6 May 2022

Vulnerability Details: Authenticated Arbitrary File Upload in Advanced uploader

As is often the case, Automattic’s WPScan got things wrong with a report on an authenticated arbitrary file upload vulnerability (which they labeled as a subscriber+ arbitrary file upload vulnerability) in Advanced uploader. Their report states this:


[Read more]

6 May 2022

WordPress Plugin Page Builder Addons for WPBakery Contains Authenticated Arbitrary File Upload Vulnerability

At the end of March, we noticed what looked to be a hacker probing for usage of the plugin Pie Register and found that it contained a vulnerability that hackers would be interested in exploiting, an authenticated arbitrary file upload vulnerability caused by insecure code for allowing the installation of WordPress plugins. It also contained several other vulnerabilities.

While working on improvements to our detection system and our firewall plugin related to that type of vulnerability, we found that, over a month later, the developer still hadn’t even attempted to address the vulnerabilities in another of their plugins, Page Builder Addons for WPBakery. [Read more]

28 Mar 2022

WordPress Plugin Targeted by Hacker Contains Authenticated Arbitrary File Upload Vulnerability

The WordPress plugin Pie Register has had many vulnerabilities discovered in it over the years, including multiple serious vulnerabilities that you would expect hackers to try to exploit. Despite that, WordPress states it has 5,000 active installs, so continued insecurity doesn’t appear to discourage people from using a plugin (though thankfully, none of the customers of our main service are currently using the plugin).

Over the weekend, we had what looked to be a hacker probing for usage of the plugin on this website with a request for the following file: [Read more]

26 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in Another Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in another brand new plugin, VIRTUAL HDM FOR TAXSERVICE AM. We found another of these in a brand new plugin less than two weeks ago.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

13 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a Brand New WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the brand new plugin Vossle.

The review that is supposed to be done before new plugins can be added to the Plugin Directory should have caught that. It is something that would have been flagged by our Plugin Security Checker, so it would make sense to run plugins through that during that security review to avoid this type of situation continuing to happen. That it continues to happen speaks to the continued lack of interest in improving security by the leadership of WordPress (starting at the top with Matt Mullenweg) and the continued role we play in limiting the impact of that for everyone else. We would be happy to provide the Plugin Directory team free access to all of that tool’s capabilities and have repeatedly offered to do that, but we haven’t been taken up on that. [Read more]

3 Jan 2022

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability in a WordPress Plugin Used by Our Customers

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now expanded that for our customers, by running plugins used by our customers, even when code in them is not updated, through the same system on a weekly basis. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability in the plugin Elite Licenser Lite.

Based on what we saw with the code we reviewed as part of that vulnerability, there appear to be other security issues in the plugin. [Read more]

12 Oct 2021

Our Proactive Monitoring Caught Another Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin INK Official. That was the second time we caught that type of vulnerability being introduced into a plugin in less than a week.

Based on the insecurity leading to this vulnerability, there may be additional security issues and vulnerabilities. [Read more]

8 Oct 2021

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Introduced into a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a less serious variant of one of those vulnerabilities, an authenticated arbitrary file upload vulnerability, as it was being introduced into the plugin SCORM Cloud For WordPress.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

10 Sep 2021

Does a Fabulist Explain Why The Security Reviews of New WordPress Plugins Are Not Happening?

On August 13th, the WP Tavern, which is owned by WordPress and Automattic head Matt Mullenweg, published a post written by Sarah Gooding that presented an inaccurate view of the state of the security of WordPress plugins. The post was about a report based in part on data from a security company named WPScan that has been inflating the number of vulnerabilities in WordPress plugins they claim to be aware of. The story didn’t address that inflation, but instead put forward this claim to explain what is actually being caused, at least largely, by that inflation:

Both Wordfence and WPScan claim that the greater number of vulnerabilities reported this year is indicative of the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins aren’t getting more insecure over time but rather there are more people interested in discovering and reporting vulnerabilities. [Read more]

26 May 2021

Our Proactive Monitoring Caught an Authenticated Arbitrary File Upload Vulnerability Being Added to a WordPress Plugin

One way we help to improve the security of WordPress plugins, not just for our customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a fairly serious vulnerability being introduced into the plugin Delicious Recipes, an authenticated arbitrary file upload vulnerability.

The cause of this is a lack of restriction on what types of files can be uploaded through the plugin’s functionality for uploading a profile photo. The function upload_profile_image() in the file /src/dashboard/class-delicious-recipes-form-handler.php handles the AJAX request for that: [Read more]