proof of concept, the information they did provide is the equivalent of one. They are telling people to update to version 2.0.8 of the plugin:

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher. [Read more]

4 May 2022

Another Instance of Automattic Providing Misleading Information About Security of Competing WordPress Security Plugin

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ million installs according to wordpress.org. Recently another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, contained a reflected cross-site scripting (XSS) vulnerability despite that vulnerability appearing not to exist. That isn’t the only recent instance of that happening.

Recently they claimed there had been a reflected cross-site scripting vulnerability in Anti-Malware Security and Brute-Force Firewall, which has 200,000+ installs. They wrote this (that is the whole sentence; they keep leaving out the periods at the end of sentences): [Read more]

29 Apr 2022

Wordfence Doesn’t Appear to Understand the Security Implications of a Backup Plugin

A little over a month ago we noted that Automattic’s WPScan didn’t appear to understand the concept of a backup plugin, as they claimed that the 4+ million install WordPress backup plugin All-in-One WP Migration contained a vulnerability that:

allows administrators to upload PHP files on their site [Read more]

26 Apr 2022

Automattic Appears to Have Falsely Claimed That Competing WordPress Security Plugin Contained Reflected XSS Vulnerability

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ million installs according to wordpress.org. Recently another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, contained a reflected cross-site scripting (XSS) vulnerability (emphasis ours):

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk [Read more]

25 Apr 2022

WordPress Support Forum Moderator Falsely Claims That There Are No Plugins With Known Unfixed Vulnerabilities in WordPress Plugin Directory

One of the ways we are able to provide our customers with better information on vulnerabilities in WordPress plugins than our competitors is by monitoring the WordPress Support Forum for topics related to that. In addition to information useful for that, it alerts us to other mentions of security. Through that, we often find the moderators of that forum spreading security-related misinformation to the WordPress community. One such instance came over the weekend when a moderator, Yui, wrote this:

Otherwise, please note, there are no plugins with known unfixed vulnerabilities that remain active in WordPress plugin directory. [Read more]